[Samba] samba-tool and --kerberos

mathias dufresne infractory at gmail.com
Mon Oct 19 12:27:28 UTC 2015


You're right, but I tried successfully -k only with smbclient which accepts
-U and -k together (now I'm here I must say smbclient uses -k without
argument).

For net command I was not able to make -k nor "--kerberos yes"
m707:~# net rpc service list  --kerberos=yes
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

m707:~# net rpc service list -S m707 -k=yes

Invalid option -k=yes: unknown option
Usage:
  Use 'net help rpc' to get more extensive information about 'net rpc'
commands.
  Use 'net help rap' to get more extensive information about 'net rap'
commands.
 ....

m707:~# net rpc service list -S m707 --kerberos yes
Usage: net rpc service list


Only "--kerberos=yes" seems to work:
m707:~# net rpc service list  --kerberos=yes -S <DCname>
Spooler                 "Print Spooler"
NETLOGON                "Net Logon"
RemoteRegistry          "Remote Registry Service"
WINS                    "Windows Internet Name Service (WINS)"

I'll try to propose some modification of associated man pages but I'm quite
lazy...

2015-10-19 13:57 GMT+02:00 Stefan Kania <stefan at kania-online.de>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 19.10.15 at 13:05, mathias dufresne wrote:
> > Hi Stefan,
> >
> > Thank you a lot for that, it helped me much.
> >
> > To be a bit more precise, thanks again to your example, to
> > authenticate samba-tool command using --kerberos: syntax is "-k
> > yes" or "--kerberos=yes" or "--kerberos yes" AND -U username must
> > not be present.
> You are using Kerberos because you don't want to use "-U
> administrator" :-)
> > "-k=yes" is not working.
> No
> >
> > 2015-10-19 11:59 GMT+02:00 Stefan Kania <stefan at kania-online.de>:
> >
> > You have to use "-k yes" for example:
> >
> > samba-tool user list -k yes
> >
> > Before you can use it, you must get a Ticket with "kinit
> > administrator"
> >
> > Stefan
> >
> > On 19.10.15 at 10:49, mathias dufresne wrote:
> >>>> Hi all,
> >>>>
> >>>> I recently tried to use --kerberos switch in addition to
> >>>> some samba-tool command (mainly samba-tool user create)
> >>>> without any success. The man page of samba-tool is quite shy
> >>>> on that subject: -k KERBEROS|--kerberos=KERBEROS Use
> >>>> Kerberos
> >>>>
> >>>> Looking into samba-tool python script, in fact into
> >>>> /usr/lib64/python2.7/site-packages/samba/netcmd/user.py, I
> >>>> can't find any reference to kerberos. Perhaps the piece of
> >>>> --help telling we can use that switch comes from other script
> >>>> (samba-tool itself?) and not related to samba-tool user
> >>>> command, in that case inclusion of that piece of help should
> >>>> be reviewed.
> >>>>
> >>>> Anyone knows how to use --kerberos successfully with
> >>>> samba-tool?
> >>>>
> >>>> Best regards,
> >>>>
> >>>> mathias
> >>>>
> >
> >
> >>
> >> -- To unsubscribe from this list go to the following URL and read
> >> the instructions:  https://lists.samba.org/mailman/options/samba
> >>
>
> - --
> Stefan Kania
> Landweg 13
> 25693 St. Michaelisdonn
>
>
> Signing every e-mail helps reduce spam. Sign your
> e-mail. More information at http://www.gnupg.org
>
> My key is located at
>
> hkp://subkeys.pgp.net
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
>
> iEYEARECAAYFAlYk2pMACgkQ2JOGcNAHDTYk9gCfebaDwUH59VN1ZLiDLyC41s97
> GzYAnR9HvcARtr2PFawPlusGMtnJdYM9
> =ai19
> -----END PGP SIGNATURE-----
>

