[Samba] Using samba-tool from Domain member

Rowland Penny rpenny at samba.org
Tue Jan 8 22:02:41 UTC 2019


On Tue, 8 Jan 2019 13:13:15 -0800
Luke Barone via samba <samba at lists.samba.org> wrote:

> Hi list,
> 
> I'm trying to work on a script that should not care what DC is up, as
> long as one is. I want to be able to use the samba-tool command in
> our Samba-AD domain from a domain member, using kerberos.
> 
> I have the kinit command granting me a ticket. I want to use that
> ticket to remotely add users to the domain controller, while I'm on
> the domain member's console. For example:
> 
> root at fileserver.example.com:~# kinit administrator
> Password for administrator at EXAMPLE.COM:
> root at fileserver.example.com:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 08/01/19 13:03:00  08/01/19 23:03:00  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>         renew until 09/01/19 13:02:59
> 
> root at fileserver.example.com:~#   samba-tool user list --kerberos=yes
> ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line
> 445, in run
>     attrs=["samaccountname"])
> 
> 
> The commands run fine from the domain controller, but we want to run
> the commands from a member server. Is this possible, either using
> usernames/passwords or kerberos? We are on Debian 9.6, running Samba
> 4.5.12-Debian (Yes, I know it's EOL for Samba, but it's the latest in
> the repo).

You don't actually need kerberos to list users from a Unix domain
member, you need to run the command as root and add '-H
ldap://DC_SHORT_HOSTNAME'

Rowland
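The script Luke describes, as an added example (not code from either poster): without `-H` samba-tool opens the local sam.ldb, which a Unix domain member does not have, hence the "invalid basedn '(null)'" error; pointing it at a DC with `-H ldap://DC` as Rowland suggests fixes that. The function below tries a list of DCs in turn and runs the requested samba-tool subcommand against the first one that answers over LDAP with the ticket from `kinit`. The DC names `dc1` and `dc2`, the `DC_CANDIDATES` variable and the function names are my own placeholders, not anything from the thread.

```sh
#!/bin/sh
# Added example: run samba-tool from a Unix domain member against whichever
# DC is up. Assumes `kinit` has already been run (or that you are root, as
# Rowland notes) and that DC_CANDIDATES lists your real DC short hostnames;
# "dc1 dc2" below is a placeholder.
DC_CANDIDATES="${DC_CANDIDATES:-dc1 dc2}"

# first_live_dc PROBE DC...: print the first DC for which "PROBE DC" exits 0.
# Exits 1 (and prints nothing) if none of them answer.
first_live_dc() {
    probe="$1"
    shift
    for dc in "$@"; do
        if "$probe" "$dc"; then
            printf '%s\n' "$dc"
            return 0
        fi
    done
    return 1
}

# ldap_probe DC: succeed if samba-tool can reach DC over LDAP using the
# Kerberos ticket in the credential cache (the -H form from the reply).
ldap_probe() {
    samba-tool user list -H "ldap://$1" --kerberos=yes >/dev/null 2>&1
}

# samba_on_any_dc SUBCOMMAND ARGS...: e.g. samba_on_any_dc user list
# Picks a live DC once, then runs the real command against it.
samba_on_any_dc() {
    dc=$(first_live_dc ldap_probe $DC_CANDIDATES) || {
        echo "no domain controller in '$DC_CANDIDATES' answered" >&2
        return 1
    }
    samba-tool "$@" -H "ldap://$dc" --kerberos=yes
}

# Only run something when invoked with a subcommand, so the file can also be
# sourced for its functions.
if [ $# -gt 0 ]; then
    samba_on_any_dc "$@"
fi
```

Usage from the member's console after `kinit administrator`: `./samba_any_dc.sh user list`, or `./samba_any_dc.sh user create jdoe` for the user-adding case from the question. Probing once with a cheap query before the real command keeps the failure mode simple: if every DC is down you get one clear error instead of a partial run.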

