[Samba] Using samba-tool from Domain member

Rowland Penny rpenny at samba.org
Tue Jan 8 22:02:41 UTC 2019

On Tue, 8 Jan 2019 13:13:15 -0800
Luke Barone via samba <samba at lists.samba.org> wrote:

> Hi list,
> I'm trying to work on a script that should not care what DC is up, as
> long as one is. I want to be able to use the samba-tool command in
> our Samba-AD domain from a domain member, using kerberos.
> I have the kinit command granting me a ticket. I want to use that
> ticket to remotely add users to the domain controller, while I'm on
> the domain member's console. For example:
> root at fileserver.example.com:~# kinit administrator
> Password for administrator at EXAMPLE.COM:
> root at fileserver.example.com:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at EXAMPLE.COM
> Valid starting     Expires            Service principal
> 08/01/19 13:03:00  08/01/19 23:03:00  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>         renew until 09/01/19 13:02:59
> root at fileserver.example.com:~#   samba-tool user list --kerberos=yes
> ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line
> 445, in run
>     attrs=["samaccountname"])
> The commands run fine from the domain controller, but we want to run
> the commands from a member server. Is this possible, either using
> usernames/passwords or kerberos? We are on Debian 9.6, running Samba
> 4.5.12-Debian (Yes, I know it's EOL for Samba, but it's the latest in
> the repo).

You don't actually need kerberos to list users from a Unix domain
member, you need to run the command as root and add '-H


More information about the samba mailing list