[Samba] Kerberos fails in some cases

Sergio Belkin sebelk at gmail.com
Tue Mar 26 17:10:12 UTC 2019


On Tue, 26 Mar 2019 at 5:36, Rowland Penny via samba (<
samba at lists.samba.org>) wrote:

> On Mon, 25 Mar 2019 20:33:44 -0300
> Sergio Belkin via samba <samba at lists.samba.org> wrote:
>
> > On Mon, 25 Mar 2019 at 19:41, Sergio Belkin (<sebelk at gmail.com>)
> > wrote:
> >
> > > Hi folks,
> > > I can use kerberos to create or delete user, eg:
> > >
> > > samba-tool user create test -k yes
> > >
> > > however, if I want to perform a backup it fails:
> > >
> > > samba-tool domain backup online --targetdir=/srv/backup
> > > --server=192.168.50.40 -k yes
> > > gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO
> > > negTokenInit request
> > > Failed to bind - LDAP client internal error:
> > > NT_STATUS_INVALID_PARAMETER Failed to connect to
> > > 'ldap://192.168.50.40' with backend 'ldap': LDAP client internal
> > > error: NT_STATUS_INVALID_PARAMETER ERROR(ldb): uncaught exception -
> > > LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> > >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > > line 177, in _run
> > >     return self.run(*args, **kwargs)
> > >   File
> > > "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py",
> > > line 228, in run dns_backend='SAMBA_INTERNAL', targetdir=tmpdir)
> > >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1509,
> > > in join_clone
> > >     include_secrets=include_secrets)
> > >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1584,
> > > in __init__
> > >     dns_backend=dns_backend)
> > >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 98, in
> > > __init__
> > >     credentials=ctx.creds, lp=ctx.lp)
> > >   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 64,
> > > in __init__
> > >     options=options)
> > >   File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line
> > > 115, in __init__
> > >     self.connect(url, flags, options)
> > >   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 79,
> > > in connect
> > >     options=options)
> > >
> > > What could be wrong?
> > >
> > > I use samba 4.9.3 on Debian (Van Belle repo)
> > >
> > > Thanks in advance!
> > >
> > > --
> > > Sergio Belkin
> > > LPIC-2 Certified - http://www.lpi.org
> > >
> >
> >
> > I've found that it is an error to use an IP address with Kerberos, that's
> > wrong; anyway, if I use the hostname it prompts me for the password:
> >
> > samba-tool domain backup online --targetdir=/srv/backup --server=
> > samba4.example.com  -k yes -d3
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'http_negotiate' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > samba4.example.com<0x20> Password for [EXAMPLE\root]:
> >
> > I don't understand why it cannot resolve samba4.example.com, because it
> > can outside of this command....
> >
> > Please could you help me?
> >
> >
>
> That isn't the problem ;-)
> The problem is that you are not giving a domain user, so it is falling
> back to the logged in user 'root' and this user cannot have a kerberos
> ticket.
> You need to 'kinit' as a domain user with the required rights,
> 'Administrator' for instance, then add '-U Administrator' to the
> command.
>
> Rowland
>
>

Rowland,

That did the trick. I wonder why kinit is not needed when
creating/deleting users... :-?


-- 
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
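The preflight script below is an added example, not code from the thread or from the Samba project. It encodes the two points made above before `samba-tool domain backup online ... -k yes` is run: the credential cache must hold a ticket for a domain user (obtained with `kinit`), that user must be passed explicitly with `-U` so samba-tool does not fall back to the local login name, and `--server` should be the DC's DNS name rather than an IP literal, since Kerberos looks up a service principal by host name. The realm `EXAMPLE.COM`, the DC name `samba4.example.com` and the `klist` output are constructed for the example; a real run replaces the sample with `klist 2>/dev/null`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Samba itself):
# pre-flight checks for a Kerberos-authenticated samba-tool online backup.
# Assumed/hypothetical values: realm EXAMPLE.COM, DC samba4.example.com.

# Print the principal that owns the credential cache, given klist output on
# stdin. Matches MIT ("Default principal: x@R") and Heimdal ("Principal: x@R").
principal_from_klist() {
    sed -n 's/^[[:space:]]*\(Default \)\{0,1\}[Pp]rincipal:[[:space:]]*//p' | head -n 1
}

# Return 0 when PRINCIPAL is user@REALM for the expected REALM, i.e. a domain
# account rather than a ticketless local login such as root.
check_domain_principal() {
    principal=$1
    realm=$2
    user=${principal%@*}
    prealm=${principal#*@}
    [ -n "$user" ] && [ "$prealm" = "$realm" ] && [ "$user" != "$principal" ]
}

# Return 0 when SERVER is a host name; a bare IPv4 literal gives Kerberos no
# ldap/<fqdn> service principal to ask the KDC for.
server_is_hostname() {
    case $1 in
        *[!0-9.]*) return 0 ;;   # anything beyond digits and dots: a name
        *)         return 1 ;;
    esac
}

# Compose the backup command with the domain user passed explicitly via -U.
build_backup_cmd() {
    printf 'samba-tool domain backup online --targetdir=%s --server=%s -k yes -U %s\n' \
        "$3" "$2" "$1"
}

# preflight KLIST_OUTPUT REALM SERVER TARGETDIR
# Prints the command to run on success; explains the failure on stderr and
# returns 1 otherwise.
preflight() {
    klist_out=$1; realm=$2; server=$3; targetdir=$4
    principal=$(printf '%s\n' "$klist_out" | principal_from_klist)
    if [ -z "$principal" ]; then
        echo "no Kerberos ticket found: run 'kinit <domainuser>@$realm' first" >&2
        return 1
    fi
    if ! check_domain_principal "$principal" "$realm"; then
        echo "ticket belongs to '$principal', not a $realm domain user;" \
             "samba-tool would fall back to the login name and prompt for a password" >&2
        return 1
    fi
    if ! server_is_hostname "$server"; then
        echo "use the DC's DNS name, not '$server', so the ldap/<fqdn> SPN can be located" >&2
        return 1
    fi
    build_backup_cmd "${principal%@*}" "$server" "$targetdir"
}

# Constructed klist output standing in for `klist 2>/dev/null` on a host
# where 'kinit Administrator@EXAMPLE.COM' has been run.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.COM

Valid starting       Expires              Service principal
03/26/2019 14:00:01  03/27/2019 00:00:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

preflight "$SAMPLE_KLIST" EXAMPLE.COM samba4.example.com /srv/backup
```

With an empty cache or an IP address in `--server`, `preflight` refuses and says why, which is the diagnosis that took this thread two rounds to reach; on success it prints the exact command line with `-k yes -U Administrator`.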

