[Samba] net ads status stripped output

Rowland penny rpenny at samba.org
Thu Jun 4 09:28:59 UTC 2020

On 04/06/2020 10:00, Markus Lindberg wrote:
>> Ah, I think I understand what you are doing now, but I think you must be
>> running the command as root. If I run the command it just errors out
>> 'ERROR: Unable to open secrets database', but if I run it using sudo, I
>> get a similar output as yours.
>> You are quite correct, '-P' means use the machine account and this is a
>> very unprivileged user.
> That is fair. When I run the `net ads status` command I run it as a
> somewhat 'normal' user. I can always authenticate with an AD account if
> I supply the '-U' flag or if I supply the '-k' flag (if `kinit` has
> been run). I always get the exact same stripped output.
> The attribute that I'm looking for is the 'distinguishedName' attribute.
> But it is not displayed when I run `net ads status` and I suspect that
> _something_ has changed that limits this output. So my question is, has
> this been changed? If so I need to find another way to fetch this
> attribute.
> --
> Markus

I suppose it must have changed, but  you can get it with something like 

ldbsearch -H ldap://$(host -t SRV _ldap._tcp.pdc._msdcs.$(hostname -d) | 
awk '{print $NF}') -P "(sAMAccountName=$(hostname -s)\$)" 
distinguishedName | grep 'distinguishedName' | awk '{print $NF}'

It will involve installing ldb-tools


More information about the samba mailing list