Franta Hanzlík franta at hanzlici.cz
Thu Aug 25 19:11:36 UTC 2022

Hello all,

I just built Samba-4.16.4 on Fedora 36 x86_64, as my own build with the
internal Heimdal krb5 (I hope for better stability than with Fedora's
MIT krb5).
Samba seems to be working, as well as new AD DC provisioning. Now I want
to use samba-tool in a batch shell script for setting up the DC DB, and I would
like to use admin authentication with a name and password stored in
a file - and this is where I ran into trouble.

The only hint that it should work somehow is the samba-tool man page, where
in the '-U|--user' option paragraph it says:
A third option is to use a credentials file which contains the plaintext
of the username and password. This option is mainly provided for scripts
where the admin does not wish to pass the credentials on the command line
or via environment variables. If this method is used, make certain that
the permissions on the file restrict access from unwanted users.
See the -A for more details.

There is nothing else in the man page, nor did I find anything on the Internet about
it. And all attempts such as:

# samba-tool dns zonecreate localhost 1.168.192.in-addr.arpa -N -A ~/sambaAdmin
Usage: samba-tool dns zonecreate <server> <zone> [options]
samba-tool dns zonecreate: error: no such option: -A

# samba-tool dns zonecreate localhost 1.168.192.in-addr.arpa -N -U ~/sambaAdmin
cli_credentials_failed_kerberos_login: krb5_cc_get_principal failed: No such file or directory
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:[49153,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=] NT_STATUS_LOGON_FAILURE
ERROR: Connecting to DNS RPC server failed with (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')

etc. were unsuccessful, and according to:

# samba-tool --help
Usage: samba-tool <subcommand>

Main samba administration tool.

  -h, --help       show this help message and exit

  Version Options:
    -V, --version  Display version number

Available subcommands:
  computer    - Computer management.
  contact     - Contact management.
  dbcheck     - Check local AD database for errors.
  delegation  - Delegation management.
  dns         - Domain Name Service (DNS) management.
  domain      - Domain management.
  drs         - Directory Replication Services (DRS) management.
  dsacl       - DS ACLs manipulation.
  forest      - Forest management.
  fsmo        - Flexible Single Master Operations (FSMO) roles management.
  gpo         - Group Policy Object (GPO) management.
  group       - Group management.
  ldapcmp     - Compare two ldap databases.
  ntacl       - NT ACLs manipulation.
  ou          - Organizational Units (OU) management.
  processes   - List processes (to aid debugging on systems without setproctitle).
  rodc        - Read-Only Domain Controller (RODC) management.
  schema      - Schema querying and management.
  sites       - Sites management.
  spn         - Service Principal Name (SPN) management.
  testparm    - Syntax check the configuration file.
  time        - Retrieve the time on a server.
  user        - User management.
  visualize   - Produces graphical representations of Samba network state.
For more help on a specific subcommand, please type: samba-tool <subcommand> (-h|--help)

# samba-tool dns zonecreate --help
Usage: samba-tool dns zonecreate <server> <zone> [options]

Create a zone.

  -h, --help            show this help message and exit
                        Client Version

  Credentials Options:
                        DN to use for a simple bind
    -U USERNAME, --username=USERNAME
    -W WORKGROUP, --workgroup=WORKGROUP
    -N, --no-pass       Don't ask for a password
                        IP address of server
    -P, --machine-pass  Use stored machine account password
                        Use Kerberos authentication
                        Kerberos Credentials cache
    -k KERBEROS, --kerberos=KERBEROS
                        DEPRECATED: Migrate to --use-kerberos

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Version Options:
    -V, --version       Display version number

neither the -A option nor a credentials file is mentioned.

Where am I making a mistake?
How should I use the credentials file?

PS: I was trying to build Samba as a set of RPM packages, inspired
by the Fedora samba.spec file with some modifications, and talloc,
tevent, tdb and ldb are external - not sure when there may be
Thanks, Franta Hanzlík
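One way to do what the post asks for, added here as an example and not code from the post's author or from the Samba project: samba-tool 4.16 has no -A option (the help output above confirms this), so the script below keeps the username and password in a file with the smbclient-style "username = / password = / domain =" layout, enforces the permission caveat from the man page excerpt (owner-only mode, owned by the calling user), obtains a Kerberos ticket by piping the password to kinit over stdin, and then runs samba-tool against that private credential cache with --use-kerberos=required and --use-krb5-ccache. The password therefore never appears on a command line or in samba-tool's environment. Assumptions that are mine, not the page's: kinit on PATH is MIT kinit (reads the password from stdin when it is not a tty) or Heimdal kinit (needs --password-file=STDIN, which the script adds when it detects Heimdal); GNU stat is available for the permission check; the realm EXAMPLE.COM and the creds-run.sh name are placeholders.

```shell
#!/bin/sh
# Added example, not from the post above or from the Samba project.
# Drive samba-tool from a batch script with admin credentials read from a
# file, without -A (samba-tool 4.16 has no such option) and without putting
# the password on the command line or into samba-tool's environment.
#
# Assumptions (not from the page): the file uses the smbclient-style layout
# "username = ...", "password = ...", "domain = ..."; kinit is MIT (password
# on stdin) or Heimdal (--password-file=STDIN); samba-tool accepts
# --use-kerberos and --use-krb5-ccache (4.15+); GNU stat is present.

# Refuse a credentials file that is not ours or that others could read.
check_creds_perms() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    mode=$(stat -c %a "$f") || return 1
    owner=$(stat -c %u "$f") || return 1
    [ "$owner" = "$(id -u)" ] || { echo "$f: not owned by uid $(id -u)" >&2; return 1; }
    case $mode in
        600|400) return 0 ;;
        *) echo "$f: mode $mode is too permissive, want 0600" >&2; return 1 ;;
    esac
}

# Print the value of one "key = value" line (key case-insensitive, leading and
# trailing blanks dropped, '=' allowed inside the value); empty if absent.
creds_field() {
    awk -F= -v k="$1" '
        tolower($1) ~ "^[ \t]*" k "[ \t]*$" {
            sub(/^[^=]*=[ \t]*/, "")   # drop "key =" and leading blanks
            sub(/[ \t]+$/, "")         # drop trailing blanks
            print
            exit
        }' "$2"
}

# Get a TGT into the given cache with the password piped to kinit over stdin,
# so it never shows up in ps(1) output or in any process environment.
kinit_from_file() {
    f=$1; ccache=$2; realm=$3
    check_creds_perms "$f" || return 1
    user=$(creds_field username "$f")
    [ -n "$user" ] || { echo "$f: no username line" >&2; return 1; }
    kinit_opts=
    if kinit --version 2>/dev/null | grep -q Heimdal; then
        kinit_opts=--password-file=STDIN   # Heimdal does not read a non-tty stdin by default
    fi
    creds_field password "$f" | KRB5CCNAME=$ccache kinit $kinit_opts "$user@$realm"
}

# Run samba-tool with the ticket, then destroy the private cache.
run_samba_tool_with_creds() {
    f=$1; realm=$2; shift 2
    cc=$(mktemp /tmp/samba-tool-cc.XXXXXX) || return 1
    trap 'kdestroy -c "FILE:$cc" 2>/dev/null; rm -f "$cc"' EXIT
    kinit_from_file "$f" "FILE:$cc" "$realm" || return 1
    samba-tool "$@" --use-kerberos=required --use-krb5-ccache="FILE:$cc"
}

# Usage (EXAMPLE.COM is a placeholder realm, ~/sambaAdmin the file from the post):
#   sh creds-run.sh --run ~/sambaAdmin EXAMPLE.COM \
#       dns zonecreate localhost 1.168.192.in-addr.arpa
if [ "${1:-}" = "--run" ]; then
    shift
    run_samba_tool_with_creds "$@"
fi
```

The functions are kept separate from the entry point so the parsing and permission check can be exercised on a constructed file before any ticket is requested; a file that is group- or world-readable, or owned by someone else, is rejected before the password is read at all.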

