[Samba] samba-tool and -A option (credentials in file)

Rowland Penny rpenny at samba.org
Thu Aug 25 19:53:08 UTC 2022

On Thu, 2022-08-25 at 21:11 +0200, Franta Hanzlík via samba wrote:
> Hello all,
> I just build Samba-4.16.4 on Fedora 36 x86_64, as own build with
> internal Heimdal krb5 (I hope for better stability than with Fedora's
> MIT krb5).
> Samba seems working, as well as new AD DC provisioning. Now I want
> using samba-tool in batch shell script for setting DC DB, and I would
> like to use admin authentication using a name and password stored in
> a file - and this is where I came across.
> The only note that it should work somehow is samba-tool man page,
> where
> in '-U|--user' option paragraph is:
> ...
> A third option is to use a credentials file which contains the
> plaintext
> of the username and password. This option is mainly provided for
> scripts
> where the admin does not wish to pass the credentials on the command
> line
> or via environment variables. If this method is used, make certain
> that
> the permissions on the file restrict access from unwanted users.
> See the -A for more details.

I think you have found a bug. I have never really read the samba-tool
manpage, the information you get from '--help' is usually sufficient. I
have never come across '-A' and samba-tool, this is probably because
you do not require it, you can just run kinit and then use kerberos.
Also when a user logs in, they get a kerberos ticket and you can also
use the computers ticket for searches etc.

To put it another way, there is no '-A' option and you do not use a
credentials file.


More information about the samba mailing list