[Samba] samba-tool and -A option (credentials in file)

Franta Hanzlík franta at hanzlici.cz
Fri Aug 26 02:32:44 UTC 2022

On Thu, 25 Aug 2022 20:53:08 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 2022-08-25 at 21:11 +0200, Franta Hanzlík via samba wrote:
> > Hello all,
> > 
> > I just build Samba-4.16.4 on Fedora 36 x86_64, as own build with
> > internal Heimdal krb5 (I hope for better stability than with Fedora's
> > MIT krb5).
> > Samba seems working, as well as new AD DC provisioning. Now I want
> > using samba-tool in batch shell script for setting DC DB, and I would
> > like to use admin authentication using a name and password stored in
> > a file - and this is where I came across.
> > 
> > The only note that it should work somehow is samba-tool man page,
> > where
> > in '-U|--user' option paragraph is:
> > ...
> > A third option is to use a credentials file which contains the
> > plaintext
> > of the username and password. This option is mainly provided for
> > scripts
> > where the admin does not wish to pass the credentials on the command
> > line
> > or via environment variables. If this method is used, make certain
> > that
> > the permissions on the file restrict access from unwanted users.
> > See the -A for more details.  
> I think you have found a bug. I have never really read the samba-tool
> manpage, the information you get from '--help' is usually sufficient. I
> have never come across '-A' and samba-tool, this is probably because
> you do not require it, you can just run kinit and then use kerberos.
> Also when a user logs in, they get a kerberos ticket and you can also
> use the computers ticket for searches etc.
> To put it another way, there is no '-A' option and you do not use a
> credentials file.
> Rowland
> -- 

Hi Rowland and Luke,
thanks for Your help. As I knew, that -A option in Samba-related tools
(samba-client, ldb-tools) already exist, I was convinced I was doing
something wrong...

But, Rowland - using kinit supposes interactive session and manualy
entered password, right? I think this isn't solving my problem for
non-interactive bash shell script. Or I'm missing something?

For now I have used --password ( -U USERNAME%PASSWORD should be same),
but I'd like the data in the file better ;)
Thanks, Frantа Hanzlik

More information about the samba mailing list