[Samba] Looking for Python docs/examples to modify DNS via keytab

christian baltini christian.baltini at gmail.com
Sun Jun 30 08:16:29 UTC 2024


It does work! I know enough about Kerberos that I tried to use the DNS name, but I must have had it wrong before, as I thought it did not work. It does, so thank you for confirming that I was on the right track.

I think I am close to a basic Python function to list zones.  I have my krb cache at /tmp/kk and have checked using samba-tool on the CLI.

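from io import StringIO
from optparse import OptionParser

from samba.getopt import CredentialsOptions, SambaOptions
from samba.netcmd import dns

def zonelist(server):
    parser = OptionParser()
    sambaopts = SambaOptions(parser)
    credopts = CredentialsOptions(parser)
    # Point the credentials at the existing Kerberos credential cache
    credopts._set_krb5_ccache(arg="/tmp/kk", parser=parser)  # MISSING option and opt_str
    credopts.ask_for_password = False
    lp = sambaopts.get_loadparm()
    lp.set('realm', __domain_name(server))
    lp.set('debug level', '0')
    output = StringIO()
    cmd = dns.cmd_zonelist()
    cmd.outf = output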

Looking at _set_krb5_ccache (https://gitlab.com/samba-team/samba/-/blob/master/python/samba/getopt.py?ref_type=heads#L441) I see that “arg” appears to be the path to my krb cc. What do I supply for opt and opt_str in calling that function?

Apologies for your CC Rowland, and thanks again.

> On Jun 30, 2024, at 12:56 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> On Sun, 30 Jun 2024 00:22:57 -0700
> christian baltini <christian.baltini at gmail.com> wrote:
>> 
>> This is the output I get:
>> 
>> (venv) root at ubu1:~/py_krb# samba-tool dns zonelist localhost
>> --use-krb5-ccache=/tmp/krb5cc_0 Failed to bind to uuid
>> 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for
>> ncacn_ip_tcp:127.0.0.1[49153,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1]
>> NT_STATUS_INVALID_PARAMETER ERROR: Connecting to DNS RPC server
>> 127.0.0.1 failed with (3221225485, 'An invalid parameter was passed
>> to a service or function.')
>> 
>> Am I wrong in thinking this is necessarily some type of kerberos auth
>> issue?
>> 
> 
> Well, yes and no ;-)
> 
> Kerberos only works using names not ipaddresses, 'localhost' becomes
> '127.0.0.1' and there is your 'NT_STATUS_INVALID_PARAMETER'. Try it
> with the DCs short hostname.
> 
> Rowland
> 
> PS, please just reply to the list, do not 'CC' me.
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
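
Added example, not part of the original post and not Samba code: how Python's optparse fills in the four parameters of a callback shaped like `_set_krb5_ccache(option, opt_str, arg, parser)`. `DemoCredentialsOptions` is a hypothetical stand-in for `samba.getopt.CredentialsOptions`, and it assumes the real method is registered as an optparse callback for `--use-krb5-ccache`, as its parameter list suggests.

```python
from optparse import OptionGroup, OptionParser


class DemoCredentialsOptions(OptionGroup):
    """Hypothetical stand-in for samba.getopt.CredentialsOptions."""

    def __init__(self, parser):
        super().__init__(parser, "Credentials Options")
        self.ccache = None
        self.seen = []  # what optparse handed to the callback
        self.add_option("--use-krb5-ccache", metavar="CCACHE", type="string",
                        action="callback", callback=self._set_krb5_ccache,
                        help="Kerberos credential cache to use")

    def _set_krb5_ccache(self, option, opt_str, arg, parser):
        # optparse supplies all four: the Option object, the option string
        # as it appeared in argv, the converted value, and the parser.
        self.seen.append((type(option).__name__, opt_str, arg))
        self.ccache = arg


def ccache_via_parser(path):
    """Let optparse invoke the callback by parsing a constructed argv."""
    parser = OptionParser()
    credopts = DemoCredentialsOptions(parser)
    parser.add_option_group(credopts)
    parser.parse_args(["--use-krb5-ccache=" + path])
    return credopts


def ccache_via_direct_call(path):
    """Call the callback by hand with the values optparse would pass."""
    parser = OptionParser()
    credopts = DemoCredentialsOptions(parser)
    parser.add_option_group(credopts)
    option = parser.get_option("--use-krb5-ccache")
    credopts._set_krb5_ccache(option, "--use-krb5-ccache", path, parser)
    return credopts


if __name__ == "__main__":
    # "/tmp/kk" is the ccache path from the post; nothing is read from disk.
    for fn in (ccache_via_parser, ccache_via_direct_call):
        c = fn("/tmp/kk")
        print(fn.__name__, c.ccache, c.seen)
```

Both routes leave the stand-in in the same state; parsing a constructed argument list avoids calling an underscore-prefixed method whose signature may change between releases.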
