[Samba] Looking for Python docs/examples to modify DNS via keytab

christian baltini christian.baltini at gmail.com
Sun Jun 30 23:19:14 UTC 2024


Thank you David, this is a very helpful start.

I have altered the zonelist function in the example you linked like so:

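from io import StringIO
from optparse import OptionParser

from samba.credentials import MUST_USE_KERBEROS
from samba.getopt import CredentialsOptions, SambaOptions
from samba.netcmd import dns


def zonelist(server):  # Username and password arguments have been removed
    parser = OptionParser()
    sambaopts = SambaOptions(parser)
    credopts = CredentialsOptions(parser)
    # Require Kerberos and point the credentials at an existing ccache
    credopts.creds.set_kerberos_state(MUST_USE_KERBEROS)
    credopts.ask_for_password = False
    credopts.creds.set_named_ccache("/tmp/kk_bak")
    credopts.machine_pass = False
    lp = sambaopts.get_loadparm()
    # __domain_name() is not defined in this excerpt
    lp.set('realm', __domain_name(server))
    lp.set('debug level', '3')
    # Capture the command's output in memory instead of printing it
    output = StringIO()
    cmd = dns.cmd_zonelist()
    cmd.outf = output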

When calling it, I’m getting this error:

Failed to get kerberos credentials (kerberos required): kinit_to_ccache: No password available for kinit

Cannot obtain client GSS credentials we need to contact (null) : kinit_to_ccache: No password available for kinit

gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for host/UBU1.SAMBA1.MYDOMAIN.COM failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
Could not find GENSEC backend for auth_type=10
Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:172.16.191.131[49153,sign,target_hostname=UBU1.SAMBA1.MYDOMAIN.COM,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=172.16.191.131] NT_STATUS_INVALID_PARAMETER

My krb5 cache at /tmp/kk_bak is valid, as it works with "samba-tool dns zonelist ubu1.samba1.mydomain.com --use-krb5-ccache /tmp/kk_bak".

Thanks in advance to anybody with any advice!

CB


> On Jun 29, 2024, at 1:11 AM, David Mulder via samba <samba at lists.samba.org> wrote:
> 
> On 6/28/24 10:07 PM, christian baltini via samba wrote:
>> Hello all,
>> 
>> I am looking to rewrite the shell script here (https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records) in Python.
>> 
>> Is anyone aware of any resources (docs, existing code, etc.) that may be useful in doing so?  I’m not finding any introductory docs or simple code examples that show things like instantiating a DNS server connection with a keytab.
> It's a bit awkward, but you can import and call the samba-tool commands directly within Python (samba-tool of course is written in Python). See an example of this hack here:
> https://github.com/yast/yast2-dns-manager/blob/master/src/modules/SambaToolDnsAPI.py 
> 
> This example uses username/password for auth, but the CredentialsOptions parser can be instructed to use the keytab, IIUC: https://gitlab.com/samba-team/samba/-/blob/master/python/samba/getopt.py?ref_type=heads#L384 
> 
> If you don't like this hacky approach, you could re-implement something using the same calls made by samba-tool: https://gitlab.com/samba-team/samba/-/blob/master/python/samba/netcmd/dns.py?ref_type=heads
> 
> This is probably a more appropriate approach, but a bit more work.
> 
> -- 
> David Mulder
> Labs Software Engineer, Samba
> SUSE
> 1221 S Valley Grove Way, Suite 500
> Pleasant Grove, UT 84062
> (P)+1 385.208.2989
> dmulder at suse.com
> http://www.suse.com