[Samba] Usage of the machine account for ldapsearch

Matthias Kühne | Ellerhold Aktiengesellschaft matthias.kuehne at ellerhold.de
Wed Feb 4 06:45:48 UTC 2026


Hello lovely Samba people,

we've got some scripts that automate tasks like creating directories for
Samba users based on their AD groups. So we need to query the complete
group list of AD users from a bash or python script regularly.

ATM we're creating a new user for this, exporting its keytab and using
kinit and ldapsearch -Y GSSAPI.

These scripts run on domain-joined Debian servers, so they have a
machine account that winbind uses to get the same data. Can we use this
machine account to query the group membership of users somehow? "net ads
keytab list" shows a lot of principals:

Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  TEST-SERVER$@AD.ELLERHOLD.LAN
  1  aes128-cts-hmac-sha1-96  TEST-SERVER$@AD.ELLERHOLD.LAN
  1  arcfour-hmac-md5         TEST-SERVER$@AD.ELLERHOLD.LAN
  1  aes256-cts-hmac-sha1-96  HOST/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
  1  aes128-cts-hmac-sha1-96  HOST/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
  1  arcfour-hmac-md5         HOST/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
  1  aes256-cts-hmac-sha1-96  RestrictedKrbHost/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
  1  aes128-cts-hmac-sha1-96  RestrictedKrbHost/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
  1  arcfour-hmac-md5         RestrictedKrbHost/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
  1  aes256-cts-hmac-sha1-96  HOST/TEST-SERVER@AD.ELLERHOLD.LAN
  1  aes128-cts-hmac-sha1-96  HOST/TEST-SERVER@AD.ELLERHOLD.LAN
  1  arcfour-hmac-md5         HOST/TEST-SERVER@AD.ELLERHOLD.LAN
  1  aes256-cts-hmac-sha1-96  RestrictedKrbHost/TEST-SERVER@AD.ELLERHOLD.LAN
  1  aes128-cts-hmac-sha1-96  RestrictedKrbHost/TEST-SERVER@AD.ELLERHOLD.LAN
  1  arcfour-hmac-md5         RestrictedKrbHost/TEST-SERVER@AD.ELLERHOLD.LAN
  1  aes256-cts-hmac-sha1-96  host/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
  1  aes128-cts-hmac-sha1-96  host/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
  1  arcfour-hmac-md5         host/TEST-SERVER.ad.ellerhold.lan@AD.ELLERHOLD.LAN
  1  aes256-cts-hmac-sha1-96  host/TEST-SERVER@AD.ELLERHOLD.LAN
  1  aes128-cts-hmac-sha1-96  host/TEST-SERVER@AD.ELLERHOLD.LAN
  1  arcfour-hmac-md5         host/TEST-SERVER@AD.ELLERHOLD.LAN

I can run kinit 'TEST-SERVER$@AD.ELLERHOLD.LAN' and it prompts me for a
password. There must be a keytab somewhere on this server that I can use, right?

Alternatively, can I query winbind directly from bash / python? I guess I
could always run "groups <User>" to get the groups...

Thanks in advance and have a nice day!

-- 
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
LinkedIn: www.linkedin.com/company/ellerhold-gruppe

Dresden District Court / HRB 23769
Management Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold




This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.

You can find our privacy policy here: https://www.ellerhold.de/datenschutz/
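The post asks two things: whether the machine account's keytab can drive kinit and ldapsearch -Y GSSAPI instead of a dedicated service user, and how a script should consume the result. The prompt the poster sees comes from running kinit without -k, which asks for a password instead of reading a keytab; the client principal to use is the machine account itself (TEST-SERVER$), while the HOST/ and RestrictedKrbHost/ entries are service principals the host uses to accept tickets. The script below is an added example written for this page; it is not code from the original post or from the Samba project. It assumes (none of which the post confirms) that the keytab "net ads keytab list" read is /etc/krb5.keytab (Samba's "dedicated keytab file" setting decides the real location), that a DC named dc1.ad.ellerhold.lan answers LDAP, and that it runs as root, since the keytab is root-only. Beyond the plain query it shows three things a practitioner scripting this usually gets wrong: keeping the machine TGT in a private ticket cache, RFC 4515 escaping of the username before it goes into the filter, and parsing ldapsearch's LDIF correctly (folded long lines, base64 "memberOf::" values for group names with umlauts, and escaped commas inside a CN). The sample LDIF at the bottom is constructed so the parsing path runs without a domain.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from the Samba project.
# Assumptions not confirmed by the post: the keytab that "net ads keytab list"
# read is /etc/krb5.keytab (the MIT default; Samba's "dedicated keytab file"
# setting decides where it really is), a DC named dc1.ad.ellerhold.lan answers
# LDAP, and the script runs as root because the keytab is (and must stay)
# readable by root only.
set -eu

REALM="${REALM:-AD.ELLERHOLD.LAN}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
LDAP_URI="${LDAP_URI:-ldap://dc1.ad.ellerhold.lan}"   # assumed DC hostname
BASE_DN="${BASE_DN:-DC=ad,DC=ellerhold,DC=lan}"
# The client principal is the machine account itself (TEST-SERVER$ in the
# post); the HOST/ and RestrictedKrbHost/ entries are service principals the
# box uses to accept tickets, not to obtain them.
MACHINE_PRINC="${MACHINE_PRINC:-$(uname -n | cut -d. -f1 | tr '[:lower:]' '[:upper:]')\$@${REALM}}"
# A private ticket cache keeps the machine TGT out of root's default cache,
# where an interactive login or another cron job might pick it up.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/run/ad-group-sync.ccache}"

machine_kinit() {
    # -k -t reads the key from the keytab; without -k kinit asks for a
    # password, which is exactly the prompt the post describes.
    kinit -k -t "$KEYTAB" "$MACHINE_PRINC"
}

# RFC 4515 escaping, so a username such as 'admin)(objectClass=*' cannot
# rewrite the filter.  Backslash has to be escaped first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Raw LDIF for one user, memberOf only (expects an already-escaped name).
fetch_member_of() {
    ldapsearch -LLL -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" \
        "(&(objectClass=user)(sAMAccountName=$1))" memberOf
}

# ldapsearch folds long values at 76 columns; a continuation line starts with
# one space.  Join them back before parsing, or long DNs silently get cut.
ldif_unfold() {
    awk '
        /^ /    { buf = buf substr($0, 2); next }
        NR > 1  { print buf }
                { buf = $0 }
        END     { if (NR > 0) print buf }
    '
}

# Print the CN of every memberOf value.  Values with non-ASCII characters
# (a German umlaut in a group name is enough) arrive base64-encoded after
# "memberOf::"; commas inside a CN arrive escaped as "\,".
member_of_cns() {
    while IFS= read -r line; do
        case "$line" in
            "memberOf:: "*) dn="$(printf '%s' "${line#memberOf:: }" | base64 -d)" ;;
            "memberOf: "*)  dn="${line#memberOf: }" ;;
            *) continue ;;
        esac
        # strip "CN=", cut at the first unescaped comma, unescape "\," in the name
        printf '%s\n' "$dn" | sed -e 's/^CN=//' -e 's/\([^\\]\),.*$/\1/' -e 's/\\,/,/g'
    done
}

# Constructed sample of what ldapsearch -LLL returns for one user: the second
# value is folded across two lines, the third is base64 because of the umlaut.
sample_ldif() {
    umlaut_dn="CN=Gruppe Ärzte,OU=Gruppen,DC=ad,DC=ellerhold,DC=lan"
    cat <<EOF
dn: CN=Test User,OU=Users,DC=ad,DC=ellerhold,DC=lan
memberOf: CN=Domain Admins,CN=Users,DC=ad,DC=ellerhold,DC=lan
memberOf: CN=Web Developers,OU=Some Very Long Organizational Unit Name,OU=Depa
 rtments,DC=ad,DC=ellerhold,DC=lan
memberOf:: $(printf '%s' "$umlaut_dn" | base64 | tr -d '\n')
EOF
}

# Group names for one sAMAccountName, one per line.
user_groups() {
    machine_kinit
    fetch_member_of "$(ldap_filter_escape "$1")" | ldif_unfold | member_of_cns
}

if [ "${1:-}" ]; then
    user_groups "$1"
    kdestroy
fi
```

Run it as `./ad-groups.sh some.user` on the joined host; with no argument only the functions are defined, which is handy for testing the parser against `sample_ldif`. Note that memberOf lists direct membership only; nested and primary-group membership is not in that attribute. For the winbind route the poster mentions, `id -Gn` and `getent group` resolve through nss_winbind and need no ticket at all; the LDAP route earns its keep when you need attributes NSS does not expose.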





