Web lists-archives.com

Re: [Samba] Using samba-tool from Domain member




I should have been more specific. I'm trying to add users; I figured
listing the users was a good test. I'm sure it's expected, but I'm now
seeing the following:

# samba-tool user create test.user -H ldap://dc1
New Password:
Retype Password:
ERROR(ldb): Failed to add user 'test.user':  - LDAP error 1
LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without
authentication> <>

I tried using the -U and -P switch (as a test), and it claimed that the
Administrator was "unable to get access to CN=....". I used the "--kerberos
yes" switch with the -H ldap://dc1, and that works!


On Tue, Jan 8, 2019 at 2:03 PM Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> On Tue, 8 Jan 2019 13:13:15 -0800
> Luke Barone via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Hi list,
> >
> > I'm trying to work on a script that should not care what DC is up, as
> > long as one is. I want to be able to use the samba-tool command in
> > our Samba-AD domain from a domain member, using kerberos.
> >
> > I have the kinit command granting me a ticket. I want to use that
> > ticket to remotely add users to the domain controller, while I'm on
> > the domain member's console. For example:
> >
> > root@xxxxxxxxxxxxxxxxxxxxxx:~# kinit administrator
> > Password for administrator@xxxxxxxxxxx:
> > root@xxxxxxxxxxxxxxxxxxxxxx:~# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: administrator@xxxxxxxxxxx
> >
> > Valid starting     Expires            Service principal
> > 08/01/19 13:03:00  08/01/19 23:03:00  krbtgt/EXAMPLE.COM@xxxxxxxxxxx
> >         renew until 09/01/19 13:02:59
> >
> > root@xxxxxxxxxxxxxxxxxxxxxx:~#   samba-tool user list --kerberos=yes
> > ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line
> > 445, in run
> >     attrs=["samaccountname"])
> >
> >
> > The commands run fine from the domain controller, but we want to run
> > the commands from a member server. Is this possible, either using
> > usernames/passwords or kerberos? We are on Debian 9.6, running Samba
> > 4.5.12-Debian (Yes, I know it's EOL for Samba, but it's the latest in
> > the repo).
>
> You don't actually need kerberos to list users from a Unix domain
> member, you need to run the command as root and add '-H
> ldap://DC_SHORT_HOSTNAME'
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba