Web lists-archives.com

Re: [Samba] Kerberos fails in some cases




On Mon, 25 Mar 2019 20:33:44 -0300
Sergio Belkin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> El lun., 25 mar. 2019 a las 19:41, Sergio Belkin (<sebelk@xxxxxxxxx>)
> escribió:
> 
> > Hi folks,
> > I can use kerberos to create or delete user, eg:
> >
> > samba-tool user create test -k yes
> >
> > however, if I want to perform a backup it fails:
> >
> > samba-tool domain backup online --targetdir=/srv/backup
> > --server=192.168.50.40 -k yes
> > gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO
> > negTokenInit request
> > Failed to bind - LDAP client internal error:
> > NT_STATUS_INVALID_PARAMETER Failed to connect to
> > 'ldap://192.168.50.40' with backend 'ldap': LDAP client internal
> > error: NT_STATUS_INVALID_PARAMETER ERROR(ldb): uncaught exception -
> > LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > line 177, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > "/usr/lib/python2.7/dist-packages/samba/netcmd/domain_backup.py",
> > line 228, in run dns_backend='SAMBA_INTERNAL', targetdir=tmpdir)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1509,
> > in join_clone
> >     include_secrets=include_secrets)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1584,
> > in __init__
> >     dns_backend=dns_backend)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 98, in
> > __init__
> >     credentials=ctx.creds, lp=ctx.lp)
> >   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 64,
> > in __init__
> >     options=options)
> >   File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line
> > 115, in __init__
> >     self.connect(url, flags, options)
> >   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 79,
> > in connect
> >     options=options)
> >
> > What could be wrong?
> >
> > I use samba 4.9.3 on Debian (Van Belle repo)
> >
> > Thanks in advance!
> >
> > --
> > --
> > Sergio Belkin
> > LPIC-2 Certified - http://www.lpi.org
> >  
> 
> 
> I've found that is an error using IP address with kerberos, that's
> wrong, anyway, if I use hostname it prompts me for the password:
> 
> samba-tool domain backup online --targetdir=/srv/backup --server=
> samba4.example.com  -k yes -d3
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> resolve_lmhosts: Attempting lmhosts lookup for name
> samba4.example.com<0x20> Password for [EXAMPLE\root]:
> 
> Don't understand why it cannot resolv samba4.example.com, because it
> can outside of this command....
> 
> Please could you help me?
> 
> 

That isn't the problem ;-)
The problem is that you are not giving a domain user, so it is falling
back to the logged in user 'root' and this user cannot have a kerberos
ticket.
You need to 'kinit' as a domain user with the required rights,
'Administrator' for instance, then add '-U Administrator' to the
command.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba