Bug 10399 - samba-tool -k option requires an argument but which one:)
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.1.4
Hardware: All All
Importance: P5 minor
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-01-23 14:51 UTC by Noël Köthe
Modified: 2022-08-20 03:13 UTC

Description Noël Köthe 2014-01-23 14:51:40 UTC
Hello,

I asked on samba@ without success ( https://lists.samba.org/archive/samba/2014-January/178043.html ). Hopefully it is OK to report this as a documentation bug:

samba 4.1.4 on Debian

The samba-tool manpage says:
...
       -k KERBEROS|--kerberos=KERBEROS
           Use Kerberos
...

Adding a DNS record works as expected:
root@samba:~# samba-tool dns add localhost example.com www CNAME web.example.com 
Password for [administrator@EXAMPLE.COM]:
Record added successfully

Now trying to use the -k option:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM

Valid starting       Expires              Service principal
16.01.2014 14:32:30  17.01.2014 00:32:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 17.01.2014 14:32:26

root@samba:~# samba-tool dns add localhost example.com www2 CNAME web.example.com -k
Usage: samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>

samba-tool dns add: error: -k option requires an argument


root@samba:~# samba-tool dns add localhost example.com www2 CNAME web.example.com -k KERBEROS
Usage: samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>

samba-tool dns add: error: invalid -k option value: KERBEROS

root@samba:~# samba-tool dns add localhost example.com www2 CNAME web.example.com -k yes
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INVALID_PARAMETER
Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:127.0.0.1[1024,sign] NT_STATUS_INVALID_PARAMETER
ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 1056, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 37, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

Could the manpage describe what the -k option should be?

Thank you.
Comment 1 iamdexpl 2016-06-14 21:31:24 UTC
Tried '-k yes' and '--kerberos=yes' (without quotes, of course) as suggested at https://lists.samba.org/archive/samba/2014-January/178268.html and http://www.eenyhelp.com/answer/samba-samba-tool-kerberos-help-215840236.html. It fails with the following:


# samba-tool dns add localhost $(hostname -d) example a 192.168.0.1 --kerberos=yes
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:127.0.0.1[1024,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1] NT_STATUS_INVALID_PARAMETER
ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 1062, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 40, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

(`kinit` was invoked OK right before). If I give an actual DNS name of the server instead of localhost, samba-tool keeps asking for a password. If I give '-U username%password', samba-tool works as expected with both localhost and a server name.

samba-tool from sernet-samba-ad-4.2.12-22.el7.x86_64
Comment 2 Douglas Bagnall 2022-08-20 03:13:31 UTC
> root@samba:~# samba-tool dns add localhost example.com www2 CNAME web.example.com -k yes

That should have worked. Something other than the -k argument was wrong.

Now -k is deprecated, and the manpage says:

       --use-kerberos=desired|required|off

           This parameter determines whether Samba client tools will try to
           authenticate using Kerberos. For Kerberos authentication you need
           to use dns names instead of IP addresses when connecting to a
           service.

           Note that specifying this parameter here will override the client
           use kerberos parameter in the /usr/local/samba/etc/smb.conf file.


So we can call this bug as described fixed.

The wider bug, wherein samba-tool doesn't tell you WTF is going on, is an ongoing saga. Please reopen and change the title if you think you can succinctly characterise that.
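
The first two `-k` errors in the description are what Python's optparse produces for an option that takes a value but documents only an auto-derived placeholder. The sketch below is an added example, not Samba's code and not part of the thread: `demo-tool`, the function names and the rule that only `yes` is accepted are assumptions, while the `--use-kerberos` value list is the one quoted in comment 2.

```python
import optparse


class QuietParser(optparse.OptionParser):
    def error(self, msg):  # raise instead of printing usage and exiting
        raise ValueError(msg)


def _check_legacy(option, opt_str, value, parser):
    # Assumption for this sketch: only "yes" (confirmed in the thread) is valid.
    if value.lower() != "yes":
        raise optparse.OptionValueError(
            "invalid %s option value: %s" % (opt_str, value))
    setattr(parser.values, option.dest, value.lower())


def legacy_parser():
    # No metavar is given, so optparse derives the placeholder "KERBEROS"
    # from the option name; the help text cannot say which values are valid.
    p = QuietParser(prog="demo-tool")
    p.add_option("-k", "--kerberos", action="callback", type="string",
                 callback=_check_legacy, help="Use Kerberos")
    return p


def documented_parser():
    # Value list as quoted from the current manpage in comment 2.
    choices = ("desired", "required", "off")
    p = QuietParser(prog="demo-tool")
    p.add_option("--use-kerberos", dest="kerberos", type="choice",
                 choices=choices, metavar="|".join(choices),
                 help="whether to authenticate using Kerberos")
    return p


def outcome(parser, argv):
    """Return ("ok", value) or ("error", message) for one command line."""
    try:
        opts, _ = parser.parse_args(list(argv))
    except ValueError as exc:
        return ("error", str(exc))
    return ("ok", opts.kerberos)


if __name__ == "__main__":
    for argv in (["-k"], ["-k", "KERBEROS"], ["-k", "yes"]):
        print(argv, outcome(legacy_parser(), argv))
    print(outcome(documented_parser(), ["--use-kerberos=KERBEROS"]))
    print(documented_parser().format_option_help())
```

With the value list in both the metavar and the `choice` type, the rejection message itself names the accepted values, which the callback-style option cannot do.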