Hello,

asking on samba@ without success ( https://lists.samba.org/archive/samba/2014-January/178043.html ). Hopefully it is OK to report this as documentation bug:

samba 4.1.4 on Debian

the samba-tool manpage says:

    ...
    -k KERBEROS|--kerberos=KERBEROS
        Use Kerberos
    ...

adding a dns record works as expected:

    root@samba:~# samba-tool dns add localhost example.com www CNAME web.example.com
    Password for [administrator@EXAMPLE.COM]:
    Record added successfully

Now trying to use the -k option:

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@EXAMPLE.COM

    Valid starting       Expires              Service principal
    16.01.2014 14:32:30  17.01.2014 00:32:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
            renew until 17.01.2014 14:32:26

    root@samba:~# samba-tool dns add localhost example.com www2 CNAME web.example.com -k
    Usage: samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>

    samba-tool dns add: error: -k option requires an argument

    root@samba:~# samba-tool dns add localhost example.com www2 CNAME web.example.com -k KERBEROS
    Usage: samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>

    samba-tool dns add: error: invalid -k option value: KERBEROS

    root@samba:~# samba-tool dns add localhost example.com www2 CNAME web.example.com -k yes
    Failed to setup SPNEGO negTokenInit request: NT_STATUS_INVALID_PARAMETER
    Failed to start GENSEC client mechanism (null): NT_STATUS_INVALID_PARAMETER
    Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:127.0.0.1[1024,sign] NT_STATUS_INVALID_PARAMETER
    ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received')
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 1056, in run
        dns_conn = dns_connect(server, self.lp, self.creds)
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 37, in dns_connect
        dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

Could the manpage describe what the -k option should be?

Thank you.
Tried '-k yes' and '--kerberos=yes' (without quotes, of course) as suggested at https://lists.samba.org/archive/samba/2014-January/178268.html and http://www.eenyhelp.com/answer/samba-samba-tool-kerberos-help-215840236.html. It fails with the following:

    # samba-tool dns add localhost $(hostname -d) example a 192.168.0.1 --kerberos=yes
    Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for ncacn_ip_tcp:127.0.0.1[1024,sign,abstract_syntax=50abc2a4-574d-40b3-9d66-ee4fd5fba076/0x00000005,localaddress=127.0.0.1] NT_STATUS_INVALID_PARAMETER
    ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received')
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 1062, in run
        dns_conn = dns_connect(server, self.lp, self.creds)
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 40, in dns_connect
        dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

(`kinit` was invoked OK right before).

If I give an actual DNS name of the server instead of localhost, samba-tool keeps asking for password.

If I give '-U username%password', samba-tool works as expected with both localhost and a server name.

samba-tool from sernet-samba-ad-4.2.12-22.el7.x86_64
> root@samba:~# samba-tool dns add localhost example.com www2 CNAME web.example.com -k yes

That should have worked. Something other than the -k argument was wrong.

Now -k is deprecated, and the manpage says:

    --use-kerberos=desired|required|off
        This parameter determines whether Samba client tools will try to
        authenticate using Kerberos. For Kerberos authentication you need to
        use dns names instead of IP addresses when connecting to a service.

        Note that specifying this parameter here will override the client
        use kerberos parameter in the /usr/local/samba/etc/smb.conf file.

So we can call this bug as described fixed.

The wider bug, wherein samba-tool doesn't tell you WTF is going on, is an ongoing saga. Please reopen and change the title if you think you can succinctly characterise that.
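
Added example, not part of the bug thread and not Samba project code: a small shell pre-flight wrapper that checks the two conditions the quoted manpage text and the reports above touch on (a DNS name rather than an IP address as the server, and a valid ticket in the credential cache) before calling samba-tool with --use-kerberos=required, so a failure is reported up front instead of as NT_STATUS_INVALID_PARAMETER or a password prompt. The function names, the KLIST and SAMBA_TOOL override variables and the host dc1.example.com are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (illustrative names, not Samba code).

# Return 0 if $1 is an IPv4 or IPv6 literal, 1 if it looks like a name.
is_ip_literal() {
    case "$1" in
        *:*)          return 0 ;;  # a colon only appears in IPv6 literals
        ''|*[!0-9.]*) return 1 ;;  # empty, or has characters other than digits/dots
        *.*.*.*)      return 0 ;;  # digits and dots only, at least three dots
        *)            return 1 ;;
    esac
}

# Check the Kerberos preconditions for talking to server $1.
# Exit status: 0 ok, 2 server is an IP address, 3 no valid ticket.
kerberos_preflight() {
    server=$1
    if is_ip_literal "$server"; then
        echo "preflight: '$server' is an IP address; Kerberos needs a DNS name" >&2
        return 2
    fi
    # 'klist -s' prints nothing and reports through its exit status whether
    # the cache holds a valid ticket. KLIST is a hypothetical override hook.
    if ! "${KLIST:-klist}" -s 2>/dev/null; then
        echo "preflight: no valid ticket in the credential cache; run kinit first" >&2
        return 3
    fi
    return 0
}

# usage: samba_tool_krb <command> <subcommand> <server> [args...]
# 'required' makes samba-tool fail rather than fall back to asking for a
# password. SAMBA_TOOL is a hypothetical override hook.
samba_tool_krb() {
    kerberos_preflight "$3" || return $?
    "${SAMBA_TOOL:-samba-tool}" "$@" --use-kerberos=required
}
```

After sourcing the file, a call such as `samba_tool_krb dns add dc1.example.com example.com www2 CNAME web.example.com` (constructed host name) runs the checks first and only then invokes samba-tool.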