The samba-tool normally succeeds and produces good output, but when the output is piped into another tool it generates an error. I have tested this with a couple of samba-tool commands, and with both 'grep' and 'less' as the target of the output.

# samba-tool dns query ad.example.com ad.example.com @ ALL -U Administrator |grep -i samba
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:ad.example.com[49171,sign] NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, 'Logon failure')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 984, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 37, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

# samba-tool dns serverinfo ad.example.com -U Administrator|less
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:ad.example.com[49171,sign] NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, 'Logon failure')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 703, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 37, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

Note that if the output is not piped, there is good output and no exit error status.

# samba-tool dns serverinfo ad.example.com -U Administrator
Password for [IGIAD\Administrator]:
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
dwVersion : 0x1db10106
fBootMethod : DNS_BOOT_METHOD_DIRECTORY
fAdminConfigured : TRUE
fAllowUpdate : TRUE
fDsAvailable : TRUE
pszServerName : AD.ad.example.com
pszDsContainer : cn=MicrosoftDNS,cn=System,DC=ad,DC=example,DC=com
aipServerAddrs : ['00:00:fe80:00:00:00:787f:3aab (53)', '192.XX.XXX.77 (53)']
aipListenAddrs : []
aipForwarders : ['192.XX.XXX.41 (53)']
dwLogLevel : 0
dwDebugLevel : 0
dwForwardTimeout : 3
dwRpcPrototol : 0x5
dwNameCheckFlag : DNS_ALLOW_MULTIBYTE_NAMES
cAddressAnswerLimit : 0
dwRecursionRetry : 3
dwRecursionTimeout : 8
dwMaxCacheTtl : 86400
dwDsPollingInterval : 180
dwScavengingInterval : 168
dwDefaultRefreshInterval : 168
dwDefaultNoRefreshInterval : 168
fAutoReverseZones : TRUE
fAutoCacheUpdate : FALSE
fRecurseAfterForwarding : FALSE
fForwardDelegations : FALSE
fNoRecursion : FALSE
fSecureResponses : TRUE
fRoundRobin : TRUE
fLocalNetPriority : TRUE
fBindSecondaries : FALSE
fWriteAuthorityNs : FALSE
fStrictFileParsing : FALSE
fLooseWildcarding : FALSE
fDefaultAgingState : FALSE
dwRpcStructureVersion : 0x2
aipLogFilter : []
pwszLogFilePath :
pszDomainName : ad.example.com
pszForestName : ad.example.com
pszDomainDirectoryPartition : DomainDnsZones.ad.example.com
pszForestDirectoryPartition : ForestDnsZones.ad.example.com
dwLocalNetPriorityNetMask : 0x0
dwLastScavengeTime : 0
dwEventLogLevel : 4
dwLogFileMaxSize : 500000000
dwDsForestVersion : 0
dwDsDomainVersion : 4
dwDsDsaVersion : 0
fReadOnlyDC : FALSE
# echo $?
0

This is on Ubuntu 14.04 prerelease.

# dpkg -l|grep samba
ii python-samba 2:4.1.6+dfsg-1ubuntu1 amd64
ii samba 2:4.1.6+dfsg-1ubuntu1 amd64
ii samba-common 2:4.1.6+dfsg-1ubuntu1 all
ii samba-common-bin 2:4.1.6+dfsg-1ubuntu1 amd64
ii samba-dsdb-modules 2:4.1.6+dfsg-1ubuntu1 amd64
ii samba-libs:amd64 2:4.1.6+dfsg-1ubuntu1 amd64
ii samba-vfs-modules 2:4.1.6+dfsg-1ubuntu1 amd64

Closing this bug report: it is not a bug, it is a configuration error by the reporter. They should have added '--password=administrators_password' before the pipe.
I also hit this problem a few times; sometimes it's just not an option to pass a plaintext password on the cmdline! The behavior also differs compared to tools written in C. I think we should fix this and make things compatible.
Since it was already reopened: yes, it's a bug; no, it's not.

My results on 4.12.5:

man samba-tool is unclear on how to use -k or --kerberos, resulting in more people using -U Administrator, which expects a password and makes the pipe fail. In my opinion this is a bug.

The workaround with kerberos works fine, only this is a bad example of how to use kerberos with samba-tool:

-k KERBEROS|--kerberos=KERBEROS
    Use Kerberos

Who could guess it's just -kyes or --kerberos=yes? Took me some time; this can be better phrased:

Use kerberos auth (default: no)
-k yes|--kerberos=yes

That simple change in the manual helps a lot. And using it like that:

samba-tool dns query dc1 internal.domain.tld @ all -kyes |grep something

Works as expected.

After a kdestroy the output isn't nice again.

samba-tool dns query dc1 internal.domain.tld @ all -k yes|grep something
cli_credentials_failed_kerberos_login: krb5_cc_get_principal failed: No such file or directory
Failed to bind to uuid 30cba4a2-372d-10c5-a53d-ee4fd5fba076 for ncacn_ip_tcp:192.168.0.11[49153,sign,target_hostname=dc1,abstract_syntax=30cba4a2-372d-10c5-a53d-ee4fd5fba076/0x00000005,localaddress=192.168.0.11] NT_STATUS_UNSUCCESSFUL
ERROR: Connecting to DNS RPC server dc1 failed with (3221225473, '{Operation Failed} The requested operation was unsuccessful.')

And closing it again: it is not a bug, it is a lack of authentication. If you do not want to add the password before the pipe (the lack of which is causing the problem), then run kinit as root, replace '-U Administrator' with '-k yes' and it will work.
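
The kinit / '-k yes' workaround from the last two comments, as an added example that is not part of the original thread or of Samba: a small wrapper that checks for a valid ticket before starting samba-tool in a pipeline, so a missing ticket gives one clear message instead of the bind failure shown after kdestroy. The function name samba_tool_krb and the KLIST and SAMBA_TOOL override variables are hypothetical.

```shell
# Added example. KLIST and SAMBA_TOOL are hypothetical override variables
# so the wrapper can be exercised without a domain controller.
KLIST=${KLIST:-klist}
SAMBA_TOOL=${SAMBA_TOOL:-samba-tool}

# Run samba-tool with Kerberos authentication so that no password is
# needed on the command line and the output can be piped.
# Refuses to start when no valid ticket is cached, instead of failing
# later with a bind error in the middle of the pipeline.
samba_tool_krb() {
    # 'klist -s' prints nothing and exits non-zero when the credentials
    # cache is missing or holds no valid ticket (for example after kdestroy).
    if ! "$KLIST" -s; then
        echo "samba_tool_krb: no valid Kerberos ticket; run kinit first" >&2
        return 1
    fi
    # '-k yes' is the spelling the thread found to work.
    "$SAMBA_TOOL" "$@" -k yes
}

# Typical use after 'kinit Administrator' (host and zone names as in the thread):
#   samba_tool_krb dns query dc1 internal.domain.tld @ all | grep something
```

In a pipeline the shell reports the exit status of the last command, so under bash add 'set -o pipefail' if a script needs to see the wrapper's failure.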