Bug 10539 - samba-tool fails with NT_STATUS_LOGON_FAILURE when output is piped
Summary: samba-tool fails with NT_STATUS_LOGON_FAILURE when output is piped
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools (show other bugs)
Version: 4.12.3
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-04 20:27 UTC by Carl Soderstrom
Modified: 2020-08-04 14:57 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Carl Soderstrom 2014-04-04 20:27:25 UTC
The samba-tool normally succeeds and produces good output, but when the output is piped into another tool it generates an error. I have tested this with a couple of samba-tool commands, and with both 'grep' and 'less' as the target of the output.

 
# samba-tool dns query ad.example.com ad.example.com @ ALL -U Administrator |grep -i samba
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:ad.example.com[49171,sign] NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, 'Logon failure')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 984, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 37, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)

# samba-tool dns serverinfo ad.example.com -U Administrator|less
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Failed to bind to uuid 50abc2a4-574d-40b3-9d66-ee4fd5fba076 for 50abc2a4-574d-40b3-9d66-ee4fd5fba076@ncacn_ip_tcp:ad.example.com[49171,sign] NT_STATUS_LOGON_FAILURE
ERROR(runtime): uncaught exception - (-1073741715, 'Logon failure')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 703, in run
    dns_conn = dns_connect(server, self.lp, self.creds)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 37, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)


Note that if the output is not piped, there is good output and no exit error status.

# samba-tool dns serverinfo ad.example.com -U Administrator
Password for [IGIAD\Administrator]:
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
  dwVersion                   : 0x1db10106
  fBootMethod                 : DNS_BOOT_METHOD_DIRECTORY
  fAdminConfigured            : TRUE
  fAllowUpdate                : TRUE
  fDsAvailable                : TRUE
  pszServerName               : AD.ad.example.com
  pszDsContainer              : cn=MicrosoftDNS,cn=System,DC=ad,DC=example,DC=com
  aipServerAddrs              : ['00:00:fe80:00:00:00:787f:3aab (53)', '192.XX.XXX.77 (53)']
  aipListenAddrs              : []
  aipForwarders               : ['192.XX.XXX.41 (53)']
  dwLogLevel                  : 0
  dwDebugLevel                : 0
  dwForwardTimeout            : 3
  dwRpcPrototol               : 0x5
  dwNameCheckFlag             : DNS_ALLOW_MULTIBYTE_NAMES
  cAddressAnswerLimit         : 0
  dwRecursionRetry            : 3
  dwRecursionTimeout          : 8
  dwMaxCacheTtl               : 86400
  dwDsPollingInterval         : 180
  dwScavengingInterval        : 168
  dwDefaultRefreshInterval    : 168
  dwDefaultNoRefreshInterval  : 168
  fAutoReverseZones           : TRUE
  fAutoCacheUpdate            : FALSE
  fRecurseAfterForwarding     : FALSE
  fForwardDelegations         : FALSE
  fNoRecursion                : FALSE
  fSecureResponses            : TRUE
  fRoundRobin                 : TRUE
  fLocalNetPriority           : TRUE
  fBindSecondaries            : FALSE
  fWriteAuthorityNs           : FALSE
  fStrictFileParsing          : FALSE
  fLooseWildcarding           : FALSE
  fDefaultAgingState          : FALSE
  dwRpcStructureVersion       : 0x2
  aipLogFilter                : []
  pwszLogFilePath             : 
  pszDomainName               : ad.example.com
  pszForestName               : ad.example.com
  pszDomainDirectoryPartition : DomainDnsZones.ad.example.com
  pszForestDirectoryPartition : ForestDnsZones.ad.example.com
  dwLocalNetPriorityNetMask   : 0x0
  dwLastScavengeTime          : 0
  dwEventLogLevel             : 4
  dwLogFileMaxSize            : 500000000
  dwDsForestVersion           : 0
  dwDsDomainVersion           : 4
  dwDsDsaVersion              : 0
  fReadOnlyDC                 : FALSE
# echo $?
0


This is on Ubuntu 14.04 prerelease.

# dpkg -l|grep samba
ii  python-samba                                          2:4.1.6+dfsg-1ubuntu1                               amd64        
ii  samba                                                 2:4.1.6+dfsg-1ubuntu1                               amd64        
ii  samba-common                                          2:4.1.6+dfsg-1ubuntu1                               all          
ii  samba-common-bin                                      2:4.1.6+dfsg-1ubuntu1                               amd64        
ii  samba-dsdb-modules                                    2:4.1.6+dfsg-1ubuntu1                               amd64        
ii  samba-libs:amd64                                      2:4.1.6+dfsg-1ubuntu1                               amd64        
ii  samba-vfs-modules                                     2:4.1.6+dfsg-1ubuntu1                               amd64
Comment 1 Rowland Penny 2020-05-14 12:30:36 UTC
Closing this bug report, it is not a bug, it is a configuration error by the reporter, they should have added '--password=administrators_password' before the pipe.
Comment 2 Stefan Metzmacher 2020-05-19 13:32:37 UTC
I also hit this problem a few time, sometimes it's just no option
to pass a plaintext password on the cmdline!

The behavior also differs compared to tool written in C.
I think should fix and make things compatible.
Comment 3 Louis 2020-07-14 12:45:26 UTC
Since it was already reopend. 

yes its a bug, no its not. 

My results on 4.12.5


man samba-tool is unclear how to use -k or --kerberos resulting in more people using -U Administrator.. 

which expect a password and make the pipe fail, in my opinion this is a bug.

The workaround with kerberos works fine, only this is an bad example on howto use kerberos with samba-tool 
       -k KERBEROS|--kerberos=KERBEROS
           Use Kerberos

who could guess its just.. -kyes or --kerberos=yes
Took me some time, this can be better phrased. 
Use kerberos auth (default :no )
       -k yes|--kerberos=yes

That simple change in the manual helps a lot. 

And using it like that. 
samba-tool dns query dc1 internal.domain.tld @ all -kyes |grep something

Works as expected. 

After a kdestroy the output isnt nice again.
samba-tool dns query dc1 internal.domain.tld @ all -k yes|grep something

cli_credentials_failed_kerberos_login: krb5_cc_get_principal failed: No such file or directory
Failed to bind to uuid 30cba4a2-372d-10c5-a53d-ee4fd5fba076 for ncacn_ip_tcp:192.168.0.11[49153,sign,target_hostname=dc1,abstract_syntax=30cba4a2-372d-10c5-a53d-ee4fd5fba076/0x00000005,localaddress=192.168.0.11] NT_STATUS_UNSUCCESSFUL
ERROR: Connecting to DNS RPC server dc1 failed with (3221225473, '{Operation Failed} The requested operation was unsuccessful.')
Comment 4 Rowland Penny 2020-08-04 14:57:10 UTC
And closing it again, it is not a bug, it is a lack of authentication, if you do not want to add the password before the pipe (the lack of which is causing the problem), then run kinit as root, replace '-U Administrator' with '-k yes' and it will work.