I use "net ads" often to get some information against a 2003 AD. I use Kerberos mainly for such operations. With the 3.3 release, there are some warnings which come up, because the code thinks it is running as root, but in some situations, for example as a user with an admin ticket, or when no tickets are present, this isn't the case:

$ LC_ALL=C net ads info
[2009/04/08 12:02:06, 0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(914)
  create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/cache/samba/smb_tmp_krb5.FBpr5C. Errno Permission denied
[2009/04/08 12:02:06, 0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(914)
  create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/cache/samba/smb_tmp_krb5.mWR6b1. Errno Permission denied
LDAP server: 130.......

If I add a sticky bit on /var/cache/samba to allow the creation of the temporary file:

$ LC_ALL=C net ads info
[2009/04/08 12:03:15, 0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(950)
  create_local_private_krb5_conf_for_domain: rename of /var/cache/samba/smb_tmp_krb5.5TA6ut to /var/cache/samba/smb_krb5/krb5.conf.DPTINFO failed. Errno Operation not permitted
[2009/04/08 12:03:15, 0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(950)
  create_local_private_krb5_conf_for_domain: rename of /var/cache/samba/smb_tmp_krb5.NN4Peh to /var/cache/samba/smb_krb5/krb5.conf.DPTINFO failed. Errno Operation not permitted
LDAP server: 130....

/var/cache/samba/smb_krb5/krb5.conf.DPTINFO belongs to root (and the content is up to date).

Same issue here. Is a workaround or fix for this known?

$ net user add test
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.pTujCV. Errno Permission denied
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.Csqnrk. Errno Permission denied
Could not add user test: No such object

(In reply to devurandom from comment #1)
> Could not add user test: No such object

This line was a mistake of mine. The rest is still valid.

I think users without permission to write to the krb5.conf directory should really just not run net ads commands that generate krb5.conf files.