gjSSKrSSKJr SSKJrJr SSKJr SSK J r J r J r SSK Jr "SS\ 5rg) N) CommandErrorOption) Credentials)GetPasswordCommand gpg_decryptdecrypt_samba_gpg_help)samrc \rSrSrSrSr\R\R\R\RS.r \ "SS\ S9\ "S\ S S S S 9\ "S \SSSS9/rS/rSSjrSrg)cmd_user_get_kerberos_ticket"awGet a Kerberos Ticket Granting Ticket as a user This command gets a Kerberos TGT using the password for a user/computer account. The username specified on the command is the sAMAccountName. The username may also be specified using the --filter option. The command must be run from the root user id or another authorized user id. The '-H' or '--URL' option supports ldap:// for remote Group Managed Service accounts, and ldapi:// or tdb:// can be used to adjust the local path. tdb:// is used by default for a bare path. The --output-krb5-ccache option should point to a location for the credentials cache. The default is a FILE: type cache if no prefix is specified. The '--decrypt-samba-gpg' option triggers decryption of the Primary:SambaGPG buffer to get the password. Check with '--help' if this feature is available in your environment or not (the python-gpgme package is required). Please note that you might need to set the GNUPGHOME environment variable. If the decryption key has a passphrase you have to make sure that the GPG_AGENT_INFO environment variable has been set correctly and the passphrase is already known by the gpg-agent. Example1: samba-tool user get-kerberos-ticket TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache Example2: samba-tool user get-kerberos-ticket --filter='(samAccountName=TestUser3)' --output-krb5-ccache=FILE:/srv/service/krb5_ccache z.%prog (|--filter ) [options]) sambaopts versionoptscredoptshostoptsz--filterzBLDAP Filter to get Kerberos ticket for (must match single account))helptypez--output-krb5-ccachez;Location of Kerberos credentials cache to write ticket intoCCACHEoutput_krb5_ccache)rrmetavardestz--decrypt-samba-gpg store_trueFdecrypt_samba_gpg)ractiondefaultrz username?Nc UR5UlU(a[(d[[5eUcUc [S5eUcS[ R "U5-n/SQn U RUR5n URURSU S9n URXSU[ RU US9nUR5n[5n U R[USS55 U RU R!55 UR#S SS 9nUR#S SS 9nUbU R%U5 OUb7[&R("5n[+U5UlU R/U5 OVU R0R3S 5(d U R0R3S 5(a [S5e[S5eU R5U5 U R7X5 g)Nz4Either the username or '--filter' must be specified!z((&(objectClass=user)(sAMAccountName=%s)))virtualClearTextUTF16samAccountName unicodePwdF)url require_ldapicreds)basednfilterscopeattrsdecryptrrr)idxrzldap://zldaps://zNo password was available for this user. Only Group Managed Service accounts allow access to passwords over LDAP, you may need to access the sam.ldb directly on the Samba AD DC and export the file.z'No password was available for this user) get_loadparmlprrr ldb binary_encodeget_credentialsconnect_for_passwordsHget_account_attributes SCOPE_SUBTREEr set_usernamestr set_realmdomain_dns_namegetset_utf16_passwordr Passwordlisthash set_nt_hashr startswithguessget_named_ccache)selfusernamer/r$ attributesrrrrrrpassword_attrsr"samdbobjlp_ctxutf16_pwnt_passnt_hashs U/usr/lib/python3/dist-packages/samba/netcmd/user/readpasswords/get_kerberos_ticket.pyrun cmd_user_get_kerberos_ticket.runYs((* [[56 6 >h.UV V >?3CTCTU]C^_FR((1**xzzV[*\))%1517030A0A0>2C *E'')  3s#34Q789 --/07727:'',A'.    $ $X .  mmoG=GL   g &yy##I..%))2F2Fz2R2R"$yzz##LMM F v:)r*) NNNNNNNNNN)__name__ __module__ __qualname____firstlineno____doc__synopsisoptions SambaOptionsVersionOptionsCredentialsOptions HostOptionstakes_optiongroupsrr3r takes_options takes_argsrJ__static_attributes__rLrIr r "s B@H))--..''  z dkno%CQ&: < $*"E8K M MJ04/37;.21;rLr )r+ samba.getoptgetoptrS samba.netcmdrrsamba.credentialsrcommonrrr samba.dcerpcr r r\rLrIrcs1. -) h;#5h;rL