Jonathon Reinhart
2019-Apr-06 08:52 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Hello,

I'm writing in regards to this issue I opened on GitHub:
https://github.com/python-ldap/python-ldap/issues/275

I am able to successfully use ldapsearch to query my Samba 4.9.4-Debian DC:

    ldapsearch -LLL -Y GSSAPI -H ldap://samba-dc.ad.example.com -b "dc=ad,dc=example,dc=com" "(objectClass=user)" "sAMAccountName"

However, when I try to use python-ldap I get this error:

    00002020: Operation unavailable without authentication

I've traced ldapsearch and python using ltrace, and both seem to be making the same calls (ldap_sasl_interactive_bind_s and ldap_search_ext) and passing the same parameters.

This feels like a bug in python-ldap, but I've been tracing this for hours and can't find anything which indicates that. I set my samba "log level" to 10 and grabbed a snapshot right around this query, but it's still 1.4M. In there, I do see this:

    ldb: ldb_trace_response: DONE
     error: 1
     msg: Operation unavailable without authentication

Am I missing something? Am I barking up the wrong tree?

Thank you,
Jonathon
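One way to pull the failing responses out of a large "log level 10" capture like the one described in the message above. This is an added example, not part of the original post or of Samba. The sample log is constructed around the three lines quoted in the message, and pairing each response with the most recent request is an assumption.

```python
import re

# Constructed sample: only the three "ldb_trace_response" lines come from the
# message above; the request records and the second response are made up.
SAMPLE_LOG = """\
ldb: ldb_trace_request: SEARCH
 dn: dc=ad,dc=example,dc=com
 scope: sub
 expr: (objectClass=user)
ldb: ldb_trace_response: DONE
 error: 1
 msg: Operation unavailable without authentication
ldb: ldb_trace_request: SEARCH
 dn: <rootDSE>
 scope: base
ldb: ldb_trace_response: DONE
 error: 0
"""

HEADER = re.compile(r"ldb: ldb_trace_(request|response): (\S+)")
FIELD = re.compile(r"^\s*(\w+):\s*(.*)$")

def trace_records(lines):
    """Yield (line_no, kind, op, fields) for each ldb trace record."""
    rec = None
    for no, line in enumerate(lines, 1):
        head = HEADER.search(line)
        if head:                      # a new record starts here
            if rec:
                yield rec
            rec = (no, head.group(1), head.group(2), {})
        elif rec and FIELD.match(line):
            key, value = FIELD.match(line).groups()
            rec[3].setdefault(key, value.strip())
        elif rec:                     # unrelated log line ends the record
            yield rec
            rec = None
    if rec:
        yield rec

def failed_responses(lines):
    """Return responses with a non-zero error code, each paired with the
    most recent request seen before it (assumes requests do not interleave)."""
    failures, last_request = [], None
    for no, kind, op, fields in trace_records(lines):
        err = fields.get("error", "0")
        if kind == "request":
            last_request = (op, fields.get("dn"))
        elif err.isdigit() and int(err) != 0:
            failures.append({"line": no, "error": int(err),
                             "msg": fields.get("msg"), "request": last_request})
    return failures
```

Passing an open file object instead of `SAMPLE_LOG.splitlines()` streams the capture line by line, so the full 1.4M log does not need to be loaded at once.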
Rowland Penny
2019-Apr-06 12:55 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
On Sat, 6 Apr 2019 04:52:38 -0400 Jonathon Reinhart via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm writing in regards to this issue I opened on GitHub:
> https://github.com/python-ldap/python-ldap/issues/275
>
> I am able to successfully use ldapsearch to query my Samba
> 4.9.4-Debian DC:
>
> ldapsearch -LLL -Y GSSAPI -H ldap://samba-dc.ad.example.com -b
> "dc=ad,dc=example,dc=com" "(objectClass=user)" "sAMAccountName"
>
> However, when I try to use python-ldap I get this error:
>
> 00002020: Operation unavailable without authentication
>
> I've traced ldapsearch and python using ltrace, and both seem to be
> making the same calls (ldap_sasl_interactive_bind_s and
> ldap_search_ext) and passing the same parameters.
>
> This feels like a bug in python-ldap, but I've been tracing this for
> hours and can't find anything which indicates that. I set my samba
> "log level" to 10 and grabbed a snapshot right around this query, but
> it's still 1.4M. In there, I do see this:
>
> ldb: ldb_trace_response: DONE
> error: 1
> msg: Operation unavailable without authentication
>
> Am I missing something? Am I barking up the wrong tree?

It might help if you explain just what you are trying to do ;-)

Samba generally uses 'ldb' to work with the AD database, for instance to list users:

    # Imports this excerpt relies on (Samba's Python bindings).
    import ldb
    import samba.getopt as options
    from samba import dsdb
    from samba.auth import system_session
    from samba.netcmd import Command, Option
    from samba.samdb import SamDB

    class cmd_user_list(Command):
        """List all users."""

        synopsis = "%prog [options]"

        takes_options = [
            Option("-H", "--URL", help="LDB URL for database or target server",
                   type=str, metavar="URL", dest="H"),
        ]

        takes_optiongroups = {
            "sambaopts": options.SambaOptions,
            "credopts": options.CredentialsOptions,
            "versionopts": options.VersionOptions,
        }

        def run(self, sambaopts=None, credopts=None, versionopts=None, H=None):
            lp = sambaopts.get_loadparm()
            creds = credopts.get_credentials(lp, fallback_machine=True)

            # Open the database (or the server named by -H) with the given credentials.
            samdb = SamDB(url=H, session_info=system_session(),
                          credentials=creds, lp=lp)

            # Subtree search for normal user accounts; fetch only the account name.
            domain_dn = samdb.domain_dn()
            res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
                               expression=("(&(objectClass=user)(userAccountControl:%s:=%u))"
                                           % (ldb.OID_COMPARATOR_AND, dsdb.UF_NORMAL_ACCOUNT)),
                               attrs=["samaccountname"])
            if (len(res) == 0):
                return

            for msg in res:
                self.outf.write("%s\n" % msg.get("samaccountname", idx=0))

You may just be trying to reinvent the wheel ;-)

Rowland
Jonathon Reinhart
2019-Apr-07 04:41 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Thanks for the example, Rowland. Does ldb work against remote servers as well? I thought it was only for local, file-based access.

In general, I just wanted to use my Samba AD as an environment to learn more about writing software against LDAP. There are a few applications I'm planning to develop, and I'd like to use actual LDAP so they could be applicable to Samba or Microsoft AD servers.

I added some more information on the GitHub issue (https://github.com/python-ldap/python-ldap/issues/275); it looks like there is some sort of nasty race condition, because while the LDAP search usually fails, it will work if I start an asynchronous search without waiting on it.

I'm not sure if the problem lies in Samba's LDAP server, the python-gitlab library, or somewhere in between (possibly in the SASL or GSSAPI code). I'm still looking into it, but I wanted to see if anyone here had ever seen anything similar.

Thanks,
Jonathon Reinhart