Jonathon Reinhart
2019-Apr-07  04:41 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Thanks for the example, Rowland.

Does ldb work against remote servers as well? I thought it was only for local, file-based access.

In general, I just wanted to use my Samba AD as an environment to learn more about writing software against using LDAP. There are a few applications I'm planning to develop, and I'd like to use actual LDAP so they could be applicable to Samba or Microsoft AD servers.

I added some more information on the GitHub issue (https://github.com/python-ldap/python-ldap/issues/275); it looks like there is some sort of nasty race condition, because while the LDAP search usually fails, it will work if I start an asynchronous search without waiting on it.

I'm not sure if the problem lies in Samba's LDAP server, the python-gitlab library, or somewhere in between (possibly in the SASL or GSSAPI code). I'm still looking into it, but I wanted to see if anyone here had ever seen anything similar.

Thanks,
Jonathon Reinhart

On Sat, Apr 6, 2019, 08:56 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sat, 6 Apr 2019 04:52:38 -0400
> Jonathon Reinhart via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I'm writing in regards to this issue I opened on GitHub:
> > https://github.com/python-ldap/python-ldap/issues/275
> >
> > I am able to successfully use ldapsearch to query my Samba
> > 4.9.4-Debian DC:
> >
> > ldapsearch -LLL -Y GSSAPI -H ldap://samba-dc.ad.example.com -b "dc=ad,dc=example,dc=com" "(objectClass=user)" "sAMAccountName"
> >
> > However, when I try to use python-ldap I get this error:
> >
> > 00002020: Operation unavailable without authentication
> >
> > I've traced ldapsearch and python using ltrace, and both seem to be
> > making the same calls (ldap_sasl_interactive_bind_s and
> > ldap_search_ext) and passing the same parameters.
> >
> > This feels like a bug in python-ldap, but I've been tracing this for
> > hours and can't find anything which indicates that. I set my samba
> > "log level" to 10 and grabbed a snapshot right around this query, but
> > it's still 1.4M. In there, I do see this:
> >
> > ldb: ldb_trace_response: DONE
> > error: 1
> > msg: Operation unavailable without authentication
> >
> > Am I missing something? Am I barking up the wrong tree?
>
> It might help if you explain just what you are trying to do ;-)
>
> Samba generally uses 'ldb' to work with the AD database, for instance to
> list users:
>
> class cmd_user_list(Command):
>     """List all users."""
>
>     synopsis = "%prog [options]"
>
>     takes_options = [
>         Option("-H", "--URL", help="LDB URL for database or target server", type=str,
>                metavar="URL", dest="H"),
>     ]
>
>     takes_optiongroups = {
>         "sambaopts": options.SambaOptions,
>         "credopts": options.CredentialsOptions,
>         "versionopts": options.VersionOptions,
>     }
>
>     def run(self, sambaopts=None, credopts=None, versionopts=None, H=None):
>         lp = sambaopts.get_loadparm()
>         creds = credopts.get_credentials(lp, fallback_machine=True)
>
>         samdb = SamDB(url=H, session_info=system_session(),
>                       credentials=creds, lp=lp)
>
>         domain_dn = samdb.domain_dn()
>         res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
>                            expression=("(&(objectClass=user)(userAccountControl:%s:=%u))"
>                                        % (ldb.OID_COMPARATOR_AND,
>                                           dsdb.UF_NORMAL_ACCOUNT)),
>                            attrs=["samaccountname"])
>         if (len(res) == 0):
>             return
>
>         for msg in res:
>             self.outf.write("%s\n" % msg.get("samaccountname", idx=0))
>
> You may just be trying to reinvent the wheel ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2019-Apr-07  08:24 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
On Sun, 7 Apr 2019 00:41:23 -0400
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:

> Thanks for the example, Rowland.

Whilst it was an example, it was actual code lifted from Samba's user.py

If you run 'samba-tool user list' on a DC, it is the actual code that is run.

> Does ldb work against remote servers as well? I thought it was only
> for local, file-based access.

Yes it does work on the wire, you can use samba-tool with the '-H' or '--URL=url' options.

For instance 'sudo samba-tool user list -H ldap://dc4' run on a Unix domain member will list all users in AD.

> In general, I just wanted to use my Samba AD as an environment to
> learn more about writing software against using LDAP. There are a few
> applications I'm planning to develop, and I'd like to use actual LDAP
> so they could be applicable to Samba or Microsoft AD servers.

Can I suggest you examine the Samba source code, if you download the latest tarball:
https://download.samba.org/pub/samba/stable/samba-4.10.1.tar.gz

Extract and open it, you will find a directory called 'python'

> I added some more information on the GitHub issue (
> https://github.com/python-ldap/python-ldap/issues/275); it looks like
> there is some sort of nasty race condition, because while the LDAP
> search usually fails, it will work if I start an asynchronous search
> without waiting on it.
>
> I'm not sure if the problem lies in Samba's LDAP server, the
> python-gitlab library, or somewhere in between (possibly in the SASL
> or GSSAPI code). I'm still looking into it, but I wanted to see if
> anyone here had ever seen anything similar.

This is probably a python-ldap problem, but if you use ldbsearch etc, kerberos does work. The syntax is slightly different from ldapsearch, see 'ldbsearch --help' and:

https://wiki.samba.org/index.php/LDB

Rowland
Jonathon Reinhart
2019-Apr-07  17:45 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Interesting, I'm getting the same error using the LDB tools:
ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H ldap://localhost
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 533, in run
    attrs=["samaccountname"])
ONTHEFIVE\jreinhart-admin at samba-dc3:~$ ldbsearch -H ldap://localhost -b 'dc=ad,dc=onthefive,dc=com'
search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without authentication> <>
Prior to this, I did a fresh kdestroy / kinit.
It happens also on another Linux box. (Not yet "joined", but had a TGT for jreinhart-admin):
$ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
search error - 00002020: Operation unavailable without authentication
$ kinit Administrator at AD.ONTHEFIVE.COM
Password for Administrator at AD.ONTHEFIVE.COM:
$ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
search error - 00002020: Operation unavailable without authentication
For reference, here is my smb.conf:
# Global parameters
[global]
    dns forwarder = 10.0.1.1
    netbios name = SAMBA-DC3
    realm = AD.ONTHEFIVE.COM
    server role = active directory domain controller
    workgroup = ONTHEFIVE
    # Winbind settings
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    kerberos method = system keytab
    #log level = 10
[netlogon]
    path = /var/lib/samba/sysvol/ad.onthefive.com/scripts
    read only = No
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
On Sun, Apr 7, 2019 at 4:25 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 7 Apr 2019 00:41:23 -0400
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > Thanks for the example, Rowland.
>
> Whilst it was an example, it was actual code lifted from Samba's user.py
>
> If you run 'samba-tool user list' on a DC, it is the actual code that
> is run.
>
> >
> > Does ldb work against remote servers as well?  I thought it was only
> > for local, file-based access.
>
> Yes it does work on the wire, you can use samba-tool with the '-H' or
> '--URL=url' options.
>
> For instance 'sudo samba-tool user list -H ldap://dc4' run on a Unix
> domain member will list all users in AD.
>
> >
> > In general, I just wanted to use my Samba AD as an environment to
> > learn more about writing software against using LDAP. There are a few
> > applications I'm planning to develop, and I'd like to use actual LDAP
> > so they could be applicable to Samba or Microsoft AD servers.
>
> Can I suggest you examine the Samba source code, if you download the
> latest tarball:
> https://download.samba.org/pub/samba/stable/samba-4.10.1.tar.gz
>
> Extract and open it, you will find a directory called 'python'
>
> >
> > I added some more information on the GitHub issue (
> > https://github.com/python-ldap/python-ldap/issues/275); it looks like
> > there is some sort of nasty race condition, because while the LDAP
> > search usually fails, it will work if I start an asynchronous search
> > without waiting on it.
> >
> > I'm not sure if the problem lies in Samba's LDAP server, the
> > python-gitlab library, or somewhere in between (possibly in the SASL
> > or GSSAPI code). I'm still looking into it, but I wanted to see if
> > anyone here had ever seen anything similar.
>
> This is probably a python-ldap problem, but if you use ldbsearch etc,
> kerberos does work. The syntax is slightly different from ldapsearch,
> see 'ldbsearch --help' and:
>
> https://wiki.samba.org/index.php/LDB
>
> Rowland
>
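As an added example (not code from the thread, from python-ldap or from Samba): the step that neither the ltrace comparison nor the ldbsearch runs above checks is whether the GSSAPI bind actually produced an authenticated session before the search is issued. The script below does the sasl_interactive_bind_s, then issues the RFC 4532 "Who Am I?" extended operation (whoami_s in python-ldap) and only then searches; an empty authzId means the server still sees an anonymous session, and a 00002020 raised by the search is reported as an unauthenticated-session problem, which points at the Kerberos/SASL layer rather than at the query itself. The FakeLdapConn class, the EXAMPLE domain and the alice entry are constructed stand-ins so the logic runs offline; list_users is the live path and needs python-ldap plus a ticket from kinit.

```python
"""Bind to an AD LDAP server with SASL/GSSAPI, prove the session is authenticated,
then search.  Added example; not python-ldap's or Samba's own code."""

try:
    import ldap          # python-ldap; only needed by the live helper list_users()
    import ldap.sasl
except ImportError:      # not installed: the offline checks below still work
    ldap = None

# AD/Samba error code carried in the exception 'info' string seen in the thread.
ERR_NO_AUTH = "00002020"
SCOPE_SUBTREE = 2        # same value as ldap.SCOPE_SUBTREE


def error_info(exc):
    """python-ldap exceptions carry a dict in args[0] with 'desc' and 'info'."""
    if exc.args and isinstance(exc.args[0], dict):
        return exc.args[0].get("info") or exc.args[0].get("desc") or ""
    return str(exc)


def classify_failure(exc):
    """Map a failed search to a short diagnosis string."""
    if ERR_NO_AUTH in error_info(exc):
        return "unauthenticated-session"   # server treated the session as anonymous
    return "other"


def authenticated_search(conn, auth, base_dn, filterstr, attrs, scope=SCOPE_SUBTREE):
    """Bind with the given SASL mechanism, verify the identity, then search.

    Returns a dict with 'status' ('ok', 'anonymous-session',
    'unauthenticated-session' or 'other'), 'identity', 'entries' and 'detail'.
    """
    conn.sasl_interactive_bind_s("", auth)
    identity = conn.whoami_s()           # "" means the server sees an anonymous session
    if not identity:
        return {"status": "anonymous-session", "identity": "", "entries": [],
                "detail": "bind completed but Who Am I? returned an empty authzId"}
    try:
        entries = conn.search_s(base_dn, scope, filterstr, attrs)
    except Exception as exc:             # ldap.LDAPError in the live case
        return {"status": classify_failure(exc), "identity": identity,
                "entries": [], "detail": error_info(exc)}
    return {"status": "ok", "identity": identity, "entries": entries, "detail": ""}


def list_users(uri, base_dn):
    """Live helper: needs python-ldap and a valid Kerberos TGT (kinit)."""
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)   # AD sends referrals that would otherwise be chased
    return authenticated_search(conn, ldap.sasl.gssapi(), base_dn,
                                "(objectClass=user)", ["sAMAccountName"], ldap.SCOPE_SUBTREE)


class FakeLdapConn:
    """Constructed stand-in for ldap.LDAPObject: authenticated iff identity is non-empty."""

    def __init__(self, identity, entries=(), search_error=None):
        self.identity = identity
        self.entries = list(entries)
        self.search_error = search_error
        self.bound = False

    def sasl_interactive_bind_s(self, who, auth):
        self.bound = True                 # a bind can "succeed" yet leave the session anonymous

    def whoami_s(self):
        return self.identity if self.bound else ""

    def search_s(self, base_dn, scope, filterstr, attrs):
        if self.search_error is not None:
            raise self.search_error
        return [(dn, {a: v for a, v in attrib.items() if a in attrs})
                for dn, attrib in self.entries]


if __name__ == "__main__":
    import sys
    # e.g.: python3 this.py ldap://dc.example.com dc=example,dc=com   (placeholders)
    result = list_users(sys.argv[1], sys.argv[2])
    print(result["status"], result["identity"], result["detail"])
    for dn, attrib in result["entries"]:
        print(dn, attrib.get("sAMAccountName"))
```

If the status comes back as anonymous-session with a fresh ticket in the cache, the problem is in the bind (ticket, SPN or the SASL/GSSAPI negotiation), and comparing the bind's Who Am I? result between ldapsearch-style and python-ldap-style clients is quicker than diffing ltrace output of the search call.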