Jonathon Reinhart
2019-Apr-07 04:41 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Thanks for the example, Rowland. Does ldb work against remote servers as well? I thought it was only for local, file-based access.

In general, I just wanted to use my Samba AD as an environment to learn more about writing software against using LDAP. There are a few applications I'm planning to develop, and I'd like to use actual LDAP so they could be applicable to Samba or Microsoft AD servers.

I added some more information on the GitHub issue (https://github.com/python-ldap/python-ldap/issues/275); it looks like there is some sort of nasty race condition, because while the LDAP search usually fails, it will work if I start an asynchronous search without waiting on it.

I'm not sure if the problem lies in Samba's LDAP server, the python-gitlab library, or somewhere in between (possibly in the SASL or GSSAPI code). I'm still looking into it, but I wanted to see if anyone here had ever seen anything similar.

Thanks,
Jonathon Reinhart

On Sat, Apr 6, 2019, 08:56 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sat, 6 Apr 2019 04:52:38 -0400
> Jonathon Reinhart via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I'm writing in regards to this issue I opened on GitHub:
> > https://github.com/python-ldap/python-ldap/issues/275
> >
> > I am able to successfully use ldapsearch to query my Samba
> > 4.9.4-Debian DC:
> >
> > ldapsearch -LLL -Y GSSAPI -H ldap://samba-dc.ad.example.com -b
> > "dc=ad,dc=example,dc=com" "(objectClass=user)" "sAMAccountName"
> >
> > However, when I try to use python-ldap I get this error:
> >
> > 00002020: Operation unavailable without authentication
> >
> > I've traced ldapsearch and python using ltrace, and both seem to be
> > making the same calls (ldap_sasl_interactive_bind_s and
> > ldap_search_ext) and passing the same parameters.
> >
> > This feels like a bug in python-ldap, but I've been tracing this for
> > hours and can't find anything which indicates that. I set my samba
> > "log level" to 10 and grabbed a snapshot right around this query, but
> > it's still 1.4M. In there, I do see this:
> >
> > ldb: ldb_trace_response: DONE
> > error: 1
> > msg: Operation unavailable without authentication
> >
> > Am I missing something? Am I barking up the wrong tree?
>
> It might help if you explain just what you are trying to do ;-)
>
> Samba generally uses 'ldb' to work with the AD database, for instance to
> list users:
>
> class cmd_user_list(Command):
>     """List all users."""
>
>     synopsis = "%prog [options]"
>
>     takes_options = [
>         Option("-H", "--URL", help="LDB URL for database or target server", type=str,
>                metavar="URL", dest="H"),
>     ]
>
>     takes_optiongroups = {
>         "sambaopts": options.SambaOptions,
>         "credopts": options.CredentialsOptions,
>         "versionopts": options.VersionOptions,
>     }
>
>     def run(self, sambaopts=None, credopts=None, versionopts=None, H=None):
>         lp = sambaopts.get_loadparm()
>         creds = credopts.get_credentials(lp, fallback_machine=True)
>
>         samdb = SamDB(url=H, session_info=system_session(),
>                       credentials=creds, lp=lp)
>
>         domain_dn = samdb.domain_dn()
>         res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
>                            expression=("(&(objectClass=user)(userAccountControl:%s:=%u))"
>                                        % (ldb.OID_COMPARATOR_AND,
>                                           dsdb.UF_NORMAL_ACCOUNT)),
>                            attrs=["samaccountname"])
>         if (len(res) == 0):
>             return
>
>         for msg in res:
>             self.outf.write("%s\n" % msg.get("samaccountname", idx=0))
>
> You may just be trying to reinvent the wheel ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2019-Apr-07 08:24 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
On Sun, 7 Apr 2019 00:41:23 -0400
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:

> Thanks for the example, Rowland.

Whilst it was an example, it was actual code lifted from Samba's user.py.

If you run 'samba-tool user list' on a DC, it is the actual code that is run.

> Does ldb work against remote servers as well? I thought it was only
> for local, file-based access.

Yes, it does work on the wire; you can use samba-tool with the '-H' or '--URL=url' options.

For instance, 'sudo samba-tool user list -H ldap://dc4' run on a Unix domain member will list all users in AD.

> In general, I just wanted to use my Samba AD as an environment to
> learn more about writing software against using LDAP. There are a few
> applications I'm planning to develop, and I'd like to use actual LDAP
> so they could be applicable to Samba or Microsoft AD servers.

Can I suggest you examine the Samba source code? If you download the latest tarball:
https://download.samba.org/pub/samba/stable/samba-4.10.1.tar.gz

and extract and open it, you will find a directory called 'python'.

> I added some more information on the GitHub issue (
> https://github.com/python-ldap/python-ldap/issues/275); it looks like
> there is some sort of nasty race condition, because while the LDAP
> search usually fails, it will work if I start an asynchronous search
> without waiting on it.
>
> I'm not sure if the problem lies in Samba's LDAP server, the
> python-gitlab library, or somewhere in between (possibly in the SASL
> or GSSAPI code). I'm still looking into it, but I wanted to see if
> anyone here had ever seen anything similar.

This is probably a python-ldap problem, but if you use ldbsearch etc., Kerberos does work. The syntax is slightly different from ldapsearch; see 'ldbsearch --help' and:

https://wiki.samba.org/index.php/LDB

Rowland
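An added example, not code from this thread or from Samba's user.py: the "normal account" filter that samba-tool user list builds, written with the literal AD values behind ldb.OID_COMPARATOR_AND and dsdb.UF_NORMAL_ACCOUNT and evaluated locally against constructed entries, plus a guard for the plain python-ldap path that checks, through the LDAP "Who am I?" extended operation, that the SASL bind actually produced a non-anonymous session before any search is sent (an anonymous search is exactly what 00002020 rejects). The connection object, the sasl_auth argument, the sample entries and the names authenticated_search/NotAuthenticated/local_user_list are this example's own assumptions; whoami support on the DC is assumed.

```python
from typing import List

# Literal values behind the symbolic names used in samba-tool's user.py.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # ldb.OID_COMPARATOR_AND
UF_NORMAL_ACCOUNT = 0x0200                               # dsdb.UF_NORMAL_ACCOUNT
SCOPE_SUBTREE = 2                                        # ldap.SCOPE_SUBTREE

# Constructed sample entries in python-ldap's (dn, {attr: [bytes]}) shape.
SAMPLE_ENTRIES = [
    ("CN=alice,CN=Users,DC=ad,DC=example,DC=com", {"objectClass": [b"user"],
     "sAMAccountName": [b"alice"], "userAccountControl": [b"512"]}),  # NORMAL_ACCOUNT
    ("CN=bob,CN=Users,DC=ad,DC=example,DC=com", {"objectClass": [b"user"],
     "sAMAccountName": [b"bob"], "userAccountControl": [b"514"]}),    # NORMAL | DISABLED
    ("CN=PC1,CN=Computers,DC=ad,DC=example,DC=com", {"objectClass": [b"user", b"computer"],
     "sAMAccountName": [b"PC1$"], "userAccountControl": [b"4096"]}),  # WORKSTATION_TRUST
]

def normal_user_filter() -> str:
    """The filter 'samba-tool user list' sends: user objects whose
    userAccountControl has the NORMAL_ACCOUNT bit set (bit-AND matching rule)."""
    return "(&(objectClass=user)(userAccountControl:%s:=%u))" % (
        LDAP_MATCHING_RULE_BIT_AND, UF_NORMAL_ACCOUNT)

def bit_and_matches(uac: int, mask: int) -> bool:
    """Server-side semantics of the bit-AND rule: every bit of mask is set."""
    return (uac & mask) == mask

def local_user_list(entries) -> List[str]:
    """Apply the same filter locally to show what it selects: disabled users
    are still listed, computer accounts are not."""
    names = []
    for _dn, attrs in entries:
        uac = int(attrs["userAccountControl"][0])
        if b"user" in attrs["objectClass"] and bit_and_matches(uac, UF_NORMAL_ACCOUNT):
            names.append(attrs["sAMAccountName"][0].decode())
    return names

class NotAuthenticated(Exception):
    """The server still sees the session as anonymous after the bind."""

def authenticated_search(conn, sasl_auth, base_dn: str, attrs: List[str]):
    """Bind with SASL (e.g. ldap.sasl.gssapi()), confirm via RFC 4532 "Who am I?"
    (assumed supported by the DC) that the session is not anonymous, then search.
    conn needs python-ldap's sasl_interactive_bind_s/whoami_s/search_s (or a double)."""
    conn.sasl_interactive_bind_s("", sasl_auth)
    who = conn.whoami_s()  # "" means anonymous; AD reports e.g. "u:DOMAIN\\user"
    if not who:
        raise NotAuthenticated("bind returned but session is anonymous; "
                               "a search now would fail with 00002020")
    return conn.search_s(base_dn, SCOPE_SUBTREE, normal_user_filter(), attrs)
```

With a real connection, pass ldap.initialize(uri) as conn and ldap.sasl.gssapi() as sasl_auth after a kinit; the whoami check turns the silent anonymous-session case into an explicit error before the search goes out.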
Jonathon Reinhart
2019-Apr-07 17:45 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Interesting, I'm getting the same error using the LDB tools:

ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H ldap://localhost
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without authentication> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 533, in run
    attrs=["samaccountname"])

ONTHEFIVE\jreinhart-admin at samba-dc3:~$ ldbsearch -H ldap://localhost -b 'dc=ad,dc=onthefive,dc=com'
search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without authentication> <>

Prior to this, I did a fresh kdestroy / kinit.

It happens also on another Linux box. (Not yet "joined", but had a TGT for jreinhart-admin):

$ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
search error - 00002020: Operation unavailable without authentication
$ kinit Administrator@AD.ONTHEFIVE.COM
Password for Administrator@AD.ONTHEFIVE.COM:
$ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
search error - 00002020: Operation unavailable without authentication

For reference, here is my smb.conf:

# Global parameters
[global]
        dns forwarder = 10.0.1.1
        netbios name = SAMBA-DC3
        realm = AD.ONTHEFIVE.COM
        server role = active directory domain controller
        workgroup = ONTHEFIVE

        # Winbind settings
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        template homedir = /home/%D/%U
        kerberos method = system keytab

        #log level = 10

[netlogon]
        path = /var/lib/samba/sysvol/ad.onthefive.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

On Sun, Apr 7, 2019 at 4:25 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 7 Apr 2019 00:41:23 -0400
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > Thanks for the example, Rowland.
>
> Whilst it was an example, it was actual code lifted from Samba's user.py
>
> If you run 'samba-tool user list' on a DC, it is the actual code that
> is run.
>
> >
> > Does ldb work against remote servers as well? I thought it was only
> > for local, file-based access.
>
> Yes it does work on the wire, you can use samba-tool with the '-H' or
> '--URL=url' options.
>
> For instance 'sudo samba-tool user list -H ldap://dc4' run on a Unix
> domain member will list all users in AD.
>
> >
> > In general, I just wanted to use my Samba AD as an environment to
> > learn more about writing software against using LDAP. There are a few
> > applications I'm planning to develop, and I'd like to use actual LDAP
> > so they could be applicable to Samba or Microsoft AD servers.
>
> Can I suggest you examine the Samba source code, if you download the
> latest tarball:
> https://download.samba.org/pub/samba/stable/samba-4.10.1.tar.gz
>
> Extract and open it, you will find a directory called 'python'
>
> >
> > I added some more information on the GitHub issue (
> > https://github.com/python-ldap/python-ldap/issues/275); it looks like
> > there is some sort of nasty race condition, because while the LDAP
> > search usually fails, it will work if I start an asynchronous search
> > without waiting on it.
> >
> > I'm not sure if the problem lies in Samba's LDAP server, the
> > python-gitlab library, or somewhere in between (possibly in the SASL
> > or GSSAPI code). I'm still looking into it, but I wanted to see if
> > anyone here had ever seen anything similar.
>
> This is probably a python-ldap problem, but if you use ldbsearch etc,
> kerberos does work. The syntax is slightly different from ldapsearch,
> see 'ldbsearch --help' and:
>
> https://wiki.samba.org/index.php/LDB
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba