Jean-François Morcillo
2015-Feb-02 09:04 UTC
[Samba] Searching samba ldap without authentication
Hello,

I'm writing a set of python scripts that need to consult the samba ldap database without authentication.
I've set up 2 machines, the first as PDC, the second as BDC.
I run my scripts on both and while they run fine on the PDC they end with an error on the BDC.
Here is the minimal example that behaves this way:

import ldap

# python-ldap: the ldapi URI carries the unix socket path with every '/' percent-encoded
LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"

l = ldap.initialize(LDAP_URI, trace_level=1)
# no bind is sent before the search
entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
print(entries)

it ends with:

ldap.OPERATIONS_ERROR: {'info': '00002020: Operation unavailable without authentication', 'desc': 'Operations error'}

What is very disturbing is that the equivalent using the ldapsearch command works well:

ldapsearch -x -H ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b dc=mon,dc=dom

I've straced all commands (I could provide the log if required); basically here is what they showed:
- There is nearly no difference (nothing significant) between the traces of the scripts on the PDC and the BDC.
- The diff between the trace of the script and the trace of the command line tool shows this:
  - on both sides:
    connect(3, {sa_family=AF_LOCAL, sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
  - then later, only in the script trace:
    connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.100.2")}, 16) = 0

So the reason for the script to end with an error is that it tries to connect to the PDC while the command line tool does not do this.
The question is why do they behave differently and, most important, how to make my script work?
I've been stuck with this for more than two days so I would really appreciate help.

Regards,
-- 
Jean-François
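An added example, not code from the thread, from python-ldap or from Samba: one concrete difference between the two commands above is that `ldapsearch -x` sends an anonymous simple bind before the search, whereas the posted script sends no bind at all before `search_s`. The block below builds the ldapi URI from the socket path (so the `%2f` encoding is not hand-typed), performs that explicit anonymous bind, and splits Samba's diagnostic string (`00002020: ...`) into its numeric code and message so a monitoring script can log it. The socket path and base DN are taken from the post; the attribute list and the helper names are my own assumptions, and python-ldap is imported lazily so the pure helpers run without it.

```python
"""Added example (not from the thread): query a Samba AD DC over its privileged
ldapi socket the way `ldapsearch -x` does, i.e. with an explicit anonymous
simple bind, and surface Samba's diagnostic string when the server refuses."""
from typing import List, Tuple
from urllib.parse import quote, unquote

# Values taken from the post; they are assumptions for any other deployment.
SAMBA_PRIV_SOCKET = "/var/lib/samba/private/ldap_priv/ldapi"
BASE_DN = "dc=mon,dc=dom"


def ldapi_uri(socket_path: str) -> str:
    """Build an ldapi:// URI: every '/' of the socket path must be percent-encoded.
    The post writes %2f, ldapsearch was given %2F; both decode to the same path."""
    return "ldapi://" + quote(socket_path, safe="")


def socket_path_from_uri(uri: str) -> str:
    """Inverse of ldapi_uri: recover the socket a script really connects to."""
    scheme, sep, encoded = uri.partition("://")
    if scheme != "ldapi" or not sep:
        raise ValueError(f"not an ldapi URI: {uri!r}")
    return unquote(encoded)


def parse_samba_diag(info: str) -> Tuple[int, str]:
    """Split a Samba diagnostic such as
    '00002020: Operation unavailable without authentication' into the numeric
    code carried in the leading eight hex digits and the human-readable message."""
    code_hex, sep, message = info.partition(":")
    if not sep or len(code_hex) != 8:
        raise ValueError(f"unexpected diagnostic format: {info!r}")
    return int(code_hex, 16), message.strip()


def search_anonymous(uri: str, base: str,
                     attrs: Tuple[str, ...] = ("objectClass", "sAMAccountName")) -> List[tuple]:
    """Search like `ldapsearch -x`: LDAPv3, an explicit anonymous simple bind,
    then a subtree search. On refusal, raise with the parsed Samba diagnostic."""
    import ldap  # python-ldap; imported here so the helpers above run without it

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
    try:
        # Anonymous simple bind: what ldapsearch -x sends when no -D is given.
        conn.simple_bind_s("", "")
        return conn.search_s(base, ldap.SCOPE_SUBTREE, "(objectClass=*)", list(attrs))
    except ldap.LDAPError as exc:
        detail = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
        try:
            code, message = parse_samba_diag(detail.get("info", ""))
        except ValueError:
            raise exc  # no Samba-style diagnostic attached; keep the original error
        raise RuntimeError(f"{detail.get('desc')} (0x{code:08x}): {message}") from exc
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    for dn, attributes in search_anonymous(ldapi_uri(SAMBA_PRIV_SOCKET), BASE_DN):
        print(dn, attributes)
```

Run it as root on the DC itself (the privileged socket is only reachable locally). If the server still answers with `00002020`, the refusal is not about the missing bind and the strace diff in the post is the next place to look.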
On 02/02/15 09:04, Jean-François Morcillo wrote:
> Hello,
> 
> I'm writing a set of python scripts that need to consult the samba ldap
> database without authentication.
> I've set up 2 machines, the first as PDC, the second as BDC.
> I run my scripts on both and while they run fine on the PDC they end
> with an error on the BDC.
> Here is the minimal example that behaves this way:
> 
> import ldap
> LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"
> 
> l = ldap.initialize(LDAP_URI, trace_level=1)
> entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
> print(entries)
> 
> it ends with: ldap.OPERATIONS_ERROR: {'info': '00002020: Operation
> unavailable without authentication', 'desc': 'Operations error'}
> 
> What is very disturbing is that the equivalent using the ldapsearch
> command works well (ldapsearch -x -H
> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
> dc=mon,dc=dom).
> 
> I've straced all commands (I could provide the log if required);
> basically here is what they showed:
> - There is nearly no difference (nothing significant) between the traces
>   of the scripts on the PDC and the BDC.
> - The diff between the trace of the script and the trace of the command
>   line tool shows this:
>   - on both sides: connect(3, {sa_family=AF_LOCAL,
>     sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
>   - then later, only in the script trace: connect(4,
>     {sa_family=AF_INET, sin_port=htons(53),
>     sin_addr=inet_addr("192.168.100.2")}, 16) = 0
> 
> So the reason for the script to end with an error is that it tries to
> connect to the PDC while the command line tool does not do this.
> The question is why do they behave differently and, most important, how to
> make my script work?
> I've been stuck with this for more than two days so I would really
> appreciate help.
> 
> Regards,

Hi, just what are you trying to do? Why use ldapi?

If you use 'ldbsearch -H /var/lib/samba/private/sam.ldb', you will get most of the AD objects, but this will only work on the DC; you will need to authenticate if you try it from another computer.

Also, you do not have a 'PDC' and a 'BDC', you just have 2 'DC's'.

Rowland
Jean-François Morcillo
2015-Feb-02 11:01 UTC
[Samba] Searching samba ldap without authentication
On 02/02/2015 10:59, Rowland Penny wrote:
> On 02/02/15 09:04, Jean-François Morcillo wrote:
>> Hello,
>> 
>> I'm writing a set of python scripts that need to consult the samba ldap
>> database without authentication.
>> I've set up 2 machines, the first as PDC, the second as BDC.
>> I run my scripts on both and while they run fine on the PDC they end
>> with an error on the BDC.
>> Here is the minimal example that behaves this way:
>> 
>> import ldap
>> LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"
>> 
>> l = ldap.initialize(LDAP_URI, trace_level=1)
>> entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
>> print(entries)
>> 
>> it ends with: ldap.OPERATIONS_ERROR: {'info': '00002020: Operation
>> unavailable without authentication', 'desc': 'Operations error'}
>> 
>> What is very disturbing is that the equivalent using the ldapsearch
>> command works well (ldapsearch -x -H
>> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
>> dc=mon,dc=dom).
>> 
>> I've straced all commands (I could provide the log if required);
>> basically here is what they showed:
>> - There is nearly no difference (nothing significant) between the traces
>>   of the scripts on the PDC and the BDC.
>> - The diff between the trace of the script and the trace of the command
>>   line tool shows this:
>>   - on both sides: connect(3, {sa_family=AF_LOCAL,
>>     sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
>>   - then later, only in the script trace: connect(4,
>>     {sa_family=AF_INET, sin_port=htons(53),
>>     sin_addr=inet_addr("192.168.100.2")}, 16) = 0
>> 
>> So the reason for the script to end with an error is that it tries to
>> connect to the PDC while the command line tool does not do this.
>> The question is why do they behave differently and, most important, how to
>> make my script work?
>> I've been stuck with this for more than two days so I would really
>> appreciate help.
>> 
>> Regards,
>> 
> 
> Hi, just what are you trying to do? Why use ldapi?

I need to monitor the db and sometimes write to it.

> 
> If you use 'ldbsearch -H /var/lib/samba/private/sam.ldb', you will
> get most of the AD objects, but this will only work on the DC; you
> will need to authenticate if you try it from another computer.

My scripts are run locally, I don't need to interact with another computer.
I think I can't use /var/lib/samba/private/sam.ldb; as far as I understand I won't be able to modify, for example, the properties of users.

> 
> Also, you do not have a 'PDC' and a 'BDC', you just have 2 'DC's'.

Why do you say I don't have a 'PDC' and a 'BDC'? Do you mean I have misconfigured them or that the distinction is useless?
In the first case I would say: I've set up the PDC using 'samba-tool domain provision <params>' and I've set up the BDC using 'samba-tool domain join <params>'.
In the second case I would say that this is the sole difference I see that could explain the different behaviour; that's why I talked about it.

> 
> Rowland
> 
-- 
Jean-François