Jean-François Morcillo
2015-Feb-02  11:01 UTC
[Samba] Searching samba ldap without authentication
On 02/02/2015 10:59, Rowland Penny wrote:
> On 02/02/15 09:04, Jean-François Morcillo wrote:
>> Hello,
>>
>> I'm writing a set of python scripts that need to consult samba ldap
>> database without authentication.
>> I've set up 2 machines, the first as PDC, the second as BDC.
>> I run my scripts on both and while they run fine on the PDC they end
>> with error on the BDC.
>> Here is the minimal example that behaves this way:
>>
>> import ldap
>> LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"
>>
>> l = ldap.initialize(LDAP_URI, trace_level=1)
>> entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
>> print(entries)
>>
>> it ends with: ldap.OPERATIONS_ERROR: {'info': '00002020: Operation
>> unavailable without authentication', 'desc': 'Operations error'}
>>
>>
>> What is very disturbing is that the equivalent using the ldapsearch
>> command works well (ldapsearch -x -H
>> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
>> dc=mon,dc=dom).
>>
>> I've straced all commands (I could provide the log if required);
>> basically, here is what they showed:
>> - There is nearly no difference (nothing significant) between the traces
>> of the scripts on the PDC and the BDC.
>> - The diff between the trace of the script and the trace of the command
>> line tool shows this:
>> - on both sides: connect(3, {sa_family=AF_LOCAL,
>> sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
>> - then later, only in the script trace: connect(4,
>> {sa_family=AF_INET, sin_port=htons(53),
>> sin_addr=inet_addr("192.168.100.2")}, 16) = 0
>>
>> So the reason for the script to end with an error is that it tries to
>> connect to the PDC while the command line tool does not do this.
>> The question is why do they behave differently and, most important, how to
>> make my script work?
>> I've been stuck with this for more than two days so I would really
>> appreciate help.
>>
>> Regards,
>>
>
> Hi, just what are you trying to do? why use ldapi ?
I need to monitor the db and sometimes write to it.
>
> If you use 'ldbsearch -H /var/lib/samba/private/sam.ldb' , you will
> get most of the AD objects, but this will only work on the DC, you
> will need to authenticate if you try it from another computer.
My scripts are run locally, I don't need to interact with another computer.
I think I can't use /var/lib/samba/private/sam.ldb, as far as I
understand I won't be able to modify, for example, the properties of users.
>
> Also, you do not have a 'PDC' and a 'BDC', you just have 2 'DC's'
Why do you say I don't have a 'PDC' and a 'BDC'?
Do you mean I have misconfigured them or that the distinction is useless?
In the first case I would say: I've set up the PDC using the 'samba-tool
domain provision <params>' and I've set up the BDC using 'samba-tool
domain join <params>'.
In the second case I would say that this is the sole difference I see
that could explain the different behaviour; that's why I talked about it.
>
> Rowland
>
--
Jean-François
On 02/02/15 11:01, Jean-François Morcillo wrote:
> On 02/02/2015 10:59, Rowland Penny wrote:
>> On 02/02/15 09:04, Jean-François Morcillo wrote:
>>> Hello,
>>>
>>> I'm writing a set of python scripts that need to consult samba ldap
>>> database without authentication.
>>> I've set up 2 machines, the first as PDC, the second as BDC.
>>> I run my scripts on both and while they run fine on the PDC they end
>>> with error on the BDC.
>>> Here is the minimal example that behaves this way:
>>>
>>> import ldap
>>> LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"
>>>
>>> l = ldap.initialize(LDAP_URI, trace_level=1)
>>> entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
>>> print(entries)
>>>
>>> it ends with: ldap.OPERATIONS_ERROR: {'info': '00002020: Operation
>>> unavailable without authentication', 'desc': 'Operations error'}
>>>
>>>
>>> What is very disturbing is that the equivalent using the ldapsearch
>>> command works well (ldapsearch -x -H
>>> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
>>> dc=mon,dc=dom).
>>>
>>> I've straced all commands (I could provide the log if required);
>>> basically, here is what they showed:
>>> - There is nearly no difference (nothing significant) between the traces
>>> of the scripts on the PDC and the BDC.
>>> - The diff between the trace of the script and the trace of the command
>>> line tool shows this:
>>> - on both sides: connect(3, {sa_family=AF_LOCAL,
>>> sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
>>> - then later, only in the script trace: connect(4,
>>> {sa_family=AF_INET, sin_port=htons(53),
>>> sin_addr=inet_addr("192.168.100.2")}, 16) = 0
>>>
>>> So the reason for the script to end with an error is that it tries to
>>> connect to the PDC while the command line tool does not do this.
>>> The question is why do they behave differently and, most important, how to
>>> make my script work?
>>> I've been stuck with this for more than two days so I would really
>>> appreciate help.
>>>
>>> Regards,
>>>
>> Hi, just what are you trying to do? why use ldapi ?
> I need to monitor the db and sometimes write to it.
>
>> If you use 'ldbsearch -H /var/lib/samba/private/sam.ldb' , you will
>> get most of the AD objects, but this will only work on the DC, you
>> will need to authenticate if you try it from another computer.
> My scripts are run locally, I don't need to interact with another computer.
> I think I can't use /var/lib/samba/private/sam.ldb, as far as I
> understand I won't be able to modify, for example, the properties of users.

Well, seeing as all the user properties are stored in sam.ldb and
*everybody* else modifies this when needed, leads me to believe that
you need to go and do a lot more reading on samba4 in AD mode, the
samba wiki would be a good place to start.

From your email address, I have a sinking feeling that Mandriva has
arrived at the Samba4 party :-D

>
>> Also, you do not have a 'PDC' and a 'BDC', you just have 2 'DC's'
> Why do you say I don't have a 'PDC' and a 'BDC'?
> Do you mean I have misconfigured them or that the distinction is useless?
> In the first case I would say: I've set up the PDC using the 'samba-tool
> domain provision <params>' and I've set up the BDC using 'samba-tool
> domain join <params>'.
> In the second case I would say that this is the sole difference I see
> that could explain the different behaviour; that's why I talked about it.
>

OK,
PDC = NT4 style domain controller
BDC = NT4 style backup domain controller

Provisioning Samba4 with samba-tool = AD DC
joining Samba4 to another AD DC with samba-tool = another AD DC

Apart from the FSMO roles, *all* AD DC's are equal. Please do not
refer to your AD DC's as NT4 PDC's or NT4 BDC's, this will only lead
to confusion.

Rowland
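One way to do from Python what Rowland suggests above, as an added example that is not from the thread or from Samba's own code: it shells out to ldbsearch/ldbmodify against the local sam.ldb, parses their LDIF output and builds an LDIF modify record, base64-encoding values that LDIF cannot carry in clear text (RFC 2849 SAFE-STRING rules). Assumed: the script runs as root on the DC, ldbsearch accepts `-H <db> [expr] [attrs...]` and ldbmodify accepts `-H <db>` with LDIF on stdin; SAMPLE_LDBSEARCH is constructed, not captured from a real DC.

```python
"""Added example (not from the thread): read/modify a Samba AD DC's sam.ldb locally
via ldbsearch/ldbmodify as root, as Rowland suggests. CLI argument shape is assumed."""
import base64
import re
import subprocess

SAM_LDB = "/var/lib/samba/private/sam.ldb"   # local path quoted in the thread

def parse_ldif(text):
    """Parse ldbsearch LDIF: join folded lines, decode '::' base64, skip '#' lines."""
    entries, cur = [], None
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("dn:"):            # every record starts with its dn
            cur = {}
            entries.append(cur)
        m = re.match(r"([A-Za-z0-9;-]+)(::?) ?(.*)$", line)
        if cur is None or line.startswith("#") or not m:
            continue
        attr, sep, val = m.groups()
        if sep == "::":
            val = base64.b64decode(val).decode("utf-8")
        cur.setdefault(attr, []).append(val)
    return entries

def ldif_value(attr, value):
    """One LDIF line; base64 ('::') unless the value is an LDIF SAFE-STRING."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not value.endswith(" ") and "\n" not in value and "\r" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def modify_ldif(dn, attr, value):
    """LDIF 'changetype: modify' record that replaces one attribute."""
    return "\n".join([ldif_value("dn", dn), "changetype: modify",
                      f"replace: {attr}", ldif_value(attr, value), "-", ""])

def run_ldb(tool, *args, ldif=None):
    """Run ldbsearch/ldbmodify against the local sam.ldb; returns stdout text."""
    return subprocess.run([tool, "-H", SAM_LDB, *args], input=ldif, check=True,
                          capture_output=True, text=True).stdout

# Constructed ldbsearch output (not from a real DC) used to exercise parse_ldif.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=Alice Example,CN=Users,DC=mon,DC=dom
distinguishedName: CN=Alice Example,CN=Users,
 DC=mon,DC=dom
description:: SmVhbi1GcmFuw6dvaXM=
"""
```

On the DC, `parse_ldif(run_ldb("ldbsearch", "(objectClass=user)", "sAMAccountName"))` lists users and `run_ldb("ldbmodify", ldif=modify_ldif(dn, "description", "text"))` changes one attribute, no LDAP bind involved.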
Jean-François Morcillo
2015-Feb-02  13:55 UTC
[Samba] Searching samba ldap without authentication
On 02/02/2015 12:20, Rowland Penny wrote:
> On 02/02/15 11:01, Jean-François Morcillo wrote:
>> On 02/02/2015 10:59, Rowland Penny wrote:
>>> On 02/02/15 09:04, Jean-François Morcillo wrote:
>>>> Hello,
>>>>
>>>> I'm writing a set of python scripts that need to consult samba ldap
>>>> database without authentication.
>>>> I've set up 2 machines, the first as PDC, the second as BDC.
>>>> I run my scripts on both and while they run fine on the PDC they end
>>>> with error on the BDC.
>>>> Here is the minimal example that behaves this way:
>>>>
>>>> import ldap
>>>> LDAP_URI =
>>>> "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"
>>>>
>>>> l = ldap.initialize(LDAP_URI, trace_level=1)
>>>> entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
>>>> print(entries)
>>>>
>>>> it ends with: ldap.OPERATIONS_ERROR: {'info': '00002020: Operation
>>>> unavailable without authentication', 'desc': 'Operations error'}
>>>>
>>>>
>>>> What is very disturbing is that the equivalent using the ldapsearch
>>>> command works well (ldapsearch -x -H
>>>> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
>>>> dc=mon,dc=dom).
>>>>
>>>> I've straced all commands (I could provide the log if required);
>>>> basically, here is what they showed:
>>>> - There is nearly no difference (nothing significant) between the
>>>> traces
>>>> of the scripts on the PDC and the BDC.
>>>> - The diff between the trace of the script and the trace of the command
>>>> line tool shows this:
>>>> - on both sides: connect(3, {sa_family=AF_LOCAL,
>>>> sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
>>>> - then later, only in the script trace: connect(4,
>>>> {sa_family=AF_INET, sin_port=htons(53),
>>>> sin_addr=inet_addr("192.168.100.2")}, 16) = 0
>>>>
>>>> So the reason for the script to end with an error is that it tries to
>>>> connect to the PDC while the command line tool does not do this.
>>>> The question is why do they behave differently and, most important,
>>>> how to
>>>> make my script work?
>>>> I've been stuck with this for more than two days so I would really
>>>> appreciate help.
>>>>
>>>> Regards,
>>>>
>>> Hi, just what are you trying to do? why use ldapi ?
>> I need to monitor the db and sometimes write to it.
>>
>>> If you use 'ldbsearch -H /var/lib/samba/private/sam.ldb' , you will
>>> get most of the AD objects, but this will only work on the DC, you
>>> will need to authenticate if you try it from another computer.
>> My scripts are run locally, I don't need to interact with another
>> computer.
>> I think I can't use /var/lib/samba/private/sam.ldb, as far as I
>> understand I won't be able to modify, for example, the properties of
>> users.
>
> Well, seeing as all the user properties are stored in sam.ldb and
> *everybody* else modifies this when needed, leads me to believe that
> you need to go and do a lot more reading on samba4 in AD mode, the
> samba wiki would be a good place to start.
Ok, thank you. I had seen how to create users, but I missed how to modify
properties; I'm going to check this.
Anyway, any idea why the python script tries to connect to the remote AD,
while the command line tool only connects to the local AD?
>
> From your email address, I have a sinking feeling that Mandriva has
> arrived at the Samba4 party :-D
You're right :) Let's say we were late in this area and hope to be up to
date very soon.
>
>>
>>> Also, you do not have a 'PDC' and a 'BDC', you just have 2 'DC's'
>> Why do you say I don't have a 'PDC' and a 'BDC'?
>> Do you mean I have misconfigured them or that the distinction is
>> useless?
>> In the first case I would say: I've set up the PDC using the 'samba-tool
>> domain provision <params>' and I've set up the BDC using 'samba-tool
>> domain join <params>'.
>> In the second case I would say that this is the sole difference I see
>> that could explain the different behaviour; that's why I talked about it.
>>
>
> OK,
> PDC = NT4 style domain controller
> BDC = NT4 style backup domain controller
>
> Provisioning Samba4 with samba-tool = AD DC
> joining Samba4 to another AD DC with samba-tool = another AD DC
>
> Apart from the FSMO roles, *all* AD DC's are equal. Please do not
> refer to your AD DC's as NT4 PDC's or NT4 BDC's, this will only lead
> to confusion.
Ok, thank you. I'm sorry for the confusion introduced by the old-school
names; it was the only way for me to express the small difference between
the machines.
--
Jean-François