Jean-François Morcillo
2015-Feb-02 13:55 UTC
[Samba] Searching samba ldap without authentication
On 02/02/2015 12:20, Rowland Penny wrote:
> On 02/02/15 11:01, Jean-François Morcillo wrote:
>> On 02/02/2015 10:59, Rowland Penny wrote:
>>> On 02/02/15 09:04, Jean-François Morcillo wrote:
>>>> Hello,
>>>>
>>>> I'm writing a set of python scripts that need to consult the samba ldap
>>>> database without authentication.
>>>> I've set up 2 machines, the first as PDC, the second as BDC.
>>>> I run my scripts on both and while they run fine on the PDC they end
>>>> with an error on the BDC.
>>>> Here is the minimal example that behaves this way:
>>>>
>>>> import ldap
>>>> LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"
>>>>
>>>> l = ldap.initialize(LDAP_URI, trace_level=1)
>>>> entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
>>>> print(entries)
>>>>
>>>> it ends with: ldap.OPERATIONS_ERROR: {'info': '00002020: Operation
>>>> unavailable without authentication', 'desc': 'Operations error'}
>>>>
>>>>
>>>> What is very disturbing is that the equivalent using the ldapsearch
>>>> command works well (ldapsearch -x -H
>>>> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
>>>> dc=mon,dc=dom).
>>>>
>>>> I've straced all commands (I could provide the log if required);
>>>> basically here is what they showed:
>>>> - There is nearly no difference (nothing significant) between the
>>>> traces of the scripts on the PDC and the BDC.
>>>> - The diff between the trace of the script and the trace of the command
>>>> line tool shows this:
>>>>   - on both sides: connect(3, {sa_family=AF_LOCAL,
>>>> sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
>>>>   - then later, only in the script trace: connect(4,
>>>> {sa_family=AF_INET, sin_port=htons(53),
>>>> sin_addr=inet_addr("192.168.100.2")}, 16) = 0
>>>>
>>>> So the reason for the script to end with an error is that it tries to
>>>> connect to the PDC while the command line tool does not do this.
>>>> The question is why do they behave differently and, most important,
>>>> how to make my script work?
>>>> I've been stuck with this for more than two days so I would really
>>>> appreciate help.
>>>>
>>>> Regards,
>>>>
>>> Hi, just what are you trying to do? why use ldapi ?
>> I need to monitor the db and sometimes write to it.
>>
>>> If you use 'ldbsearch -H /var/lib/samba/private/sam.ldb' , you will
>>> get most of the AD objects, but this will only work on the DC, you
>>> will need to authenticate if you try it from another computer.
>> My scripts are run locally, I don't need to interact with another
>> computer.
>> I think I can't use /var/lib/samba/private/sam.ldb, as far as I
>> understand I won't be able to modify, for example, the properties of
>> users.
>
> Well, seeing as all the user properties are stored in sam.ldb and
> *everybody* else modifies this when needed, leads me to believe that
> you need to go and do a lot more reading on samba4 in AD mode, the
> samba wiki would be a good place to start.

Ok, thank you, I had seen how to create users, but I missed how to modify
properties, I'm gonna check this.
Anyway, any idea why the python script tries to connect to the remote AD,
while the command line tool only connects to the local AD?

> From your email address, I have a sinking feeling that Mandriva has
> arrived at the Samba4 party :-D

You're right :)
Let's say we were late in this area and hope to be up to date very soon.

>>> Also, you do not have a 'PDC' and a 'BDC', you just have 2 'DC's'
>> Why do you say I don't have a 'PDC' and a 'BDC'?
>> Do you mean I have misconfigured them or that the distinction is
>> useless?
>> In the first case I would say: I've set up the PDC using 'samba-tool
>> domain provision <params>' and I've set up the BDC using 'samba-tool
>> domain join <params>'.
>> In the second case I would say that this is the sole difference I see
>> that could explain the different behaviour, that's why I talked about it.
>
> OK,
> PDC = NT4 style domain controller
> BDC = NT4 style backup domain controller
>
> Provisioning Samba4 with samba-tool = AD DC
> joining Samba4 to another AD DC with samba-tool = another AD DC
>
> Apart from the FSMO roles, *all* AD DC's are equal. Please do not
> refer to your AD DC's as NT4 PDC's or NT4 BDC's, this will only lead
> to confusion.

Ok, thank you, I'm sorry for the confusion introduced by the old-school
names, it was the only way for me to express the small difference between
the machines.

-- 
Jean-François
On 02/02/15 13:55, Jean-François Morcillo wrote:
> Ok, thank you, I had seen how to create users, but I missed how to modify
> properties, I'm gonna check this.
> Anyway, any idea why the python script tries to connect to the remote
> AD, while the command line tool only connects to the local AD?

Probably because you are connecting via ldapi, try the ldb-tools instead,
you can search on the DC without a password, adding or modifying requires
a password. You may be duplicating the work done on samba-tool, I would
suggest that you investigate this python tool before you go much further,
no point in re-inventing the wheel, is there :-)

> You're right :)
> Let's say we were late in this area and hope to be up to date very soon.

I hope so, 3.6 is about to EOL when 4.2 comes out.

> Ok, thank you, I'm sorry for the confusion introduced by the old-school
> names, it was the only way for me to express the small difference
> between the machines.
>

I understand what you mean, but it is better to get into the habit of
just referring to them as DC's, as samba4 can still be set up as an NT4
PDC. As far as I know, there is no microsoft obsolete policy on samba,
things are only removed when nobody is using them or they are no longer
required.

Rowland
Jean-François Morcillo
2015-Feb-02 15:37 UTC
[Samba] Searching samba ldap without authentication
On 02/02/2015 15:48, Rowland Penny wrote:
> On 02/02/15 13:55, Jean-François Morcillo wrote:
>
>> Ok, thank you, I had seen how to create users, but I missed how to modify
>> properties, I'm gonna check this.
>> Anyway, any idea why the python script tries to connect to the remote
>> AD, while the command line tool only connects to the local AD?
>
> Probably because you are connecting via ldapi, try the ldb-tools
> instead, you can search on the DC without a password, adding or
> modifying requires a password. You may be duplicating the work done on
> samba-tool, I would suggest that you investigate this python tool
> before you go much further, no point in re-inventing the wheel, is
> there :-)
>

Sure, reinventing the wheel is nonsense, it was not my choice. I'll have
a deeper look into samba-tool.
Just for information, here is how to make the script work correctly:

import ldap
LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"
l = ldap.initialize(LDAP_URI, trace_level=1)
l.set_option(ldap.OPT_REFERRALS, 0)
entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
print(entries)

>
>> You're right :)
>> Let's say we were late in this area and hope to be up to date very soon.
>
> I hope so, 3.6 is about to EOL when 4.2 comes out.

We are currently providing version 4.1.14 :)

>
>> Ok, thank you, I'm sorry for the confusion introduced by the old-school
>> names, it was the only way for me to express the small difference
>> between the machines.
>>
>
> I understand what you mean, but it is better to get into the habit of
> just referring to them as DC's as samba4 can still be set up as an NT4
> PDC. As far as I know, there is no microsoft obsolete policy on samba,
> things are only removed when nobody is using them or they are no longer
> required.

Thank you, I'll be more precise next time :)

>
> Rowland
>
>

-- 
Jean-François
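The fix posted above is a single `set_option` call; the following is an added example (not code posted by either participant in this thread) that spells out why it works and what a local-only script should do with the pieces around it. python-ldap chases referrals by default, so when the local DC answers a search with a referral, libldap connects to the referred DC anonymously and that DC refuses with the "Operation unavailable without authentication" error quoted in the thread; with `OPT_REFERRALS` set to 0 the referral comes back as a result entry whose dn is `None` and the search never leaves the local ldapi socket. The socket path and base DN are the ones from the thread; the `dc2.mon.dom` host in the sample result is constructed. Only `connect_local()` and `anonymous_search()` need python-ldap installed; the URI and result helpers run anywhere.

```python
"""Anonymous search of a Samba AD DC over its local ldapi socket with LDAP
referral chasing disabled, so the client never opens a network connection
to another DC. Added example for this thread; python-ldap is needed only by
the two live functions."""
import os
from urllib.parse import quote, unquote, urlparse

try:
    import ldap  # python-ldap; used by connect_local() / anonymous_search()
except ImportError:  # the pure helpers below still work without it
    ldap = None

# Privileged ldapi socket used in the thread (Samba's default private dir).
DEFAULT_SOCKET = "/var/lib/samba/private/ldap_priv/ldapi"


def ldapi_uri(socket_path):
    """Build an ldapi:// URI from a Unix socket path.

    The socket path sits in the URI's host position, so every '/' must be
    percent-encoded (%2F); written literally it would parse as host + path.
    """
    return "ldapi://" + quote(socket_path, safe="")


def socket_path_from_uri(uri):
    """Inverse of ldapi_uri(): recover the socket path from an ldapi URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "ldapi":
        raise ValueError("not an ldapi URI: %r" % uri)
    return unquote(parsed.netloc)


def split_results(results):
    """Separate real entries from referral (SearchResultReference) results.

    With OPT_REFERRALS disabled, python-ldap returns a referral as a tuple
    whose dn is None and whose second element is a list of LDAP URLs. Those
    URLs are the hops the default (chasing) behaviour would have followed
    anonymously, so they are worth logging rather than silently dropping.
    """
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]
    referrals = [url for dn, urls in results if dn is None for url in urls]
    return entries, referrals


def connect_local(uri=None):
    """Open an anonymous connection to the local ldapi socket, no referrals.

    Requires python-ldap. OPT_REFERRALS=0 is the fix from the thread: it
    keeps the whole search on the local socket instead of letting libldap
    reconnect anonymously to whichever DC a referral points at.
    """
    if ldap is None:
        raise RuntimeError("python-ldap is required for a live connection")
    conn = ldap.initialize(uri or ldapi_uri(DEFAULT_SOCKET))
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    return conn


def anonymous_search(conn, base_dn, ldap_filter="(objectClass=*)", attrs=None):
    """Subtree search as in the thread; returns (entries, referral_urls)."""
    results = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, ldap_filter, attrs)
    return split_results(results)


# Constructed sample in python-ldap's result shape: one real entry plus one
# referral to a made-up second DC, as the local DC might return for a
# naming context it does not hold.
SAMPLE_RESULTS = [
    ("DC=mon,DC=dom", {"objectClass": [b"top", b"domain", b"domainDNS"]}),
    (None, ["ldap://dc2.mon.dom/CN=Configuration,DC=mon,DC=dom"]),
]

if __name__ == "__main__":
    entries, referrals = split_results(SAMPLE_RESULTS)
    print("entries:", [dn for dn, _ in entries])
    print("referrals not chased:", referrals)
    # Live search only where the Samba socket actually exists.
    if ldap is not None and os.path.exists(DEFAULT_SOCKET):
        live_entries, live_refs = anonymous_search(connect_local(), "dc=mon,dc=dom")
        print("live entries:", len(live_entries), "referrals:", live_refs)
```

Run as-is the script prints the split of the constructed sample; on a DC it additionally performs the same anonymous subtree search as the thread's script, but with referrals returned as data instead of followed.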