samba - Sep 2015 - ldbadd with kerberos ticket => 00002020: Operation unavailable without authentication

Hi,

I'd like to use ldbadd with kerberos authentication using samba
4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not being
processed. Executing...

kinit Administrator at INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab

root at dc01:/# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at INTERNAL.DOMAIN.TLD

Valid starting     Expires            Service principal
09/01/15 20:36:16  09/02/15 06:36:16
 krbtgt/INTERNAL.DOMAIN.TLD at INTERNAL.DOMAIN.TLD
renew until 09/02/15 20:36:16

root at dc01:/# ldbadd -k yes -H ldap://localhost << EOF
dn: CN=Groups,DC=internal,DC=domain,DC=tld
objectClass: container
objectClass: top
cn: Groups
objectCategory:
CN=Container,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld
description: Default container for upgraded group accounts
EOF

results in:
ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR - 
<00002020:
Operation unavailable without authentication> <>" on DN
CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6

Anybody else who has the same problem? Or could somebody enlighten me, what
I'm doing wrong here?

btw: ldbadd -U DOMAIN/User%password ... works.

Thanks in advance for any hint.

Regards

On 01/09/15 21:59, Quirin Maier wrote:
> Hi,
>
> I'd like to use ldbadd with kerberos authentication using samba
> 4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not being
> processed. Executing...
>
> kinit Administrator at INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab
>
> root at dc01:/# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at INTERNAL.DOMAIN.TLD
>
> Valid starting     Expires            Service principal
> 09/01/15 20:36:16  09/02/15 06:36:16
>   krbtgt/INTERNAL.DOMAIN.TLD at INTERNAL.DOMAIN.TLD
> renew until 09/02/15 20:36:16
>
> root at dc01:/# ldbadd -k yes -H ldap://localhost << EOF
> dn: CN=Groups,DC=internal,DC=domain,DC=tld
> objectClass: container
> objectClass: top
> cn: Groups
> objectCategory:
> CN=Container,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld
> description: Default container for upgraded group accounts
> EOF
>
> results in:
> ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR - 
<00002020:
> Operation unavailable without authentication> <>" on DN
> CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6
>
> Anybody else who has the same problem? Or could somebody enlighten me, what
> I'm doing wrong here?
>
> btw: ldbadd -U DOMAIN/User%password ... works.
>
> Thanks in advance for any hint.
>
> Regards
OK, firstly I would create a user to use with ldb-tools instead of using 
Administrator:

samba-tool user create admin --random-password 
--description="Unprivileged user for ldb-tools"

Next, set user to not expire:

samba-tool user setexpiry admin --noexpiry

You now need to export the users keytab:

samba-tool domain exportkeytab /etc/admin.keytab --principal=admin

Now you have the keytab you can now run kinit and create the ticket cache:

kinit -F -k -t /etc/admin.keytab -c /tmp/krb5cc_admin admin at UREALM # 
<--change 'UREALM' to your uppercase realm name

finally you can run run ldbadd command:

ldbadd ldap://localhost --kerberos=yes --krb5-ccache=/tmp/krb5cc_admin 
<< EOF
......


HTH

Rowland

2015-09-01 23:39 GMT+02:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
> On 01/09/15 21:59, Quirin Maier wrote:
>
>> Hi,
>>
>> I'd like to use ldbadd with kerberos authentication using samba
>> 4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not being
>> processed. Executing...
>>
>> kinit Administrator at INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab
>>
>> root at dc01:/# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator at INTERNAL.DOMAIN.TLD
>>
>> Valid starting     Expires            Service principal
>> 09/01/15 20:36:16  09/02/15 06:36:16
>>   krbtgt/INTERNAL.DOMAIN.TLD at INTERNAL.DOMAIN.TLD
>> renew until 09/02/15 20:36:16
>>
>> root at dc01:/# ldbadd -k yes -H ldap://localhost << EOF
>> dn: CN=Groups,DC=internal,DC=domain,DC=tld
>> objectClass: container
>> objectClass: top
>> cn: Groups
>> objectCategory:
>> CN=Container,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld
>> description: Default container for upgraded group accounts
>> EOF
>>
>> results in:
>> ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR - 
<00002020:
>> Operation unavailable without authentication> <>" on DN
>> CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6
>>
>> Anybody else who has the same problem? Or could somebody enlighten me,
>> what
>> I'm doing wrong here?
>>
>> btw: ldbadd -U DOMAIN/User%password ... works.
>>
>> Thanks in advance for any hint.
>>
>> Regards
>>
>
> OK, firstly I would create a user to use with ldb-tools instead of using
> Administrator:
>
> samba-tool user create admin --random-password
--description="Unprivileged
> user for ldb-tools"
>
> Next, set user to not expire:
>
> samba-tool user setexpiry admin --noexpiry
>
> You now need to export the users keytab:
>
> samba-tool domain exportkeytab /etc/admin.keytab --principal=admin
>
> Now you have the keytab you can now run kinit and create the ticket cache:
>
> kinit -F -k -t /etc/admin.keytab -c /tmp/krb5cc_admin admin at UREALM #
> <--change 'UREALM' to your uppercase realm name
>
> finally you can run run ldbadd command:
>
> ldbadd ldap://localhost --kerberos=yes --krb5-ccache=/tmp/krb5cc_admin
<<
> EOF
> ......
>
>
> HTH
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi Rowland,

I've tried your solution, but unfortunately I received same error again :-(

ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR - 
<00002020:
Operation unavailable without authentication> <>" on DN
CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6

@all: anybody out there on debian jessie with sernet samba packages 4.2.3,
who could try Rowland's solution and give feedback?

Quirin

On Tue, 2015-09-01 at 22:59 +0200, Quirin Maier wrote:
> Hi,
> 
> I'd like to use ldbadd with kerberos authentication using samba
> 4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not
> being
> processed. Executing...
> 
> kinit Administrator at INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab
> 
> root at dc01:/# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at INTERNAL.DOMAIN.TLD
> 
> Valid starting     Expires            Service principal
> 09/01/15 20:36:16  09/02/15 06:36:16
>  krbtgt/INTERNAL.DOMAIN.TLD at INTERNAL.DOMAIN.TLD
> renew until 09/02/15 20:36:16
> 
> root at dc01:/# ldbadd -k yes -H ldap://localhost << EOF
> dn: CN=Groups,DC=internal,DC=domain,DC=tld
> objectClass: container
> objectClass: top
> cn: Groups
> objectCategory:
> CN=Container,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld
> description: Default container for upgraded group accounts
> EOF
> 
> results in:
> ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR - 
>  <00002020:
> Operation unavailable without authentication> <>" on DN
> CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6
> 
> Anybody else who has the same problem? Or could somebody enlighten
> me, what
> I'm doing wrong here?
> 
> btw: ldbadd -U DOMAIN/User%password ... works.
This looks like https://bugzilla.samba.org/show_bug.cgi?id=11265 which
should be in the next 4.2 release.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba