Quirin Maier
2015-Sep-01 20:59 UTC
[Samba] ldbadd with kerberos ticket => 00002020: Operation unavailable without authentication
Hi, I'd like to use ldbadd with kerberos authentication using samba 4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not being processed. Executing... kinit Administrator at INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab root at dc01:/# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: Administrator at INTERNAL.DOMAIN.TLD Valid starting Expires Service principal 09/01/15 20:36:16 09/02/15 06:36:16 krbtgt/INTERNAL.DOMAIN.TLD at INTERNAL.DOMAIN.TLD renew until 09/02/15 20:36:16 root at dc01:/# ldbadd -k yes -H ldap://localhost << EOF dn: CN=Groups,DC=internal,DC=domain,DC=tld objectClass: container objectClass: top cn: Groups objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld description: Default container for upgraded group accounts EOF results in: ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>" on DN CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6 Anybody else who has the same problem? Or could somebody enlighten me, what I'm doing wrong here? btw: ldbadd -U DOMAIN/User%password ... works. Thanks in advance for any hint. Regards
Rowland Penny
2015-Sep-01 21:39 UTC
[Samba] ldbadd with kerberos ticket => 00002020: Operation unavailable without authentication
On 01/09/15 21:59, Quirin Maier wrote:> Hi, > > I'd like to use ldbadd with kerberos authentication using samba > 4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not being > processed. Executing... > > kinit Administrator at INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab > > root at dc01:/# klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: Administrator at INTERNAL.DOMAIN.TLD > > Valid starting Expires Service principal > 09/01/15 20:36:16 09/02/15 06:36:16 > krbtgt/INTERNAL.DOMAIN.TLD at INTERNAL.DOMAIN.TLD > renew until 09/02/15 20:36:16 > > root at dc01:/# ldbadd -k yes -H ldap://localhost << EOF > dn: CN=Groups,DC=internal,DC=domain,DC=tld > objectClass: container > objectClass: top > cn: Groups > objectCategory: > CN=Container,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld > description: Default container for upgraded group accounts > EOF > > results in: > ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: > Operation unavailable without authentication> <>" on DN > CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6 > > Anybody else who has the same problem? Or could somebody enlighten me, what > I'm doing wrong here? > > btw: ldbadd -U DOMAIN/User%password ... works. > > Thanks in advance for any hint. > > RegardsOK, firstly I would create a user to use with ldb-tools instead of using Administrator: samba-tool user create admin --random-password --description="Unprivileged user for ldb-tools" Next, set user to not expire: samba-tool user setexpiry admin --noexpiry You now need to export the users keytab: samba-tool domain exportkeytab /etc/admin.keytab --principal=admin Now you have the keytab you can now run kinit and create the ticket cache: kinit -F -k -t /etc/admin.keytab -c /tmp/krb5cc_admin admin at UREALM # <--change 'UREALM' to your uppercase realm name finally you can run run ldbadd command: ldbadd ldap://localhost --kerberos=yes --krb5-ccache=/tmp/krb5cc_admin << EOF ...... HTH Rowland
Quirin Maier
2015-Sep-03 21:25 UTC
[Samba] ldbadd with kerberos ticket => 00002020: Operation unavailable without authentication
2015-09-01 23:39 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:> On 01/09/15 21:59, Quirin Maier wrote: > >> Hi, >> >> I'd like to use ldbadd with kerberos authentication using samba >> 4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not being >> processed. Executing... >> >> kinit Administrator at INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab >> >> root at dc01:/# klist >> Ticket cache: FILE:/tmp/krb5cc_0 >> Default principal: Administrator at INTERNAL.DOMAIN.TLD >> >> Valid starting Expires Service principal >> 09/01/15 20:36:16 09/02/15 06:36:16 >> krbtgt/INTERNAL.DOMAIN.TLD at INTERNAL.DOMAIN.TLD >> renew until 09/02/15 20:36:16 >> >> root at dc01:/# ldbadd -k yes -H ldap://localhost << EOF >> dn: CN=Groups,DC=internal,DC=domain,DC=tld >> objectClass: container >> objectClass: top >> cn: Groups >> objectCategory: >> CN=Container,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld >> description: Default container for upgraded group accounts >> EOF >> >> results in: >> ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: >> Operation unavailable without authentication> <>" on DN >> CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6 >> >> Anybody else who has the same problem? Or could somebody enlighten me, >> what >> I'm doing wrong here? >> >> btw: ldbadd -U DOMAIN/User%password ... works. >> >> Thanks in advance for any hint. >> >> Regards >> > > OK, firstly I would create a user to use with ldb-tools instead of using > Administrator: > > samba-tool user create admin --random-password --description="Unprivileged > user for ldb-tools" > > Next, set user to not expire: > > samba-tool user setexpiry admin --noexpiry > > You now need to export the users keytab: > > samba-tool domain exportkeytab /etc/admin.keytab --principal=admin > > Now you have the keytab you can now run kinit and create the ticket cache: > > kinit -F -k -t /etc/admin.keytab -c /tmp/krb5cc_admin admin at UREALM # > <--change 'UREALM' to your uppercase realm name > > finally you can run run ldbadd command: > > ldbadd ldap://localhost --kerberos=yes --krb5-ccache=/tmp/krb5cc_admin << > EOF > ...... > > > HTH > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >Hi Rowland, I've tried your solution, but unfortunately I received same error again :-( ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>" on DN CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6 @all: anybody out there on debian jessie with sernet samba packages 4.2.3, who could try Rowland's solution and give feedback? Quirin
Andrew Bartlett
2015-Sep-05 07:00 UTC
[Samba] ldbadd with kerberos ticket => 00002020: Operation unavailable without authentication
On Tue, 2015-09-01 at 22:59 +0200, Quirin Maier wrote:> Hi, > > I'd like to use ldbadd with kerberos authentication using samba > 4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not > being > processed. Executing... > > kinit Administrator at INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab > > root at dc01:/# klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: Administrator at INTERNAL.DOMAIN.TLD > > Valid starting Expires Service principal > 09/01/15 20:36:16 09/02/15 06:36:16 > krbtgt/INTERNAL.DOMAIN.TLD at INTERNAL.DOMAIN.TLD > renew until 09/02/15 20:36:16 > > root at dc01:/# ldbadd -k yes -H ldap://localhost << EOF > dn: CN=Groups,DC=internal,DC=domain,DC=tld > objectClass: container > objectClass: top > cn: Groups > objectCategory: > CN=Container,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld > description: Default container for upgraded group accounts > EOF > > results in: > ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR - > <00002020: > Operation unavailable without authentication> <>" on DN > CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6 > > Anybody else who has the same problem? Or could somebody enlighten > me, what > I'm doing wrong here? > > btw: ldbadd -U DOMAIN/User%password ... works.This looks like https://bugzilla.samba.org/show_bug.cgi?id=11265 which should be in the next 4.2 release. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Reasonably Related Threads
- ldbadd with kerberos ticket => 00002020: Operation unavailable without authentication
- "00002020: Operation unavailable without authentication" using python-ldap
- "00002020: Operation unavailable without authentication" using python-ldap
- "00002020: Operation unavailable without authentication" using python-ldap
- 4.9.12 operation unavailable without authentication