Jonathon Reinhart
2019-Apr-07 17:45 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Interesting, I'm getting the same error using the LDB tools:
ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H ldap://localhost
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 533, in run
    attrs=["samaccountname"])

ONTHEFIVE\jreinhart-admin at samba-dc3:~$ ldbsearch -H ldap://localhost -b 'dc=ad,dc=onthefive,dc=com'
search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>

Prior to this, I did a fresh kdestroy / kinit.

It happens also on another Linux box. (Not yet "joined", but had a TGT for jreinhart-admin):

$ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
search error - 00002020: Operation unavailable without authentication

$ kinit Administrator at AD.ONTHEFIVE.COM
Password for Administrator at AD.ONTHEFIVE.COM:
$ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
search error - 00002020: Operation unavailable without authentication
For reference, here is my smb.conf:
# Global parameters
[global]
dns forwarder = 10.0.1.1
netbios name = SAMBA-DC3
realm = AD.ONTHEFIVE.COM
server role = active directory domain controller
workgroup = ONTHEFIVE
# Winbind settings
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%D/%U
kerberos method = system keytab
#log level = 10
[netlogon]
path = /var/lib/samba/sysvol/ad.onthefive.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
On Sun, Apr 7, 2019 at 4:25 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 7 Apr 2019 00:41:23 -0400
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > Thanks for the example, Rowland.
>
> Whilst it was an example, it was actual code lifted from Samba's user.py
>
> If you run 'samba-tool user list' on a DC, it is the actual code that
> is run.
>
> >
> > Does ldb work against remote servers as well? I thought it was only
> > for local, file-based access.
>
> Yes it does work on the wire, you can use samba-tool with the '-H' or
> '--URL=url' options.
>
> For instance 'sudo samba-tool user list -H ldap://dc4' run on a Unix
> domain member will list all users in AD.
>
> >
> > In general, I just wanted to use my Samba AD as an environment to
> > learn more about writing software against using LDAP. There are a few
> > applications I'm planning to develop, and I'd like to use actual LDAP
> > so they could be applicable to Samba or Microsoft AD servers.
>
> Can I suggest you examine the Samba source code, if you download the
> latest tarball:
> https://download.samba.org/pub/samba/stable/samba-4.10.1.tar.gz
>
> Extract and open it, you will find a directory called 'python'
>
> >
> > I added some more information on the GitHub issue (
> > https://github.com/python-ldap/python-ldap/issues/275); it looks like
> > there is some sort of nasty race condition, because while the LDAP
> > search usually fails, it will work if I start an asynchronous search
> > without waiting on it.
> >
> > I'm not sure if the problem lies in Samba's LDAP server, the
> > python-gitlab library, or somewhere in between (possibly in the SASL
> > or GSSAPI code). I'm still looking into it, but I wanted to see if
> > anyone here had ever seen anything similar.
>
> This is probably a python-ldap problem, but if you use ldbsearch etc,
> kerberos does work. The syntax is slightly different from ldapsearch,
> see 'ldbsearch --help' and:
>
> https://wiki.samba.org/index.php/LDB
>
> Rowland
Rowland Penny
2019-Apr-07 18:16 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
On Sun, 7 Apr 2019 13:45:11 -0400
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:

> Interesting, I'm getting the same error using the LDB tools:
>
> ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H
> ldap://localhost

Does the DC use itself as its first nameserver in /etc/resolv.conf ?
if it does, it should work without authentication:

root at dc4:~# samba-tool user list -H ldap://localhost
testuser
groupuser2
User27
.......
....
...

> ONTHEFIVE\jreinhart-admin at samba-dc3:~$ ldbsearch -H ldap://localhost
> -b 'dc=ad,dc=onthefive,dc=com'
> search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> Operation unavailable without authentication> <>

Listing users should work on a DC or a Unix domain member, but it must
be done as root (or using sudo) and for Unix domain members, you must
use a DC's short hostname instead of localhost.

>
> Prior to this, I did a fresh kdestroy / kinit.
>
> It happens also on another Linux box. (Not yet "joined", but had a
> TGT for jreinhart-admin):
>
> $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> search error - 00002020: Operation unavailable without authentication
>
>
> $ kinit Administrator at AD.ONTHEFIVE.COM
> Password for Administrator at AD.ONTHEFIVE.COM:
> $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> search error - 00002020: Operation unavailable without authentication

Did you run 'samba-tool user list --help' ?
and if so did you miss:

Credentials Options:
  --simple-bind-dn=DN   DN to use for a simple bind
  --password=PASSWORD   Password
  -U USERNAME, --username=USERNAME
                        Username
  -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
  -N, --no-pass         Don't ask for a password
  -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos
  --ipaddress=IPADDRESS
                        IP address of server
  -P, --machine-pass    Use stored machine account password
  --krb5-ccache=KRB5CCNAME
                        Kerberos Credentials cache

Try it as a normal user on a Unix domain member, kinit as the user, then
run this:

samba-tool user list -H ldap://samba-dc3 -k yes

> For reference, here is my smb.conf:
>
> # Global parameters
> [global]
> dns forwarder = 10.0.1.1
> netbios name = SAMBA-DC3
> realm = AD.ONTHEFIVE.COM
> server role = active directory domain controller
> workgroup = ONTHEFIVE
> # Winbind settings
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> template homedir = /home/%D/%U

You might as well remove the line above, it is the default.

> kerberos method = system keytab

Please don't use the line above, it stops you using secrets.tdb

Rowland
Andrew Bartlett
2019-Apr-07 18:20 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
On Sun, 2019-04-07 at 19:16 +0100, Rowland Penny via samba wrote:
> On Sun, 7 Apr 2019 13:45:11 -0400
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > Interesting, I'm getting the same error using the LDB tools:
> >
> > ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H
> > ldap://localhost
>
> Does the DC use itself as its first nameserver in /etc/resolv.conf ?
> if it does, it should work without authentication:

Over LDAP it won't ever be without authentication. When run as root
some samba-tool commands pick up the system's own machine account
password, but at a protocol level all operations on LDAP, aside from
reading the rootDSE, are required to be authenticated.

I hope this clarifies things.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
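The order of operations Andrew describes (anonymous rootDSE read, then a Kerberos bind, then everything else), written for python-ldap as an added example that is not code from any poster or from Samba. It assumes python-ldap is installed and that `kinit` has already populated the caller's credential cache; the function names are this example's own, and it shows the correct bind sequence rather than diagnosing the race Jonathon reports.

```python
"""Kerberos (SASL/GSSAPI) bind before searching a Samba AD DC with python-ldap.
Added example, not from the thread. Assumes python-ldap is installed and kinit
has already populated the default credential cache for the caller.
"""

# AD data code the DC returns for an operation attempted on an unbound connection.
UNAUTH_CODE = "00002020"

def _text(value):
    """python-ldap hands back attribute values as bytes; normalise to str."""
    return value.decode() if isinstance(value, bytes) else value

def error_info(exc):
    """Server-supplied 'info' string from a python-ldap exception ('' if none)."""
    detail = exc.args[0] if exc.args else {}
    return _text(detail.get("info", "")) if isinstance(detail, dict) else ""

def is_unauthenticated_error(exc):
    """True if the DC answered with 00002020, i.e. no bind was in effect."""
    return UNAUTH_CODE in error_info(exc)

def offers_gssapi(rootdse):
    """The rootDSE is readable anonymously and lists the SASL mechanisms."""
    return "GSSAPI" in [_text(m) for m in rootdse.get("supportedSASLMechanisms", [])]

def kerberos_search(uri, base, ldap_filter="(objectClass=user)", attrs=("sAMAccountName",)):
    """Anonymous rootDSE read, GSSAPI bind, then the authenticated search."""
    import ldap  # imported here so the helpers above also work without python-ldap
    import ldap.sasl
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD returns referrals; don't chase them
    # 1. The only read the DC serves without authentication.
    rootdse = conn.search_s("", ldap.SCOPE_BASE, "(objectClass=*)",
                            ["supportedSASLMechanisms"])[0][1]
    if not offers_gssapi(rootdse):
        raise RuntimeError("%s does not advertise GSSAPI" % uri)
    # 2. The python-ldap equivalent of 'ldbsearch -k yes': bind with the cached TGT.
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    # 3. Everything below the rootDSE must go over the bound connection.
    try:
        return conn.search_s(base, ldap.SCOPE_SUBTREE, ldap_filter, list(attrs))
    except ldap.OPERATIONS_ERROR as exc:
        if is_unauthenticated_error(exc):
            raise RuntimeError("search still unauthenticated: " + error_info(exc)) from exc
        raise
```

Calling `kerberos_search("ldap://samba-dc3.ad.onthefive.com", "dc=ad,dc=onthefive,dc=com")` after `kinit` is the python-ldap counterpart of the `ldbsearch -k yes` command from the thread.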
Jonathon Reinhart
2019-Apr-07 21:34 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
On Sun, Apr 7, 2019 at 2:17 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 7 Apr 2019 13:45:11 -0400
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > Interesting, I'm getting the same error using the LDB tools:
> >
> > ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H
> > ldap://localhost
>
> Does the DC use itself as its first nameserver in /etc/resolv.conf ?
> if it does, it should work without authentication:
>
> root at dc4:~# samba-tool user list -H ldap://localhost
> testuser
> groupuser2
> User27
> .......
> ....
> ...

Yes, the DC uses only "nameserver 127.0.0.1". As root, that command works.

> > ONTHEFIVE\jreinhart-admin at samba-dc3:~$ ldbsearch -H ldap://localhost
> > -b 'dc=ad,dc=onthefive,dc=com'
> > search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> > Operation unavailable without authentication> <>
>
> Listing users should work on a DC or a Unix domain member, but it must
> be done as root (or using sudo) and for Unix domain members, you must
> use a DC's short hostname instead of localhost.
>
> >
> > Prior to this, I did a fresh kdestroy / kinit.
> >
> > It happens also on another Linux box. (Not yet "joined", but had a
> > TGT for jreinhart-admin):
> >
> > $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> > search error - 00002020: Operation unavailable without authentication
> >
> >
> > $ kinit Administrator at AD.ONTHEFIVE.COM
> > Password for Administrator at AD.ONTHEFIVE.COM:
> > $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> > search error - 00002020: Operation unavailable without authentication
>
> Did you run 'samba-tool user list --help' ?
> and if so did you miss:
>
> Credentials Options:
>   --simple-bind-dn=DN   DN to use for a simple bind
>   --password=PASSWORD   Password
>   -U USERNAME, --username=USERNAME
>                         Username
>   -W WORKGROUP, --workgroup=WORKGROUP
>                         Workgroup
>   -N, --no-pass         Don't ask for a password
>   -k KERBEROS, --kerberos=KERBEROS
>                         Use Kerberos
>   --ipaddress=IPADDRESS
>                         IP address of server
>   -P, --machine-pass    Use stored machine account password
>   --krb5-ccache=KRB5CCNAME
>                         Kerberos Credentials cache
>
> Try it as a normal user on a Unix domain member, kinit as the user, then
> run this:
>
> samba-tool user list -H ldap://samba-dc3 -k yes

I don't yet have a Unix domain member to test. But on the DC (as non-root
user), passing "-k yes" to either samba-tool or ldbsearch works.

I also tried this from a non-joined Linux box, and that worked as well:

ldbsearch -k yes -H ldap://samba-dc3 -b 'dc=ad,dc=onthefive,dc=com'

> > For reference, here is my smb.conf:
> >
> > # Global parameters
> > [global]
> > dns forwarder = 10.0.1.1
> > netbios name = SAMBA-DC3
> > realm = AD.ONTHEFIVE.COM
> > server role = active directory domain controller
> > workgroup = ONTHEFIVE
> > # Winbind settings
> > idmap_ldb:use rfc2307 = yes
> > template shell = /bin/bash
> > template homedir = /home/%D/%U
>
> You might as well remove the line above, it is the default.
>
> > kerberos method = system keytab
>
> Please don't use the line above, it stops you using secrets.tdb

Okay thanks. I looked but couldn't find any recommendations on the "right"
choice for "kerberos method". I added this line (changing it from the
default) so I could SSH w/ Kerberos auth to the DC. I guess "secrets and
keytab" is the "right" choice then? Did I miss this, or should this be
expanded upon in the Wiki? What is the effect of not using secrets.tdb?

Thanks for setting me straight with the -k option. However, I still have
this issue with my Python LDAP tests. I had hoped that "kerberos method =
secrets and keytab" would make a difference, but it did not. This issue
occurs on three different machines, using python-ldap 3.1.0, 2.5.2, and
pyldap (a fork), version 2.4.25.1.

I tried writing some standalone C code to replicate this, but I didn't
quite get it working. My next step might be to try some other
language/library that has GSSAPI support, but I'm getting stuck. Any ideas
how I might be able to go about proving this is python-ldap's issue or
Samba's? I might have to install a MS AD server for comparison.

Thanks,
Jonathon