Jonathon Reinhart
2019-Apr-07 17:45 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Interesting, I'm getting the same error using the LDB tools:

ONTHEFIVE\jreinhart-admin@samba-dc3:~$ samba-tool user list -H ldap://localhost
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 533, in run
    attrs=["samaccountname"])

ONTHEFIVE\jreinhart-admin@samba-dc3:~$ ldbsearch -H ldap://localhost -b 'dc=ad,dc=onthefive,dc=com'
search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>

Prior to this, I did a fresh kdestroy / kinit.

It happens also on another Linux box. (Not yet "joined", but had a TGT for jreinhart-admin):

$ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
search error - 00002020: Operation unavailable without authentication

$ kinit Administrator@AD.ONTHEFIVE.COM
Password for Administrator@AD.ONTHEFIVE.COM:
$ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
search error - 00002020: Operation unavailable without authentication

For reference, here is my smb.conf:

# Global parameters
[global]
        dns forwarder = 10.0.1.1
        netbios name = SAMBA-DC3
        realm = AD.ONTHEFIVE.COM
        server role = active directory domain controller
        workgroup = ONTHEFIVE
        # Winbind settings
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        template homedir = /home/%D/%U
        kerberos method = system keytab
        #log level = 10

[netlogon]
        path = /var/lib/samba/sysvol/ad.onthefive.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

On Sun, Apr 7, 2019 at 4:25 AM Rowland Penny via samba <samba@lists.samba.org> wrote:

> On Sun, 7 Apr 2019 00:41:23 -0400
> Jonathon Reinhart <jonathon.reinhart@gmail.com> wrote:
>
> > Thanks for the example, Rowland.
>
> Whilst it was an example, it was actual code lifted from Samba's user.py
>
> If you run 'samba-tool user list' on a DC, it is the actual code that
> is run.
>
> > Does ldb work against remote servers as well? I thought it was only
> > for local, file-based access.
>
> Yes it does work on the wire, you can use samba-tool with the '-H' or
> '--URL=url' options.
>
> For instance 'sudo samba-tool user list -H ldap://dc4' run on a Unix
> domain member will list all users in AD.
>
> > In general, I just wanted to use my Samba AD as an environment to
> > learn more about writing software against using LDAP. There are a few
> > applications I'm planning to develop, and I'd like to use actual LDAP
> > so they could be applicable to Samba or Microsoft AD servers.
>
> Can I suggest you examine the Samba source code, if you download the
> latest tarball:
> https://download.samba.org/pub/samba/stable/samba-4.10.1.tar.gz
>
> Extract and open it, you will find a directory called 'python'
>
> > I added some more information on the GitHub issue (
> > https://github.com/python-ldap/python-ldap/issues/275); it looks like
> > there is some sort of nasty race condition, because while the LDAP
> > search usually fails, it will work if I start an asynchronous search
> > without waiting on it.
> >
> > I'm not sure if the problem lies in Samba's LDAP server, the
> > python-gitlab library, or somewhere in between (possibly in the SASL
> > or GSSAPI code). I'm still looking into it, but I wanted to see if
> > anyone here had ever seen anything similar.
>
> This is probably a python-ldap problem, but if you use ldbsearch etc,
> kerberos does work. The syntax is slightly different from ldapsearch,
> see 'ldbsearch --help' and:
>
> https://wiki.samba.org/index.php/LDB
>
> Rowland
Rowland Penny
2019-Apr-07 18:16 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
On Sun, 7 Apr 2019 13:45:11 -0400
Jonathon Reinhart <jonathon.reinhart@gmail.com> wrote:

> Interesting, I'm getting the same error using the LDB tools:
>
> ONTHEFIVE\jreinhart-admin@samba-dc3:~$ samba-tool user list -H
> ldap://localhost

Does the DC use itself as its first nameserver in /etc/resolv.conf ?
if it does, it should work without authentication:

root@dc4:~# samba-tool user list -H ldap://localhost
testuser
groupuser2
User27
.......
....
...

> ONTHEFIVE\jreinhart-admin@samba-dc3:~$ ldbsearch -H ldap://localhost
> -b 'dc=ad,dc=onthefive,dc=com'
> search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> Operation unavailable without authentication> <>

Listing users should work on a DC or a Unix domain member, but it must
be done as root (or using sudo) and for Unix domain members, you must
use a DC's short hostname instead of localhost.

> Prior to this, I did a fresh kdestroy / kinit.
>
> It happens also on another Linux box. (Not yet "joined", but had a
> TGT for jreinhart-admin):
>
> $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> search error - 00002020: Operation unavailable without authentication
>
>
> $ kinit Administrator@AD.ONTHEFIVE.COM
> Password for Administrator@AD.ONTHEFIVE.COM:
> $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> search error - 00002020: Operation unavailable without authentication

Did you run 'samba-tool user list --help' ?
and if so did you miss:

Credentials Options:
  --simple-bind-dn=DN   DN to use for a simple bind
  --password=PASSWORD   Password
  -U USERNAME, --username=USERNAME
                        Username
  -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
  -N, --no-pass         Don't ask for a password
  -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos
  --ipaddress=IPADDRESS
                        IP address of server
  -P, --machine-pass    Use stored machine account password
  --krb5-ccache=KRB5CCNAME
                        Kerberos Credentials cache

Try it as a normal user on a Unix domain member, kinit as the user, then
run this:

samba-tool user list -H ldap://samba-dc3 -k yes

> For reference, here is my smb.conf:
>
> # Global parameters
> [global]
> dns forwarder = 10.0.1.1
> netbios name = SAMBA-DC3
> realm = AD.ONTHEFIVE.COM
> server role = active directory domain controller
> workgroup = ONTHEFIVE
> # Winbind settings
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> template homedir = /home/%D/%U

You might as well remove the line above, it is the default.

> kerberos method = system keytab

Please don't use the line above, it stops you using secrets.tdb

Rowland
Andrew Bartlett
2019-Apr-07 18:20 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
On Sun, 2019-04-07 at 19:16 +0100, Rowland Penny via samba wrote:
> On Sun, 7 Apr 2019 13:45:11 -0400
> Jonathon Reinhart <jonathon.reinhart@gmail.com> wrote:
>
> > Interesting, I'm getting the same error using the LDB tools:
> >
> > ONTHEFIVE\jreinhart-admin@samba-dc3:~$ samba-tool user list -H
> > ldap://localhost
>
> Does the DC use itself as its first nameserver in /etc/resolv.conf ?
> if it does, it should work without authentication:

Over LDAP it won't ever be without authentication. When run as root
some samba-tool commands pick up the system's own machine account
password, but at a protocol level all operations on LDAP, aside from
reading the rootDSE, are required to be authenticated.

I hope this clarifies things.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Jonathon Reinhart
2019-Apr-07 21:34 UTC
[Samba] "00002020: Operation unavailable without authentication" using python-ldap
On Sun, Apr 7, 2019 at 2:17 PM Rowland Penny via samba <samba@lists.samba.org> wrote:
>
> On Sun, 7 Apr 2019 13:45:11 -0400
> Jonathon Reinhart <jonathon.reinhart@gmail.com> wrote:
>
> > Interesting, I'm getting the same error using the LDB tools:
> >
> > ONTHEFIVE\jreinhart-admin@samba-dc3:~$ samba-tool user list -H
> > ldap://localhost
>
> Does the DC use itself as its first nameserver in /etc/resolv.conf ?
> if it does, it should work without authentication:
>
> root@dc4:~# samba-tool user list -H ldap://localhost
> testuser
> groupuser2
> User27
> .......
> ....
> ...

Yes, the DC uses only "nameserver 127.0.0.1". As root, that command works.

> > ONTHEFIVE\jreinhart-admin@samba-dc3:~$ ldbsearch -H ldap://localhost
> > -b 'dc=ad,dc=onthefive,dc=com'
> > search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> > Operation unavailable without authentication> <>
>
> Listing users should work on a DC or a Unix domain member, but it must
> be done as root (or using sudo) and for Unix domain members, you must
> use a DC's short hostname instead of localhost.
>
> > Prior to this, I did a fresh kdestroy / kinit.
> >
> > It happens also on another Linux box. (Not yet "joined", but had a
> > TGT for jreinhart-admin):
> >
> > $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> > search error - 00002020: Operation unavailable without authentication
> >
> >
> > $ kinit Administrator@AD.ONTHEFIVE.COM
> > Password for Administrator@AD.ONTHEFIVE.COM:
> > $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> > search error - 00002020: Operation unavailable without authentication
>
> Did you run 'samba-tool user list --help' ?
> and if so did you miss:
>
> Credentials Options:
>   --simple-bind-dn=DN   DN to use for a simple bind
>   --password=PASSWORD   Password
>   -U USERNAME, --username=USERNAME
>                         Username
>   -W WORKGROUP, --workgroup=WORKGROUP
>                         Workgroup
>   -N, --no-pass         Don't ask for a password
>   -k KERBEROS, --kerberos=KERBEROS
>                         Use Kerberos
>   --ipaddress=IPADDRESS
>                         IP address of server
>   -P, --machine-pass    Use stored machine account password
>   --krb5-ccache=KRB5CCNAME
>                         Kerberos Credentials cache
>
> Try it as a normal user on a Unix domain member, kinit as the user, then
> run this:
>
> samba-tool user list -H ldap://samba-dc3 -k yes

I don't yet have a Unix domain member to test. But on the DC (as a non-root
user), passing "-k yes" to either samba-tool or ldbsearch works.

I also tried this from a non-joined Linux box, and that worked as well:

ldbsearch -k yes -H ldap://samba-dc3 -b 'dc=ad,dc=onthefive,dc=com'

> > For reference, here is my smb.conf:
> >
> > # Global parameters
> > [global]
> > dns forwarder = 10.0.1.1
> > netbios name = SAMBA-DC3
> > realm = AD.ONTHEFIVE.COM
> > server role = active directory domain controller
> > workgroup = ONTHEFIVE
> > # Winbind settings
> > idmap_ldb:use rfc2307 = yes
> > template shell = /bin/bash
> > template homedir = /home/%D/%U
>
> You might as well remove the line above, it is the default.
>
> > kerberos method = system keytab
>
> Please don't use the line above, it stops you using secrets.tdb

Okay thanks. I looked but couldn't find any recommendations on the "right"
choice for "kerberos method". I added this line (changing it from the
default) so I could SSH w/ Kerberos auth to the DC. I guess "secrets and
keytab" is the "right" choice then? Did I miss this, or should this be
expanded upon in the Wiki? What is the effect of not using secrets.tdb?

Thanks for setting me straight with the -k option. However, I still have
this issue with my Python LDAP tests.

I had hoped that "kerberos method = secrets and keytab" would make a
difference, but it did not. This issue occurs on three different machines,
using python-ldap 3.1.0, 2.5.2, and pyldap (a fork), version 2.4.25.1.

I tried writing some standalone C code to replicate this, but I didn't
quite get it working. My next step might be to try some other
language/library that has GSSAPI support, but I'm getting stuck.

Any ideas how I might be able to go about proving this is python-ldap's
issue or Samba's? I might have to install a MS AD server for comparison.

Thanks,
Jonathon
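The thread establishes two checkable facts for a python-ldap client: only the rootDSE is readable without authentication (Andrew's point), and a Kerberos bind (the '-k yes' that fixed ldbsearch) makes the same search succeed. The script below is an added example, not code from the thread or from Samba, for answering Jonathon's last question: it walks one connection through a rootDSE read, an anonymous search, a SASL/GSSAPI bind, whoami and an authenticated search, recording the 00002020 diagnostic at each step so a failure can be pinned to a stage (the bind itself, versus a bind that reports success while the connection stays unauthenticated). It assumes python-ldap is installed and a TGT is already in the ticket cache; the probe, verdict and gssapi_bind names are the example's own.

```python
SCOPE_BASE, SCOPE_SUBTREE = 0, 2  # same numeric values as ldap.SCOPE_BASE / ldap.SCOPE_SUBTREE
AUTH_REQUIRED = "00002020"        # AD/Samba diagnostic code: operation needs authentication

def ldap_error_info(exc):  # python-ldap LDAPError carries a dict in args[0]
    if exc.args and isinstance(exc.args[0], dict):
        return exc.args[0].get("info") or exc.args[0].get("desc", "")
    return str(exc)

def probe(conn, base_dn, bind):
    """Run each step on one connection (python-ldap object, or a stand-in with
    search_s/whoami_s); bind(conn) does the SASL bind. Every step runs even after
    a failure and maps to 'ok', the whoami string, or the server diagnostic."""
    steps = [
        # rootDSE is the only read the DC answers without authentication
        ("rootdse", lambda: conn.search_s("", SCOPE_BASE, "(objectClass=*)", ["defaultNamingContext"])),
        # any other unauthenticated read should come back with 00002020
        ("anon_search", lambda: conn.search_s(base_dn, SCOPE_BASE, "(objectClass=*)", ["dn"])),
        ("gssapi_bind", lambda: bind(conn)),
        ("whoami", conn.whoami_s),  # proves the bind took effect on this very connection
        ("auth_search", lambda: conn.search_s(base_dn, SCOPE_SUBTREE, "(objectClass=user)", ["sAMAccountName"])),
    ]
    results = {}
    for name, action in steps:
        try:
            value = action()
            results[name] = value if name == "whoami" else "ok"
        except Exception as exc:
            results[name] = ldap_error_info(exc)
    return results

def verdict(r):  # one-line reading of the outcomes (this example's own rules, not Samba's)
    if r["rootdse"] != "ok":
        return "rootDSE unreadable: connectivity or server problem, not authentication"
    if AUTH_REQUIRED not in r["anon_search"]:
        return "anonymous search did not fail with 00002020: unexpected server behaviour"
    if r["gssapi_bind"] != "ok":
        return "GSSAPI bind failed (check kinit/TGT, DNS, SPN): " + r["gssapi_bind"]
    if AUTH_REQUIRED in r["auth_search"]:
        return "bind reported success but this connection is still unauthenticated"
    return "authenticated access works as " + str(r["whoami"])

def gssapi_bind(conn):  # Kerberos bind from the ticket cache: python-ldap's '-k yes'
    import ldap.sasl
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())

if __name__ == "__main__":  # usage: probe.py ldap://samba-dc3 dc=ad,dc=onthefive,dc=com
    import sys, ldap
    conn = ldap.initialize(sys.argv[1])
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD hands out referrals; don't chase them anonymously
    res = probe(conn, sys.argv[2], gssapi_bind)
    print("\n".join(f"{k:12s} {v}" for k, v in res.items()), verdict(res), sep="\n")
```

Running it against the DC and against a Microsoft AD server with the same ticket gives a side-by-side per-step comparison, which is the evidence the thread was after.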