samba - Sep 2019 - 4.9.12 operation unavailable without authentication

I have Samba in production (4.9.6-12 on Ubuntu 18.04) which is working well.

However, we are several releases behind so I am gearing up to upgrade to the
latest 4.9 release.

As part of the preparations (and for other reasons), I spun up an upgraded DC
cluster in our development environment (4.9.12-15 on Ubuntu 18.04).

The initial setup seemed to work and now I have two DCs that appear to be
replicating.

As part of our setup, we have a health check script that runs daily, which runs
a variety of commands to verify everything is OK.

On the production cluster, this works without issue.

However, on the development cluster, "samba-tool ldapcmp" returns:

ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - 
<00002020: Operation unavailable without authentication> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 178, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 972, in run
    outf=self.outf, errf=self.errf)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 79, in __init__
    self.domain_netbios = self.find_netbios()
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py",
line 115, in find_netbios
    scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])

I did not get any hits in the changelog when I did brief searching for that
error.

Does anyone know what has changed in regards to this tool? What do I need to add
for appropriate authentication (I tried using the --username/password and
--username2/password2 flags but got the same error)?


Mike Ray

On 03/09/2019 18:50, Mike Ray via samba wrote:
> I have Samba in production (4.9.6-12 on Ubuntu 18.04) which is working
well.
>
> However, we are several releases behind so I am gearing up to upgrade to
the latest 4.9 release.
>
> As part of the preparations (and for other reasons), I spun up an upgraded
DC cluster in our development environment (4.9.12-15 on Ubuntu 18.04).
>
> The initial setup seemed to work and now I have two DCs that appear to be
replicating.
>
> As part of our setup, we have a health check script that runs daily, which
runs a variety of commands to verify everything is OK.
>
> On the production cluster, this works without issue.
>
> However, on the development cluster, "samba-tool ldapcmp"
returns:
>
> ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - 
<00002020: Operation unavailable without authentication> <>
>    File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 178,
in _run
>      return self.run(*args, **kwargs)
>    File
"/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 972,
in run
>      outf=self.outf, errf=self.errf)
>    File
"/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 79,
in __init__
>      self.domain_netbios = self.find_netbios()
>    File
"/usr/lib/python2.7/dist-packages/samba/netcmd/ldapcmp.py", line 115,
in find_netbios
>      scope=SCOPE_SUBTREE, attrs=["nETBIOSName"])
>
> I did not get any hits in the changelog when I did brief searching for that
error.
>
> Does anyone know what has changed in regards to this tool? What do I need
to add for appropriate authentication (I tried using the --username/password and
--username2/password2 flags but got the same error)?
>
>
> Mike Ray
>
I do hope that 'cluster' == 'domain' ;-)

I have always used authentication, so I am unsure when it became 
obligatory (if it wasn't from the start).

The way to use it is:

samba-tool ldapcmp ldap://dc1 ldap://dc2 -U Administrator 
--password=<PASSWORD>

Or as root:

kinit Administrator

samba-tool ldapcmp ldap://dc1 ldap://dc2 -k

Rowland

> I do hope that 'cluster' == 'domain' ;-)
I was just trying to convey that I have multiple DCs running. But as they are
not in a cluster like a SQL cluster, it was a poor choice of words.
> I have always used authentication, so I am unsure when it became
> obligatory (if it wasn't from the start).
> 
> The way to use it is:
> 
> samba-tool ldapcmp ldap://dc1 ldap://dc2 -U Administrator
> --password=<PASSWORD>
> 
> Or as root:
> 
> kinit Administrator
> 
> samba-tool ldapcmp ldap://dc1 ldap://dc2 -k
I had previously been accessing the DCs directly, without "ldap://"
(i.e. samba-tool ldapcmp dc1 dc2). I do not know if that was incorrect and I
just got lucky or if there was a change that now requires ldap:// -- in any
case, it appears to be working now.

Thanks!