RhineDevil
2020-Jul-15 15:38 UTC
[Samba] Interacting with LDAP db without password as root
Wed, 15 Jul 2020 16:18:32 +0100 Rowland penny via samba <samba at lists.samba.org>:
> On 15/07/2020 16:10, RhineDevil wrote:
> > Wed, 15 Jul 2020 16:07:06 +0100 Rowland penny via samba <samba at lists.samba.org>:
> >> On 15/07/2020 15:44, RhineDevil wrote:
> >>> Wed, 15 Jul 2020 15:23:41 +0100 Rowland penny via samba <samba at lists.samba.org>:
> >>>> On 15/07/2020 14:56, RhineDevil wrote:
> >>>>> Wed, 15 Jul 2020 13:56:48 +0100 Rowland penny via samba <samba at lists.samba.org>:
> >>>>>> On 15/07/2020 13:36, RhineDevil via samba wrote:
> >>>>>>> How could I avoid being asked a password when interacting with /var/lib/samba/private/ldap_priv/ldapi through ldapsearch or ldaputils in general?
> >>>>>>> (ldapsearch -H ldapi//%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi)
> >>>>>> Don't use ldap-utils, use ldb-tools and the machine password:
> >>>>>>
> >>>>>> sudo ldbsearch -P -H ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap
> >>>>>>
> >>>>>> Rowland
> >>>>> "ldap client internal error NT_STATUS_UNSUCCESFUL"
> >>>> Strange, I get:
> >>>>
> >>>> root@dc01:~# ldbsearch -P -H ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi
> >>>> ALL_MY_AD_RECORDS
> >>>>
> >>>> Snipped for brevity
> >>>>
> >>>> .....................
> >>>> ...................
> >>>> .................
> >>>> # Referral
> >>>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>>>
> >>>> # Referral
> >>>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>>>
> >>>> # Referral
> >>>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>>>
> >>>> # returned 479 records
> >>>> # 476 entries
> >>>> # 3 referrals
> >>>>
> >>>> You are running this on a DC ?
> >>>>
> >>>> Rowland
> >>>>
> >>> Yes I think, I just did samba-tool domain provision [...] and then tried to connect with this socket
> >> What OS and are you using distro packages or a self compiled Samba.
> >>
> >> Rowland
> >>
> > Devuan 10 beowulf with samba 4.9.5
>
> Is Samba running ?
>
> Rowland
>
Yes it is
Rowland penny
2020-Jul-15 15:55 UTC
[Samba] Interacting with LDAP db without password as root
On 15/07/2020 16:38, RhineDevil wrote:
> Wed, 15 Jul 2020 16:18:32 +0100 Rowland penny via samba <samba at lists.samba.org>:
>
>> Is Samba running ?
>>
>> Rowland
>>
> Yes it is

I ask this because the only time I get anything like your problem is if I stop Samba:

    linuxadmin@dc1:~$ sudo service samba-ad-dc stop
    [sudo] password for linuxadmin:
    [ ok ] Stopping Samba AD DC daemon: samba.
    linuxadmin@dc1:~$ sudo ldbsearch -P -H ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi
    Failed to bind - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
    Failed to connect to 'ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi' with backend 'ldapi': LDAP client internal error: NT_STATUS_UNSUCCESSFUL
    Failed to connect to ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi - LDAP client internal error: NT_STATUS_UNSUCCESSFUL

So if Samba is running, then is Apparmor denying access ? (I always turn Apparmor off)

Rowland
RhineDevil
2020-Jul-15 16:32 UTC
[Samba] Interacting with LDAP db without password as root
Wed, 15 Jul 2020 16:55:42 +0100 Rowland penny via samba <samba at lists.samba.org>:
> On 15/07/2020 16:38, RhineDevil wrote:
> > Wed, 15 Jul 2020 16:18:32 +0100 Rowland penny via samba <samba at lists.samba.org>:
> >
> >> Is Samba running ?
> >>
> >> Rowland
> >>
> > Yes it is
>
> I ask this because the only time I get anything like your problem is if I stop Samba:
>
> linuxadmin@dc1:~$ sudo service samba-ad-dc stop
> [sudo] password for linuxadmin:
> [ ok ] Stopping Samba AD DC daemon: samba.
> linuxadmin@dc1:~$ sudo ldbsearch -P -H ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi
> Failed to bind - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> Failed to connect to 'ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi' with backend 'ldapi': LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> Failed to connect to ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
>
> So if Samba is running, then is Apparmor denying access ? (I always turn Apparmor off)
>
> Rowland
>
You've given me a different address, now that I reused my original address it doesn't stop but hangs without answering anything
RhineDevil
2020-Jul-15 16:37 UTC
[Samba] Interacting with LDAP db without password as root
Wed, 15 Jul 2020 16:55:42 +0100 Rowland penny via samba <samba at lists.samba.org>:
> On 15/07/2020 16:38, RhineDevil wrote:
> > Wed, 15 Jul 2020 16:18:32 +0100 Rowland penny via samba <samba at lists.samba.org>:
> >
> >> Is Samba running ?
> >>
> >> Rowland
> >>
> > Yes it is
>
> I ask this because the only time I get anything like your problem is if I stop Samba:
>
> linuxadmin@dc1:~$ sudo service samba-ad-dc stop
> [sudo] password for linuxadmin:
> [ ok ] Stopping Samba AD DC daemon: samba.
> linuxadmin@dc1:~$ sudo ldbsearch -P -H ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi
> Failed to bind - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> Failed to connect to 'ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi' with backend 'ldapi': LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> Failed to connect to ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldapi - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
>
> So if Samba is running, then is Apparmor denying access ? (I always turn Apparmor off)
>
> Rowland
>
Never mind, it worked, I just had to wait
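
An added example, not part of the original thread: the failures above turned on which socket path was encoded in the `ldapi://` URL and whether Samba was up, so this script builds the URL from a filesystem path and checks the socket before running the `ldbsearch -P -H` command from the thread. The function names and the script name `check-ldapi.sh` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for Samba's ldapi socket.

# Build an ldapi:// URL from an absolute socket path by encoding "/" as %2F.
# Paths with characters outside [A-Za-z0-9._/-] are rejected, not guessed at.
ldapi_url() {
    case "$1" in
        /*) ;;
        *) echo "socket path must be absolute: $1" >&2; return 2 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9._/-]*) echo "unsupported character in: $1" >&2; return 2 ;;
    esac
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's|/|%2F|g')"
}

# Classify the path: "missing", "not-a-socket" or "ok".
# "ok" only means a socket file exists there; a stale socket may remain
# after the daemon stops, so the bind can still fail.
ldapi_socket_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -S "$1" ]; then echo not-a-socket
    else echo ok
    fi
}

# Run the query from the thread only when the path checks out.
query_ldapi() {
    sock=$1
    state=$(ldapi_socket_state "$sock")
    if [ "$state" != ok ]; then
        echo "$sock: $state (check the path and that Samba is running)" >&2
        return 1
    fi
    url=$(ldapi_url "$sock") || return 2
    # -P (machine account password) and -H are the options used in the thread.
    ldbsearch -P -H "$url"
}

# Usage (as root on the DC): sh check-ldapi.sh /var/lib/samba/private/ldapi
if [ "$#" -gt 0 ]; then query_ldapi "$1"; fi
```
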