DC demote

Michael Wood esiotrot at gmail.com
Tue Jan 4 07:34:25 MST 2011


Hi Vaclav

On 4 January 2011 10:16, Vaclav Klecanda <vencax77 at gmail.com> wrote:
> Hi Michael,

> thanks for your prompt reaction.

> I have done the bind exactly as you have posted (the code comes from the python-ldap
> examples):

> import ldap
> import ldap.sasl
>
> addr = "ldap://10.0.1.4:389/"
> realm = 'vena@MYDOMAIN.CZ'   # authorization identity passed to the GSSAPI mechanism
> conn = ldap.initialize(addr, trace_level=2)
> tokens = ldap.sasl.gssapi(authz_id=realm)
> conn.sasl_interactive_bind_s('', tokens)

> but the sasl_interactive_bind_s returned the error 'SASL(-4): no
> mechanism available...

> I am not an LDAP guru but I think the ldap client complains about a lack of
> mechanisms on the other side (samba4) of the LDAP connection.

Perhaps, but if so, I don't understand why it would do that.

> I DON'T use any other LDAP servers (like openLDAP, etc.). Many discussions
> about how to bind to LDAP using gssapi sasl expect such a server. I use port
> 389 when starting the samba4 binary. I suppose there runs the proprietary samba4
> LDAP based backend server that I don't know anything about.

I am also using Samba 4's built-in LDAP server and not OpenLDAP, etc.

I'm not sure what you mean when you say you "use port 389" when
starting samba4.  You should not have to specify the port.  It should
start up its internal LDAP server on port 389 by default.

By the way, you did not answer my question:

Were you able to delete other things using an anonymous bind?  That's
surprising.

> 2011/1/3 Michael Wood <esiotrot at gmail.com>
>>
>> On 4 January 2011 00:11, Vaclav Klecanda <vencax77 at gmail.com> wrote:
>> > Nobody?
>> > I have tried the ldb* utils to delete demoted DC records but without
>> > success. I was not even able to find out how to delete only an attribute
>> > instead of the whole record.
>>
>> You could try reading the ldapmodify manpage which, I think, describes
>> the same syntax that ldbmodify uses to add/modify/delete attributes.
>>
>> > Maybe the better question is: how could I directly change the samba
>> > database
>> > files (LDB, TDB)?
>>
>> Using ldbmodify or ldbedit etc. should do it, as long as you know what
>> needs to be modified/deleted.  I do not.
>>
>> > I then tried to bind to LDAP server again using python
>> > GSSAPI (ldap.sasl) but sasl_interactive_bind_s said:
>> > Error using SASL mechanism GSSAPI {'info': 'SASL(-4): no mechanism
>> > available: No worthy mechs found', 'desc': 'Unknown authentication
>> > method'}.
>> > I found some discussions about this but no result.
>>
>> I'm not sure what that's about, but perhaps if you post the code you
>> were using someone could help.
>>
>> This has worked for me in the past:
>>
>>    import ldap
>>    import ldap.sasl
>>
>>    # REALM is the Kerberos realm / server name, defined elsewhere
>>    ldap_server = "ldap://%s" % (REALM,)
>>    conn = ldap.initialize(ldap_server)
>>    tokens = ldap.sasl.gssapi()
>>    conn.sasl_interactive_bind_s("", tokens)
>>
>> > 2010/12/30 Vaclav Klecanda <vencax77 at gmail.com>
>> >
>> >> Hi,
>> >> I have successfully set up a samba4 PDC and have joined a Win2k8 BDC. Now I
>> >> removed (demoted) the BDC. I had to use the forceremoval param since the
>> >> default
>> >> process failed. Now I have appropriate records in Samba4 PDC
>> >> (replication
>> >> connection, etc.) and want to remove them. I wanted to remove the
>> >> things
>> >> through a LDAP browser but some of them are in
>> >> dc=Configuration,dc=Schema,..
>> >> subtree which probably wants special rights since it is inaccessible
>> >> through an anonymous ldap bind. Has anybody been solving that?
>>
>> Were you able to delete other things using an anonymous bind?  That's
>> surprising.

-- 
Michael Wood <esiotrot at gmail.com>
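An added example, not code from either poster, putting the two pieces of this thread together: the python-ldap GSSAPI bind from above, followed by removing a single attribute (rather than the whole entry) in the modify syntax that ldapmodify and ldbmodify share. The server URI, DN and attribute name are constructed placeholders; a live bind assumes python-ldap is installed and a Kerberos ticket exists (kinit).

```python
"""GSSAPI bind to Samba 4's LDAP server, then delete one attribute of an
entry instead of the entry itself (added example, not from the thread)."""

try:
    import ldap
    import ldap.sasl
except ImportError:          # python-ldap absent: the LDIF/modlist helpers still work
    ldap = None

# python-ldap's ldap.MOD_DELETE is 1; kept as a constant so the helpers run offline
MOD_DELETE = ldap.MOD_DELETE if ldap else 1


def gssapi_bind(uri, authz_id="", trace_level=0):
    """SASL/GSSAPI bind, as in the thread. Assumes a valid Kerberos ticket."""
    if ldap is None:
        raise RuntimeError("python-ldap is required for a live bind")
    conn = ldap.initialize(uri, trace_level=trace_level)
    try:
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi(authz_id=authz_id))
    except ldap.LDAPError as err:
        # "No worthy mechs found" commonly means the client has no usable GSSAPI
        # SASL plugin or no ticket, not that the server refused the bind.
        raise RuntimeError("GSSAPI bind to %s failed: %s" % (uri, err))
    return conn


def delete_attribute_modlist(attr, values=None):
    """Modlist removing only `attr`: every value when values is None, else the listed ones.
    python-ldap 3.x wants attribute values as bytes."""
    if values is None:
        return [(MOD_DELETE, attr, None)]
    return [(MOD_DELETE, attr, [v.encode() if isinstance(v, str) else v for v in values])]


def delete_attribute_ldif(dn, attr, values=None):
    """Same change as LDIF for `ldbmodify -H ldap://server change.ldif` (or ldapmodify)."""
    lines = ["dn: %s" % dn, "changetype: modify", "delete: %s" % attr]
    lines += ["%s: %s" % (attr, v) for v in (values or [])]
    lines.append("-")
    return "\n".join(lines) + "\n"


def delete_attribute(conn, dn, attr, values=None):
    """Apply the modification over a bound connection."""
    conn.modify_s(dn, delete_attribute_modlist(attr, values))


if __name__ == "__main__":
    # Constructed placeholder DN/attribute, as a leftover of a demoted DC might look
    print(delete_attribute_ldif("CN=PLACEHOLDER-DC,CN=Servers,CN=Configuration,DC=example,DC=cz",
                                "description"))
```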

