[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Rowland Penny
rpenny at samba.org
Sat Apr 6 12:55:52 UTC 2019
On Sat, 6 Apr 2019 04:52:38 -0400
Jonathon Reinhart via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I'm writing in regards to this issue I opened on GitHub:
> https://github.com/python-ldap/python-ldap/issues/275
>
> I am able to successfully use ldapsearch to query my Samba
> 4.9.4-Debian DC:
>
> ldapsearch -LLL -Y GSSAPI -H ldap://samba-dc.ad.example.com -b
> "dc=ad,dc=example,dc=com" "(objectClass=user)" "sAMAccountName"
>
> However, when I try to use python-ldap I get this error:
>
> 00002020: Operation unavailable without authentication
>
> I've traced ldapsearch and python using ltrace, and both seem to be
> making the same calls (ldap_sasl_interactive_bind_s and
> ldap_search_ext) and passing the same parameters.
>
> This feels like a bug in python-ldap, but I've been tracing this for
> hours and can't find anything which indicates that. I set my samba
> "log level" to 10 and grabbed a snapshot right around this query, but
> it's still 1.4M. In there, I do see this:
>
> ldb: ldb_trace_response: DONE
> error: 1
> msg: Operation unavailable without authentication
>
> Am I missing something? Am I barking up the wrong tree?

It might help if you explain just what you are trying to do ;-)

Samba generally uses 'ldb' to work with the AD database, for instance to
list users:

import ldb
import samba.getopt as options
from samba import dsdb
from samba.auth import system_session
from samba.netcmd import Command, Option
from samba.samdb import SamDB


class cmd_user_list(Command):
    """List all users."""

    synopsis = "%prog [options]"

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
               metavar="URL", dest="H"),
    ]

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    def run(self, sambaopts=None, credopts=None, versionopts=None, H=None):
        # Load smb.conf and build credentials from the command-line options,
        # falling back to the machine account.
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp, fallback_machine=True)

        # Open the local sam.ldb, or the server given with -H.
        samdb = SamDB(url=H, session_info=system_session(),
                      credentials=creds, lp=lp)

        # Subtree search for user objects with the UF_NORMAL_ACCOUNT bit set.
        domain_dn = samdb.domain_dn()
        res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
                           expression=("(&(objectClass=user)(userAccountControl:%s:=%u))"
                                       % (ldb.OID_COMPARATOR_AND, dsdb.UF_NORMAL_ACCOUNT)),
                           attrs=["samaccountname"])
        if len(res) == 0:
            return

        for msg in res:
            self.outf.write("%s\n" % msg.get("samaccountname", idx=0))

You may just be trying to reinvent the wheel ;-)
Rowland