DC demote

Vaclav Klecanda vencax77 at gmail.com
Tue Jan 4 12:01:03 MST 2011


Sorry, I forgot:
I used an older version (alpha12) with which I was able to list content with
an anonymous bind. Now, when I tested with the current version, this seems to
be impossible. So this is ok now.

Concerning the "I use port 389": I meant that I normally start the samba4
binary, which also starts the built-in LDAP server (on the default port 389).
Nothing special, except the fact that I am not able to bind to it. So I am
still searching for a working solution on how to do it.

V.

2011/1/4 Michael Wood <esiotrot at gmail.com>

> Hi Vaclav
>
> On 4 January 2011 10:16, Vaclav Klecanda <vencax77 at gmail.com> wrote:
> > Hi Michael,
>
> > thanks for your prompt reaction.
>
> > I have done the bind exactly as you have posted (the code comes from the
> > python-ldap examples):
>
> > import ldap
> > import ldap.sasl
> > addr = "ldap://10.0.1.4:389/"
> > realm = 'vena@MYDOMAIN.CZ'
> > conn = ldap.initialize(addr, trace_level=2)
> > tokens = ldap.sasl.gssapi(authz_id=realm)
> > conn.sasl_interactive_bind_s('', tokens)
>
> > but sasl_interactive_bind_s returned the error 'SASL(-4): no mechanism
> > available...'.
>
> > I am not an LDAP guru, but I think the ldap client complains about a lack
> > of mechanisms on the other side (samba4) of the LDAP connection.
>
> Perhaps, but if so, I don't understand why it would do that.
>
> > I DON'T use any other LDAP servers (like OpenLDAP, etc.). Many discussions
> > about how to bind to LDAP using GSSAPI SASL expect such a server. I use
> > port 389 when starting the samba4 binary. I suppose there runs the
> > proprietary samba4 LDAP-based backend server that I know nothing about.
>
> I am also using Samba 4's built-in LDAP server and not OpenLDAP, etc.
>
> I'm not sure what you mean when you say you "use port 389" when
> starting samba4.  You should not have to specify the port.  It should
> start up its internal LDAP server on port 389 by default.
>
> By the way, you did not answer my question:
>
> Were you able to delete other things using an anonymous bind?  That's
> surprising.
>
> > 2011/1/3 Michael Wood <esiotrot at gmail.com>
> >>
> >> On 4 January 2011 00:11, Vaclav Klecanda <vencax77 at gmail.com> wrote:
> >> > Nobody?
> >> > I have tried the ldb* utils to delete the demoted DC's records, but
> >> > without success. I was not even able to find out how to delete only an
> >> > attribute instead of the whole record.
> >>
> >> You could try reading the ldapmodify manpage which, I think, describes
> >> the same syntax that ldbmodify uses to add/modify/delete attributes.
> >>
> >> > Maybe the better question is: how could I directly change the samba
> >> > database files (LDB, TDB)?
> >>
> >> Using ldbmodify or ldbedit etc. should do it, as long as you know what
> >> needs to be modified/deleted.  I do not.
> >>
> >> > I then tried to bind to LDAP server again using python
> >> > GSSAPI (ldap.sasl) but sasl_interactive_bind_s said:
> >> > Error using SASL mechanism GSSAPI {'info': 'SASL(-4): no mechanism
> >> > available: No worthy mechs found', 'desc': 'Unknown authentication
> >> > method'}.
> >> > I found some discussions about this but no result.
> >>
> >> I'm not sure what that's about, but perhaps if you post the code you
> >> were using someone could help.
> >>
> >> This has worked for me in the past:
> >>
> >>    import ldap
> >>    import ldap.sasl
> >>    ldap_server = "ldap://%s" % (REALM,)
> >>    conn = ldap.initialize(ldap_server)
> >>    tokens = ldap.sasl.gssapi()
> >>    conn.sasl_interactive_bind_s("", tokens)
> >>
> >> > 2010/12/30 Vaclav Klecanda <vencax77 at gmail.com>
> >> >
> >> >> Hi,
> >> >> I have successfully set up a samba4 PDC and have joined a Win2k8 BDC.
> >> >> Now I removed (demoted) the BDC. I had to use the forceremoval param
> >> >> since the default process failed. Now I have the appropriate records
> >> >> in the Samba4 PDC (replication connection, etc.) and want to remove
> >> >> them. I wanted to remove the things through an LDAP browser, but some
> >> >> of them are in the dc=Configuration,dc=Schema,.. subtree, which
> >> >> probably wants special rights since it is inaccessible through an
> >> >> anonymous ldap bind. Has anybody solved that?
> >>
> >> Were you able to delete other things using an anonymous bind?  That's
> >> surprising.
>
> --
> Michael Wood <esiotrot at gmail.com>
>
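As an added example (not code from the thread or from Samba), a python-ldap script that reads the rootDSE's supportedSASLMechanisms before attempting the GSSAPI bind, so that a server which does not offer GSSAPI can be told apart from a client that lacks the Cyrus SASL GSSAPI plugin or a Kerberos ticket; the helper names, the sample rootDSE answer and its mechanism list are assumptions, not captured from a real server.

```python
# Hypothetical pre-flight check for a SASL/GSSAPI bind to Samba 4's LDAP (not
# from the thread): read the rootDSE, which most servers let an anonymous
# client read, and compare its supportedSASLMechanisms with what we want.

# Constructed rootDSE answer in python-ldap's search_s() shape (the mechanism
# list is assumed, not captured from a real Samba 4 server).
SAMPLE_ROOTDSE = [("", {"supportedSASLMechanisms": [b"GSS-SPNEGO", b"GSSAPI", b"NTLM"]})]


def parse_sasl_mechs(rootdse_result):
    """Return the advertised mechanism names from a search_s() result
    ([(dn, {attr: [values]})]; values are bytes on Python 3, str on 2)."""
    mechs = []
    for _dn, attrs in rootdse_result:
        for value in attrs.get("supportedSASLMechanisms", []):
            mechs.append(value.decode("utf-8") if isinstance(value, bytes) else value)
    return mechs


def diagnose(advertised, wanted="GSSAPI"):
    """Turn the advertised list into the next thing for the operator to check."""
    if wanted not in advertised:
        return "server side: %s not offered (offered: %s)" % (
            wanted, ", ".join(advertised) or "none")
    # The server offers it, so 'No worthy mechs found' (a Cyrus SASL client
    # message) points at the client: GSSAPI plugin missing or no ticket.
    return ("client side: %s is offered; check the Cyrus SASL GSSAPI plugin "
            "and a valid Kerberos ticket (klist)" % wanted)


def gssapi_bind(uri, authz_id=""):
    """Check what the server offers, then bind with GSSAPI.
    Returns (connection, None) on success or (None, diagnosis) on failure."""
    import ldap        # python-ldap, imported here so the pure helpers
    import ldap.sasl   # above work without it installed
    conn = ldap.initialize(uri)
    advertised = parse_sasl_mechs(conn.search_s(
        "", ldap.SCOPE_BASE, "(objectClass=*)", ["supportedSASLMechanisms"]))
    try:
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi(authz_id=authz_id))
    except ldap.LDAPError as exc:
        return None, "%s; %s" % (exc, diagnose(advertised))
    return conn, None


if __name__ == "__main__":
    import sys  # usage: python check_bind.py ldap://10.0.1.4:389/
    conn, problem = gssapi_bind(sys.argv[1])
    print("bound as %s" % conn.whoami_s() if conn else problem)
```

Run it with a ticket from kinit in place; the network path needs python-ldap, while parse_sasl_mechs() and diagnose() work on any captured rootDSE result.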


More information about the samba-technical mailing list