Use of kerberos in python samdb script
Andrew Bartlett
abartlet at samba.org
Sun May 12 03:06:42 MDT 2013
On Sun, 2013-05-12 at 10:45 +0200, Gémes Géza wrote:
> On 2013-05-12 07:57, Alexander Bokovoy wrote:
> > Hi,
> >
> > On Sun, May 12, 2013 at 3:13 AM, William Brown <
> > william.e.brown at adelaide.edu.au> wrote:
> >
> >> Hi,
> >>
> >> I am attempting to write a python script using the samba.samdb SamDB
> >> module. I am attempting to authenticate via kerberos with this.
> >>
> >> My script is:
> >>
> >> #WARNING - This requires you to erase samba-python and samba-dc on fedora!!!!
> >> import sys
> >> sys.path.append('/opt/samba4/lib64/python2.7/site-packages')
> >>
> >> from samba.samdb import SamDB
> >> from samba import ldb
> >> from samba.param import LoadParm
> >> from samba.auth import system_session
> >> from samba.credentials import Credentials, AUTO_USE_KERBEROS, MUST_USE_KERBEROS
> >>
> >> import getpass
> >>
> >> lp = LoadParm()
> >> creds = Credentials()
> >> creds.guess(lp)
> >> creds.set_username('william')
> >> creds.set_kerberos_state(AUTO_USE_KERBEROS)
> >> #creds.set_password(getpass.getpass('Samba password #'))
> >>
> > The Credentials object makes its decision based on LoadParm content. Some of
> > the functions LoadParm uses internally make Credentials believe smb.conf
> > values were overridden from the command line and always resort to using a password.
> > This is, in particular, related to workgroup and realm values. The easiest way
> > is to have an empty smb.conf as LoadParm. Here is what I use in FreeIPA's code:
> > ....
> > self._parm = param.LoadParm()
> >
> > self._parm.load(os.path.join(ipautil.SHARE_DIR,"smb.conf.empty"))
> > self._parm.set('netbios name', self.flatname)
> > self._creds = credentials.Credentials()
> > self._creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
> > self._creds.guess(self._parm)
> > self._creds.set_workstation(self.flatname)
> >
> >
> Trying to use your example in a test script like:
>
> lp = LoadParm()
> lp.load ( '/dev/null' )
> lp.set( 'netbios name', 'KZSDABAS' )
> creds = Credentials ()
> creds.set_username( 'geza' )

Don't set the username. Doing so makes us ignore any credentials cache
from the environment, because we see you forcing a specific username.

> creds.set_kerberos_state( MUST_USE_KERBEROS )
> samdb = SamDB ( url='ldap://dc0.kzsdabas.hu',
> session_info=system_session(), credentials=creds, lp=lp )
>
> yields:
>
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://dc0.kzsdabas.hu' with backend 'ldap': (null)
> Traceback (most recent call last):
> File "/tmp/test.py", line 58, in <module>
> samdb = SamDB(url='ldap://dc0.kzsdabas.hu',
> session_info=system_session(), credentials=creds, lp=lp)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py",
> line 56, in __init__
> options=options)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line
> 114, in __init__
> self.connect(url, flags, options)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py",
> line 71, in connect
> options=options)
> _ldb.LdbError: (1, None)
>
> The same script with MUST_USE_KERBEROS changed into AUTO_USE_KERBEROS
> gives a segmentation fault when it tries to read from /dev/urandom,
> strace gives:
> open("/dev/urandom", O_RDONLY) = 5
> fcntl(5, F_GETFD) = 0
> fcntl(5, F_SETFD, FD_CLOEXEC) = 0
> read(5, "N\371\"=\212\226\253\220`\353\234\266c\375F\361", 16) = 16
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++

That's actually because you didn't set the password, but did set the
username. I agree that segfaults are not quite the right error return,
but this happens because you didn't call guess(), which would fill in
the defaults.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
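
The call order the replies above converge on (empty configuration, Kerberos required, guess() called, no set_username()), written out as an added example that is not code from anyone in this thread. The names ccache_status and connect_with_ticket are hypothetical, and the /tmp/krb5cc_<uid> fallback is an assumed MIT-style default; the check simply confirms a ticket cache exists before the bind is attempted.

```python
import os


def ccache_status(environ=None, uid=None):
    """Return (usable, detail) for the Kerberos credential cache a bind would use."""
    environ = os.environ if environ is None else environ
    uid = os.getuid() if uid is None else uid
    # Assumption: MIT-style default of /tmp/krb5cc_<uid> when KRB5CCNAME is unset.
    name = environ.get("KRB5CCNAME") or "FILE:/tmp/krb5cc_%d" % uid
    kind, sep, rest = name.partition(":")
    if not sep or kind == "FILE":
        # A bare path with no type prefix is treated as a FILE cache.
        path = rest if sep else name
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            return True, path
        return False, "no ticket cache at %s (run kinit first)" % path
    # DIR:, KEYRING:, KCM: and similar cannot be checked with a stat() call.
    return True, "%s cache, not verified" % kind


def connect_with_ticket(url):
    """Bind to the directory with the ticket from the environment, no password."""
    usable, detail = ccache_status()
    if not usable:
        raise RuntimeError(detail)
    # Imported here so ccache_status() works without Samba's Python bindings.
    from samba.auth import system_session
    from samba.credentials import Credentials, MUST_USE_KERBEROS
    from samba.param import LoadParm
    from samba.samdb import SamDB

    lp = LoadParm()
    lp.load("/dev/null")  # empty configuration, as in the thread
    creds = Credentials()
    creds.set_kerberos_state(MUST_USE_KERBEROS)
    creds.guess(lp)  # fills in defaults; deliberately no set_username() call
    return SamDB(url=url, session_info=system_session(),
                 credentials=creds, lp=lp)


if __name__ == "__main__":
    import sys
    print(connect_with_ticket(sys.argv[1]).domain_dn())
```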