Use of kerberos in python samdb script

Gémes Géza geza at kzsdabas.hu
Sun May 12 04:55:16 MDT 2013


Thank you!

That works like a charm.

Posting a working snippet, as a working example at the end:
> On Sun, 2013-05-12 at 10:45 +0200, Gémes Géza wrote:
>> On 2013-05-12 07:57, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> On Sun, May 12, 2013 at 3:13 AM, William Brown <
>>> william.e.brown at adelaide.edu.au> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am attempting to write a python script using the samba.samdb SamDB
>>>> module. I
>>>> am attempting to authenticate via kerberos with this.
>>>>
>>>> My script is:
>>>>
>>>> #WARNING - This requires you to erase samba-python and samba-dc on fedora!!!!
>>>> import sys
>>>> sys.path.append('/opt/samba4/lib64/python2.7/site-packages')
>>>>
>>>> from samba.samdb import SamDB
>>>> from samba import ldb
>>>> from samba.param import LoadParm
>>>> from samba.auth import system_session
>>>> from samba.credentials import Credentials, AUTO_USE_KERBEROS, MUST_USE_KERBEROS
>>>>
>>>> import getpass
>>>>
>>>> lp = LoadParm()
>>>> creds = Credentials()
>>>> creds.guess(lp)
>>>> creds.set_username('william')
>>>> creds.set_kerberos_state(AUTO_USE_KERBEROS)
>>>> #creds.set_password(getpass.getpass('Samba password #'))
>>>>
>>> The Credentials object makes its decision based on LoadParm content. Some of
>>> the functions LoadParm uses internally make Credentials believe smb.conf
>>> values were overridden from the command line and always resort to using a
>>> password. This is, in particular, related to workgroup and realm values. The
>>> easiest way is to have an empty smb.conf as LoadParm. Here is what I use in
>>> FreeIPA's code:
>>> ....
>>>               self._parm = param.LoadParm()
>>>               self._parm.load(os.path.join(ipautil.SHARE_DIR,"smb.conf.empty"))
>>>               self._parm.set('netbios name', self.flatname)
>>>               self._creds = credentials.Credentials()
>>>               self._creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
>>>               self._creds.guess(self._parm)
>>>               self._creds.set_workstation(self.flatname)
>>>
>>>
>> Trying to use your example in a test script like:
>>
>> lp = LoadParm()
>> lp.load ( '/dev/null' )
>> lp.set( 'netbios name', 'KZSDABAS' )
>> creds = Credentials ()
>> creds.set_username( 'geza' )
> Don't set the username.  Doing so makes us ignore any credentials cache
> from the environment, because we see you forcing a specific username.
>
> That's actually because you didn't set the password, but did set the
> username.  I agree that segfaults are not quite the right error return,
> but this happens because you didn't call guess(), which would fill in
> the defaults.
>
> Andrew Bartlett
>
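# Imports the snippet relies on (samba Python bindings).
import ldb
from samba import dsdb
from samba.auth import system_session
from samba.credentials import Credentials, MUST_USE_KERBEROS
from samba.dcerpc import misc
from samba.ndr import ndr_unpack
from samba.param import LoadParm
from samba.samdb import SamDB

lp = LoadParm()
creds = Credentials()
# guess() fills in the defaults; no username is set, so the credentials
# cache from the environment is used.
creds.guess(lp)
creds.set_kerberos_state(MUST_USE_KERBEROS)
samdb = SamDB(url='ldap://dc0.kzsdabas.hu', session_info=system_session(),
              credentials=creds, lp=lp)
domain_dn = samdb.domain_dn()
print(domain_dn)
DNSName = samdb.host_dns_name()
print(DNSName)
# Look up the computer object whose userAccountControl has UF_SERVER_TRUST_ACCOUNT set.
res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
                   expression=("(&(objectClass=computer)(dNSHostName=%s)(userAccountControl:%s:=%u))"
                               % (DNSName, ldb.OID_COMPARATOR_AND, dsdb.UF_SERVER_TRUST_ACCOUNT)),
                   attrs=["objectGUID"])
GUID = str(ndr_unpack(misc.GUID, res[0].get("objectGUID", idx=0)))
print(GUID)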


The only strange thing is that the above snippet works the same until
samdb.search if I set AUTO_USE_KERBEROS too, but search fails with:
_ldb.LdbError: (1, 'LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>')

Cheers

Geza Gemes
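
A pre-flight check for the credentials cache "from the environment" that the thread relies on, written as an added example that is not from the thread, Samba or FreeIPA: it inspects the cache a script would pick up before it binds with MUST_USE_KERBEROS and reports why the cache looks unusable. The function name ccache_problems, the default path /tmp/krb5cc_<uid> and the ownership and permission policy are assumptions; ticket expiry is not checked.

```python
import os
import stat
import sys


def ccache_problems(environ=None, uid=None):
    """Return reasons the Kerberos credentials cache looks unusable ([] = fine)."""
    environ = os.environ if environ is None else environ
    uid = os.getuid() if uid is None else uid
    # Assumption: with KRB5CCNAME unset the library default is /tmp/krb5cc_<uid>.
    name = environ.get("KRB5CCNAME") or "FILE:/tmp/krb5cc_%d" % uid
    kind, sep, residual = name.partition(":")
    if not sep or kind.startswith("/"):
        kind, residual = "FILE", name  # a bare path is a FILE cache
    if kind.upper() != "FILE":
        # KEYRING:, KCM:, DIR: and similar are not a single inspectable file.
        return ["%s cache cannot be inspected here, check it with 'klist -s'" % kind]
    try:
        st = os.lstat(residual)  # lstat: a symlink is reported, not followed
    except OSError:
        return ["no credentials cache at %s, run kinit first" % residual]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % residual)
    if st.st_uid != uid:
        problems.append("%s is owned by uid %d, not %d" % (residual, st.st_uid, uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is accessible to group or others (mode %o)"
                        % (residual, stat.S_IMODE(st.st_mode)))
    if st.st_size == 0:
        problems.append("%s is empty" % residual)
    return problems


if __name__ == "__main__":
    found = ccache_problems()
    for line in found:
        sys.stderr.write("ccache check: %s\n" % line)
    # Fail closed: do not go on to build Credentials and bind.
    sys.exit(1 if found else 0)
```

Running it ahead of the SamDB connection turns a missing or misowned cache into an explicit error at start-up instead of an LDAP_OPERATIONS_ERROR on the first search.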

