Use of kerberos in python samdb script

Gémes Géza geza at kzsdabas.hu
Sun May 12 13:06:16 MDT 2013


On 2013-05-12 14:03, William Brown wrote:
>>>> Trying to use your example in a test script like:
>>>>
>>>> lp = LoadParm()
>>>> lp.load ( '/dev/null' )
>>>> lp.set( 'netbios name', 'KZSDABAS' )
>>>> creds = Credentials ()
>>>> creds.set_username( 'geza' )
>>> Don't set the username.  Doing so makes us ignore any credentials cache
>>> from the environment, because we see you forcing a specific username.
>>>
>>> That's actually because you didn't set the password, but did set the
>>> username.  I agree that segfaults are not quite the right error return,
>>> but this happens because you didn't call guess(), which would fill in
>>> the defaults.
>>>
>>> Andrew Bartlett
>> lp = LoadParm()
>> creds = Credentials()
>> creds.guess(lp)
>> creds.set_kerberos_state(MUST_USE_KERBEROS)
>> samdb = SamDB(url='ldap://dc0.kzsdabas.hu',
>> session_info=system_session(), credentials=creds, lp=lp)
>> domain_dn = samdb.domain_dn()
>> print domain_dn
>> DNSName = samdb.host_dns_name()
>> print DNSName
>> res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
>> expression=("(&(objectClass=computer)(dNSHostName=%s)(userAccountControl:%s:=%u))" % (DNSName, ldb.OID_COMPARATOR_AND, dsdb.UF_SERVER_TRUST_ACCOUNT)),
>>                                   attrs=["objectGUID"])
>> GUID=str(ndr_unpack(misc.GUID, res[0].get("objectGUID", idx=0)))
>> print GUID
>>
>>
>> The only strange thing is that the above snippet works the same until
>> samdb.search if I set AUTO_USE_KERBEROS too, but search fails with:
>> _ldb.LdbError: (1, 'LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
>> Operation unavailable without authentication> <>')
>>
>> Cheers
>>
>> Geza Gemes
> With MUST_USE_KERBEROS I get:
>
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://lillie.ad.example.com' with backend 'ldap':
> (null)
> Traceback (most recent call last):
>    File "ldbexample.py", line 18, in <module>
>      samdb = SamDB(url='ldap://lillie.ad.example.com',
> session_info=system_session(), credentials=creds, lp=lp)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line
> 56, in __init__
>      options=options)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py",
> line 114, in __init__
>      self.connect(url, flags, options)
>    File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line
> 71, in connect
>      options=options)
> _ldb.LdbError: (1, None)
>
>
> With AUTO_USE_KERBEROS I get:
>
>
> Traceback (most recent call last):
>    File "ldbexample.py", line 23, in <module>
>      res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
> expression='(cn=William)', attrs=["cn", "uid", "gid"] )
> _ldb.LdbError: (1, 'LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: Operation
> unavailable without authentication> <>')
>
> My script is:
>
>
> import sys
> sys.path.append('/usr/local/samba/lib64/python2.7/site-packages')
>
> from samba.samdb import SamDB
> from samba import ldb
> from samba.param import LoadParm
> from samba.auth import system_session
> from samba.credentials import Credentials, AUTO_USE_KERBEROS, MUST_USE_KERBEROS
>
> lp = LoadParm()
> creds = Credentials()
> creds.guess(lp)
> creds.set_kerberos_state(MUST_USE_KERBEROS)
>
> samdb = SamDB(url='ldap://lillie.ad.example.com',
> session_info=system_session(), credentials=creds, lp=lp)
>
> print(samdb.domain_dn())
>
> res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
> expression='(cn=William)', attrs=["cn", "uid", "gid"] )
> print(dir(res))
>
>
>
>
> The site packages here is pointing at my 4.0.5 install btw. Again, I have
> checked that with ldapsearch -Y GSSAPI I have a valid and working krb5 ticket.
> Setting the script to be the following has no effect on the outcome:
>
> lp = LoadParm()
> lp.load('/dev/null')
>
>
> Any further ideas would be welcome.
>
One more idea: please try to change 
sys.path.append('/usr/local/samba/lib64/python2.7/site-packages') into 
sys.path.insert(0,'/usr/local/samba/lib64/python2.7/site-packages')
just in case you have samba packages of different origin around.

Regards

Geza Gemes
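
The import-order point in the suggestion above, as an added example (not code from this thread or from Samba): it shows that `sys.path.append` leaves an earlier copy of a package in control while `sys.path.insert(0, ...)` selects the intended one, and checks the loaded module's `__file__` to confirm which copy was used. The name `demo_dirsvc` is a hypothetical stand-in for the `samba` package, and the two directories are constructed in a temporary location to mimic a distribution install and a local build.

```python
import importlib
import os
import sys
import tempfile

MODULE = "demo_dirsvc"  # hypothetical stand-in for the 'samba' package

def make_tree(root, origin):
    """Create <root>/<origin>/demo_dirsvc/__init__.py recording its origin."""
    site_dir = os.path.join(root, origin)
    os.makedirs(os.path.join(site_dir, MODULE))
    with open(os.path.join(site_dir, MODULE, "__init__.py"), "w") as fh:
        fh.write("ORIGIN = %r\n" % origin)
    return site_dir

def resolve(first_on_path, wanted, use_insert):
    """Import MODULE with `first_on_path` already on sys.path and `wanted`
    added by append or insert(0); return (ORIGIN, loaded_from_wanted)."""
    saved = list(sys.path)
    sys.modules.pop(MODULE, None)
    try:
        sys.path.insert(0, first_on_path)   # constructed: packages already installed
        if use_insert:
            sys.path.insert(0, wanted)      # searched before everything else
        else:
            sys.path.append(wanted)         # searched only if nothing earlier matches
        importlib.invalidate_caches()
        mod = importlib.import_module(MODULE)
        # The check worth keeping in a real script: where did the module come from?
        loaded_dir = os.path.realpath(os.path.dirname(mod.__file__))
        ok = loaded_dir.startswith(os.path.realpath(wanted) + os.sep)
        return mod.ORIGIN, ok
    finally:
        sys.path[:] = saved
        sys.modules.pop(MODULE, None)

def demo():
    with tempfile.TemporaryDirectory() as root:
        distro = make_tree(root, "distro")
        local = make_tree(root, "local_build")
        return {
            "append": resolve(distro, local, use_insert=False),
            "insert": resolve(distro, local, use_insert=True),
        }

if __name__ == "__main__":
    for how, (origin, ok) in demo().items():
        print("%-6s -> loaded from %-11s intended copy: %s" % (how, origin, ok))
```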

