Use of kerberos in python samdb script

Andrew Bartlett abartlet at samba.org
Sun May 12 13:53:36 MDT 2013


On Sun, 2013-05-12 at 16:57 +0200, Gémes Géza wrote:
> 2013-05-12 14:03 keltezéssel, William Brown írta:
> >>>> Trying to use your example in a test script like:
> >>>>
> >>>> lp = LoadParm()
> >>>> lp.load ( '/dev/null' )
> >>>> lp.set( 'netbios name', 'KZSDABAS' )
> >>>> creds = Credentials ()
> >>>> creds.set_username( 'geza' )
> >>> Don't set the username.  Doing so makes us ignore any credentials cache
> >>> from the environment, because we see you forcing a specific username.
> >>>
> >>> That's actually because you didn't set the password, but did set the
> >>> username.  I agree that segfaults are not quite the right error return,
> >>> but this happens because you didn't call guess(), which would fill in
> >>> the defaults.
> >>>
> >>> Andrew Bartlett
> >> lp = LoadParm()
> >> creds = Credentials()
> >> creds.guess(lp)
> >> creds.set_kerberos_state(MUST_USE_KERBEROS)
> >> samdb = SamDB(url='ldap://dc0.kzsdabas.hu',
> >> session_info=system_session(), credentials=creds, lp=lp)
> >> domain_dn = samdb.domain_dn()
> >> print domain_dn
> >> DNSName = samdb.host_dns_name()
> >> print DNSName
> >> res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
> >> expression=("(&(objectClass=computer)(dNSHostName=%s)(userAccountControl:%s:=%u))" % (DNSName, ldb.OID_COMPARATOR_AND, dsdb.UF_SERVER_TRUST_ACCOUNT)),
> >>                                   attrs=["objectGUID"])
> >> GUID=str(ndr_unpack(misc.GUID, res[0].get("objectGUID", idx=0)))
> >> print GUID
> >>
> >>
> >> The only strange thing is, that the above snippet works the same until
> >> samdb.search if I set AUTO_USE_KERBEROS too, but search fails with:
> >> _ldb.LdbError: (1, 'LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> >> Operation unavailable without authentication> <>')
> >>
> >> Cheers
> >>
> >> Geza Gemes
> > With MUST_USE_KERBEROS I get:
> >
> > Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> > Failed to connect to 'ldap://lillie.ad.example.com' with backend 'ldap':
> > (null)
> > Traceback (most recent call last):
> >    File "ldbexample.py", line 18, in <module>
> >      samdb = SamDB(url='ldap://lillie.ad.example.com',
> > session_info=system_session(), credentials=creds, lp=lp)
> >    File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line
> > 56, in __init__
> >      options=options)
> >    File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py",
> > line 114, in __init__
> >      self.connect(url, flags, options)
> >    File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line
> > 71, in connect
> >      options=options)
> > _ldb.LdbError: (1, None)
> >
> >
> > With AUTO_USE_KERBEROS I get:
> >
> >
> > Traceback (most recent call last):
> >    File "ldbexample.py", line 23, in <module>
> >      res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
> > expression='(cn=William)', attrs=["cn", "uid", "gid"] )
> > _ldb.LdbError: (1, 'LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: Operation
> > unavailable without authentication> <>')
> >
> > My script is:
> >
> >
> > import sys
> > sys.path.append('/usr/local/samba/lib64/python2.7/site-packages')
> >
> > from samba.samdb import SamDB
> > from samba import ldb
> > from samba.param import LoadParm
> > from samba.auth import system_session
> > from samba.credentials import Credentials, AUTO_USE_KERBEROS, MUST_USE_KERBEROS
> >
> > lp = LoadParm()
> > creds = Credentials()
> > creds.guess(lp)
> > creds.set_kerberos_state(MUST_USE_KERBEROS)
> >
> > samdb = SamDB(url='ldap://lillie.ad.example.com',
> > session_info=system_session(), credentials=creds, lp=lp)
> >
> > print(samdb.domain_dn())
> >
> > res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
> > expression='(cn=William)', attrs=["cn", "uid", "gid"] )
> > print(dir(res))
> >
> >
> >
> >
> > The site packages here is pointing at my 4.0.5 install btw. Again, I have
> > checked that with ldapsearch -Y GSSAPI I have a valid and working krb5 ticket.
> > Setting the script to be the following has no effect on the outcome:
> >
> > lp = LoadParm()
> > lp.load('/dev/null')
> >
> >
> > Any further ideas would be welcome.
> >
> I'm out of ideas, your script (adapted to my domain) works for me (on 
> debian wheezy).

Is the change possibly that you dropped the set_username() (which is
required to be removed)?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
