Use of kerberos in python samdb script

Gémes Géza geza at kzsdabas.hu
Sun May 12 16:32:37 MDT 2013


On 2013-05-12 21:53, Andrew Bartlett wrote:
> On Sun, 2013-05-12 at 16:57 +0200, Gémes Géza wrote:
>> On 2013-05-12 14:03, William Brown wrote:
>>>>>> Trying to use your example in a test script like:
>>>>>>
>>>>>> lp = LoadParm()
>>>>>> lp.load ( '/dev/null' )
>>>>>> lp.set( 'netbios name', 'KZSDABAS' )
>>>>>> creds = Credentials ()
>>>>>> creds.set_username( 'geza' )
>>>>> Don't set the username.  Doing so makes us ignore any credentials cache
>>>>> from the environment, because we see you forcing a specific username.
>>>>>
>>>>> That's actually because you didn't set the password, but did set the
>>>>> username.  I agree that segfaults are not quite the right error return,
>>>>> but this happens because you didn't call guess(), which would fill in
>>>>> the defaults.
>>>>>
>>>>> Andrew Bartlett
>>>> lp = LoadParm()
>>>> creds = Credentials()
>>>> creds.guess(lp)
>>>> creds.set_kerberos_state(MUST_USE_KERBEROS)
>>>> samdb = SamDB(url='ldap://dc0.kzsdabas.hu',
>>>> session_info=system_session(), credentials=creds, lp=lp)
>>>> domain_dn = samdb.domain_dn()
>>>> print domain_dn
>>>> DNSName = samdb.host_dns_name()
>>>> print DNSName
>>>> res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
>>>> expression=("(&(objectClass=computer)(dNSHostName=%s)(userAccountControl:%s:
>>>> =%u))" % (DNSName, ldb.OID_COMPARATOR_AND, dsdb.UF_SERVER_TRUST_ACCOUNT)),
>>>>                                    attrs=["objectGUID"])
>>>> GUID=str(ndr_unpack(misc.GUID, res[0].get("objectGUID", idx=0)))
>>>> print GUID
>>>>
>>>>
>>>> The only strange thing is, that the above snippet works the same until
>>>> samdb.search if I set AUTO_USE_KERBEROS too, but search fails with:
>>>> _ldb.LdbError: (1, 'LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
>>>> Operation unavailable without authentication> <>')
>>>>
>>>> Cheers
>>>>
>>>> Geza Gemes
>>> With MUST_USE_KERBEROS I get:
>>>
>>> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>>> Failed to connect to 'ldap://lillie.ad.example.com' with backend 'ldap':
>>> (null)
>>> Traceback (most recent call last):
>>>     File "ldbexample.py", line 18, in <module>
>>>       samdb = SamDB(url='ldap://lillie.ad.example.com',
>>> session_info=system_session(), credentials=creds, lp=lp)
>>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line
>>> 56, in __init__
>>>       options=options)
>>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py",
>>> line 114, in __init__
>>>       self.connect(url, flags, options)
>>>     File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line
>>> 71, in connect
>>>       options=options)
>>> _ldb.LdbError: (1, None)
>>>
>>>
>>> With AUTO_USE_KERBEROS I get:
>>>
>>>
>>> Traceback (most recent call last):
>>>     File "ldbexample.py", line 23, in <module>
>>>       res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
>>> expression='(cn=William)', attrs=["cn", "uid", "gid"] )
>>> _ldb.LdbError: (1, 'LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: Operation
>>> unavailable without authentication> <>')
>>>
>>> My script is:
>>>
>>>
>>> import sys
>>> sys.path.append('/usr/local/samba/lib64/python2.7/site-packages')
>>>
>>> from samba.samdb import SamDB
>>> from samba import ldb
>>> from samba.param import LoadParm
>>> from samba.auth import system_session
>>> from samba.credentials import Credentials, AUTO_USE_KERBEROS, MUST_USE_KERBEROS
>>>
>>> lp = LoadParm()
>>> creds = Credentials()
>>> creds.guess(lp)
>>> creds.set_kerberos_state(MUST_USE_KERBEROS)
>>>
>>> samdb = SamDB(url='ldap://lillie.ad.example.com',
>>> session_info=system_session(), credentials=creds, lp=lp)
>>>
>>> print(samdb.domain_dn())
>>>
>>> res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
>>> expression='(cn=William)', attrs=["cn", "uid", "gid"] )
>>> print(dir(res))
>>>
>>>
>>>
>>>
>>> The site packages here is pointing at my 4.0.5 install btw. Again, I have
>>> checked that with ldapsearch -Y GSSAPI I have a valid and working krb5 ticket.
>>> Setting the script to be the following has no effect on the outcome:
>>>
>>> lp = LoadParm()
>>> lp.load('/dev/null')
>>>
>>>
>>> Any further ideas would be welcome.
>>>
>> I'm out of ideas, your script (adapted to my domain) works for me (on
>> debian wheezy).
> Is the change possibly that you dropped the set_username() (which is
> required to be removed)?
>
> Andrew Bartlett
>
William's script doesn't have set_username either; it is working with my 
domain (on Debian wheezy) and not with his. The only thing I can think 
of is that he has multiple samba python libs in his PYTHONPATH.

Regards

Geza Gemes
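The pattern the thread converged on (no set_username(), creds.guess() to pick up the environment's credentials cache, then MUST_USE_KERBEROS), with a small helper that maps the two LdbError shapes quoted above to a diagnosis. This is an added example, not code from the thread or from Samba; it assumes the samba Python bindings are importable, and the error-to-diagnosis mapping is constructed from the messages in this thread only.

```python
"""Kerberos-only SamDB connection plus a diagnosis of the errors seen in the thread."""

# NT status code quoted in the thread for a bind that fell back to anonymous.
UNAUTH_CODE = "00002020"


def build_kerberos_creds(lp, force_kerberos=True):
    """Credentials that use the caller's krb5 ccache, never a typed username."""
    # Lazy import so classify_ldb_error() below works without samba installed.
    from samba.credentials import Credentials, MUST_USE_KERBEROS, AUTO_USE_KERBEROS
    creds = Credentials()
    # guess() fills username/realm/ccache from the environment.  Calling
    # set_username() instead makes Samba ignore the ccache, and without a
    # password (and without guess()) the thread reports a segfault.
    creds.guess(lp)
    creds.set_kerberos_state(MUST_USE_KERBEROS if force_kerberos else AUTO_USE_KERBEROS)
    return creds


def connect_samdb(url):
    """Open a SamDB over LDAP with Kerberos only; raises _ldb.LdbError on failure."""
    from samba.param import LoadParm
    from samba.auth import system_session
    from samba.samdb import SamDB
    lp = LoadParm()
    creds = build_kerberos_creds(lp)
    return SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)


def classify_ldb_error(err_args):
    """Map an _ldb.LdbError's args tuple to a short diagnosis (constructed mapping)."""
    code = err_args[0]
    msg = err_args[1] or ""
    if UNAUTH_CODE in msg:
        # AUTO_USE_KERBEROS case in the thread: connect succeeded, bind was anonymous.
        return "anonymous bind: Kerberos was not used; check klist and the kerberos state"
    if code == 1 and msg == "":
        # MUST_USE_KERBEROS case in William's trace: client-side bind failure, no LDAP text.
        return "bind failed inside the LDAP client: verify guess() ran and no set_username()"
    return "unclassified ldb error %d: %s" % (code, msg)


if __name__ == "__main__":
    # Placeholder DC name; replace with your own domain controller.
    try:
        samdb = connect_samdb("ldap://dc.example.invalid")
        print(samdb.domain_dn())
    except Exception as exc:  # _ldb.LdbError carries a (code, message) args tuple
        print(classify_ldb_error(exc.args) if len(exc.args) == 2 else exc)
```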

