Why do I get a failed to connect to LDAP URL when using Samba's Ldb Python module?

Richard Sharpe realrichardsharpe at gmail.com
Sun Aug 16 14:43:06 UTC 2015


On Sun, Aug 16, 2015 at 1:47 AM, Rowland Penny <repenny241155 at gmail.com> wrote:
> On 15/08/15 22:52, Richard Sharpe wrote:
>>
>> On Sat, Aug 15, 2015 at 2:32 PM, Rowland Penny <repenny241155 at gmail.com>
>> wrote:
>>>
>>> On 15/08/15 21:40, Richard Sharpe wrote:
>>>>
>>>> On Sat, Aug 15, 2015 at 10:33 AM, Richard Sharpe
>>>> <realrichardsharpe at gmail.com> wrote:
>>>>>
>>>>> On Fri, Aug 14, 2015 at 11:01 PM, Andrew Bartlett <abartlet at samba.org>
>>>>> wrote:
>>>>>>
>>>>>> On Fri, 2015-08-14 at 15:36 -0700, Richard Sharpe wrote:
>>>>>>>
>>>>>>> On Fri, Aug 14, 2015 at 1:59 PM, Richard Sharpe
>>>>>>> <realrichardsharpe at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi folks,
>>>>>>>>
>>>>>>>> I just got this:
>>>>>>>>
>>>>>>>>      >>> from samba import Ldb
>>>>>>>>      >>> ldb_obj = Ldb('ldap://drtnasdcprod01.xxxx.yyyy.eng.someorg.com', credentials=creds)
>>>>>>>>      Failed to connect to ldap URL 'ldap://drtnasdcprod01.xxxx.yyyy.eng.someorg.com' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
>>>>>>>>      Failed to connect to 'ldap://drtnasdcprod01.xxxx.yyyy.eng.someorg.com' with backend 'ldap':(null)
>>>>>>>>      Traceback (most recent call last):
>>>>>>>>        File "<stdin>", line 1, in <module>
>>>>>>>>        File "/usr/lib64/python2.6/site-packages/samba/__init__.py", line 114, in __init__
>>>>>>>>           self.connect(url, flags, options)
>>>>>>>>      _ldb.LdbError: (1, None)
>>>>>>>>
>>>>>>>> It looked so easy ... but wasn't.
>>>>>>>>
>>>>>>>> What have I done wrong?
>>>>>>>
>>>>>>> OK, I seem to have made some progress on this:
>>>>>>>
>>>>>>>      >>> from samba.credentials import DONT_USE_KERBEROS
>>>>>>>      >>> creds = Credentials()
>>>>>>>      >>> creds.set_kerberos_state(DONT_USE_KERBEROS)
>>>>>>>      >>> creds.set_username('administrator')
>>>>>>>      >>> creds.set_password("some-pass")
>>>>>>>      >>> creds.set_forced_sasl_mech("EXTERNAL")
>>>>>>
>>>>>> You probably don't want this line.
>>>>>>
>>>>>>>      >>> ldb_obj = Ldb("ldap://10.4.45.1", credentials=creds)
>>>>>
>>>>> Well, except that when I use the dns name I get
>>>>> NT_STATUS_BAD_NETWORK_NAME.
>>>>>
>>>>> Then I tried this:
>>>>>
>>>>> >>> from samba import param
>>>>> >>> lp = param.LoadParm()
>>>>> >>> lp.load('/dev/null')
>>>>> >>> from samba.credentials import Credentials
>>>>> >>> from samba import Ldb
>>>>> >>> creds=Credentials()
>>>>> >>> creds.set_username('administrator')
>>>>> True
>>>>> >>> creds.set_password('the-real-password')
>>>>> True
>>>>> >>> ldb_obj=Ldb('ldap://10.4.45.1', lp=lp, credentials=creds)
>>>>> Segmentation fault
>>>>>
>>>>> Not very inspiring. I will try to figure out how to do it.
>>>>
>>>> OK, after some time with gdb I now have something that works:
>>>>
>>>>      from samba.credentials import Credentials
>>>>      from samba import param
>>>>      lp = param.LoadParm()
>>>>      lp.load("/dev/null")
>>>>      creds=Credentials()
>>>>      creds.set_username('administrator')
>>>>      creds.set_password('the-real-password')
>>>>      creds.set_domain('WORKGROUP')
>>>>      creds.set_workstation('RICHARD')
>>>>      from samba import Ldb
>>>>      ldb_obj=Ldb('ldap://10.4.45.1', lp=lp, credentials=creds)
>>>>      res=ldb_obj.search(expression='cn=filer-srathi')
>>>>      m = res[0]
>>>>      print "SPNS:"
>>>>      for name in m["servicePrincipalName"]:
>>>>          print name
>>>>      if 'computer' in m["objectClass"]:
>>>>         print "Is a computer"
>>>>
>>>> This is nice. It would be even nicer if things like
>>>> m["servicePrincipalName"] returned a list although I guess I can
>>>> convert it to a list really easily.
>>>>
>>>>
>>> er, now I accept that I am an idiot, but why are you trying to re-invent the wheel ? :-P
>>
>> I was looking for a minimal way to determine if a machine account
>> exists in a domain. The SPN list is simply a by-product of that.
>>
>> As it turns out, using python-ldap seems easier than using Samba's
>> python libraries because it requires installing less stuff on nodes
>> that do not want to be burdened by Samba.
>>
>>
>>> Have you thought of examining 'class cmd_spn_list(Command):' from spn.py
>>> (part of samba-tool) ?
>>
>> I will look at it  ...
>>
>
> OK, so you want a minimalistic way to check for a computer in AD and return
> the SPNs. How about installing ldap-utils (one package) and running this in
> a terminal:
>
> ldapsearch -H ldap://dc1.example.com -b "cn=Computers,dc=example,dc=com" -D Administrator@EXAMPLE.COM -w xxxxxxxxxxxx -L cn=thinkpad | grep 'servicePrincipalName'
>
> Of course, you would need to alter it to match your setup, if it returns
> anything, the computer exists and what it returns is all the SPNs

What I probably failed to say, but implied in earlier comments, is
that we use a lot of Python, so something that takes, say 8 lines of
Python is preferred over something that requires running an external
command.

In this case, python-ldap is very useful because there are other
things we want to query ...

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
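
The machine-account check discussed in this thread, as an added example that is not part of the original post and is not Samba or python-ldap code. It builds the `cn=` filter with RFC 4515 escaping so that a host name taken from input cannot widen the search, and reads the result in the shape python-ldap's `search_s` returns. `FakeConn`, the base DN and the SPN values are constructed for illustration so the block runs offline.

```python
SCOPE_SUBTREE = 2  # numeric value of python-ldap's ldap.SCOPE_SUBTREE


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a name cannot alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def machine_filter(name):
    """Filter matching only a computer object whose cn is exactly `name`."""
    return '(&(objectClass=computer)(cn=%s))' % escape_filter_value(name)


def machine_spns(conn, base_dn, name):
    """Return the machine account's SPNs as a list of str, or None if absent.

    `conn` is any object exposing python-ldap's search_s(base, scope, filter, attrs).
    """
    rows = conn.search_s(base_dn, SCOPE_SUBTREE, machine_filter(name),
                         ['servicePrincipalName'])
    for dn, attrs in rows:
        if dn is None:      # AD returns referrals as (None, [urls]); skip them
            continue
        for key, values in attrs.items():
            if key.lower() == 'serviceprincipalname':
                return [v.decode('utf-8') if isinstance(v, bytes) else v
                        for v in values]
        return []           # the account exists but has no SPNs
    return None


class FakeConn(object):
    """Constructed stand-in for an LDAP connection (sample data, not real output)."""
    REFERRAL = (None, ['ldap://DomainDnsZones.example.com/DC=example,DC=com'])

    def search_s(self, base, scope, filterstr, attrlist):
        if filterstr == machine_filter('filer-srathi'):
            return [('CN=filer-srathi,CN=Computers,DC=example,DC=com',
                     {'servicePrincipalName': [b'HOST/filer-srathi',
                                               b'HOST/filer-srathi.example.com']}),
                    self.REFERRAL]
        return [self.REFERRAL]


if __name__ == '__main__':
    conn = FakeConn()  # live: conn = ldap.initialize(url); conn.simple_bind_s(dn, pw)
    print(machine_spns(conn, 'dc=example,dc=com', 'filer-srathi'))
    print(machine_spns(conn, 'dc=example,dc=com', '*'))  # escaped, so no match
```
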


