Why do I get a failed to connect to LDAP URL when using Samba's Ldb Python module?

Andrew Bartlett abartlet at samba.org
Sun Aug 16 22:23:11 UTC 2015


On Sun, 2015-08-16 at 07:43 -0700, Richard Sharpe wrote:
> On Sun, Aug 16, 2015 at 1:47 AM, Rowland Penny <repenny241155 at gmail.com> wrote:
> > On 15/08/15 22:52, Richard Sharpe wrote:
> > > 
> > > On Sat, Aug 15, 2015 at 2:32 PM, Rowland Penny <repenny241155 at gmail.com> wrote:
> > > > 
> > > > On 15/08/15 21:40, Richard Sharpe wrote:
> > > > > 
> > > > > On Sat, Aug 15, 2015 at 10:33 AM, Richard Sharpe
> > > > > <realrichardsharpe at gmail.com> wrote:
> > > > > > 
> > > > > > On Fri, Aug 14, 2015 at 11:01 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> > > > > > > 
> > > > > > > On Fri, 2015-08-14 at 15:36 -0700, Richard Sharpe wrote:
> > > > > > > > 
> > > > > > > > On Fri, Aug 14, 2015 at 1:59 PM, Richard Sharpe
> > > > > > > > <realrichardsharpe at gmail.com> wrote:
> > > > > > > > > 
> > > > > > > > > Hi folks,
> > > > > > > > > 
> > > > > > > > > I just got this:
> > > > > > > > > 
> > > > > > > > >      >>> from samba import Ldb
> > > > > > > > > >      >>> ldb_obj = Ldb('ldap://drtnasdcprod01.xxxx.yyyy.eng.someorg.com', credentials=creds)
> > > > > > > > > >      Failed to connect to ldap URL 'ldap://drtnasdcprod01.xxxx.yyyy.eng.someorg.com' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
> > > > > > > > > >      Failed to connect to 'ldap://drtnasdcprod01.xxxx.yyyy.eng.someorg.com' with backend 'ldap':(null)
> > > > > > > > > >      Traceback (most recent call last):
> > > > > > > > > >        File "<stdin>", line 1, in <module>
> > > > > > > > > >        File "/usr/lib64/python2.6/site-packages/samba/__init__.py", line 114, in __init__
> > > > > > > > > >           self.connect(url, flags, options)
> > > > > > > > > >      _ldb.LdbError: (1, None)
> > > > > > > > > 
> > > > > > > > > It looked so easy ... but wasn't.
> > > > > > > > > 
> > > > > > > > > What have I done wrong?
> > > > > > > > 
> > > > > > > > OK, I seem to have made some progress on this:
> > > > > > > > 
> > > > > > > > >      >>> from samba.credentials import DONT_USE_KERBEROS
> > > > > > > >      >>> creds = Credentials()
> > > > > > > >      >>> creds.set_kerberos_state(DONT_USE_KERBEROS)
> > > > > > > >      >>> creds.set_username('administrator')
> > > > > > > >      >>> creds.set_password("some-pass")
> > > > > > > >      >>> creds.set_forced_sasl_mech("EXTERNAL")
> > > > > > > 
> > > > > > > You probably don't want this line.
> > > > > > > 
> > > > > > > > >      >>> ldb_obj = Ldb("ldap://10.4.45.1", credentials=creds)
> > > > > > 
> > > > > > Well, except that when I use the dns name I get
> > > > > > NT_STATUS_BAD_NETWORK_NAME.
> > > > > > 
> > > > > > Then I tried this:
> > > > > > 
> > > > > > >>> from samba import param
> > > > > > >>> lp = param.LoadParm()
> > > > > > >>> lp.load('/dev/null')
> > > > > > >>> from samba.credentials import Credentials
> > > > > > >>> from samba import Ldb
> > > > > > >>> creds=Credentials()
> > > > > > >>> creds.set_username('administrator')
> > > > > > True
> > > > > > >>> creds.set_password('the-real-password')
> > > > > > True
> > > > > > >>> ldb_obj=Ldb('ldap://10.4.45.1', lp=lp, credentials=creds)
> > > > > > Segmentation fault
> > > > > > 
> > > > > > Not very inspiring. I will try to figure out how to do it.
> > > > > 
> > > > > OK, after some time with gdb I now have something that works:
> > > > > 
> > > > >      from samba.credentials import Credentials
> > > > >      from samba import param
> > > > >      lp = param.LoadParm()
> > > > >      lp.load("/dev/null")
> > > > >      creds=Credentials()
> > > > >      creds.set_username('administrator')
> > > > >      creds.set_password('the-real-password')
> > > > >      creds.set_domain('WORKGROUP')
> > > > >      creds.set_workstation('RICHARD')
> > > > >      from samba import Ldb
> > > > > >      ldb_obj=Ldb('ldap://10.4.45.1', lp=lp, credentials=creds)
> > > > >      res=ldb_obj.search(expression='cn=filer-srathi')
> > > > >      m = res[0]
> > > > >      print "SPNS:"
> > > > >      for name in m["servicePrincipalName"]:
> > > > >          print name
> > > > >      if 'computer' in m["objectClass"]:
> > > > >         print "Is a computer"
> > > > > 
> > > > > > This is nice. It would be even nicer if things like
> > > > > > m["servicePrincipalName"] returned a list although I guess I can
> > > > > > convert it to a list really easily.
> > > > > 
> > > > > 
> > > > > er, now I accept that I am an idiot, but why are you trying to
> > > > > re-invent the wheel ? :-P
> > > 
> > > I was looking for a minimal way to determine if a machine account
> > > exists in a domain. The SPN list is simply a by-product of that.
> > > 
> > > > As it turns out, using python-ldap seems easier than using Samba's
> > > > python libraries because it requires installing less stuff on nodes
> > > > that do not want to be burdened by Samba.
> > > 
> > > 
> > > > > Have you thought of examining 'class cmd_spn_list(Command):' from
> > > > > spn.py (part of samba-tool) ?
> > > 
> > > I will look at it  ...
> > > 
> > 
> > OK, so you want a minimalistic way to check for a computer in AD and
> > return the SPNs. How about installing ldap-utils (one package) and
> > running this in a terminal:
> > 
> > ldapsearch -H ldap://dc1.example.com -b "cn=Computers,dc=example,dc=com" -D Administrator@EXAMPLE.COM -w xxxxxxxxxxxx -L cn=thinkpad | grep 'servicePrincipalName'
> > 
> > Of course, you would need to alter it to match your setup, if it
> > returns anything, the computer exists and what it returns is all the
> > SPNs
> 
> What I probably failed to say, but implied in earlier comments, is
> that we use a lot of Python, so something that takes, say 8 lines of
> Python is preferred over something that requires running an external
> command.

Ideally the logic parts of the samba-tool commands, where sensible,
should become methods on python/samba/samdb.py and therefore easily
accessed from your scripts and our tools.

It also makes these things much easier to unit test.

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
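
Added example, not part of the original message and not Samba code: the machine-account check from this thread written as a small function that can be unit tested without a domain controller, with the host name escaped before it is placed in the search filter. The names `escape_filter_value`, `machine_account_spns` and `FakeDirectory` are hypothetical, and `search` is assumed to be any callable shaped like `Ldb.search(expression=..., attrs=[...])` that returns mapping-like entries.

```python
# Added example; not Samba code. Names here are hypothetical.

def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def machine_account_spns(search, hostname):
    """Return the account's SPNs as a list of str, or None if no such computer.

    `search` is assumed to behave like Ldb.search(expression=..., attrs=[...])
    and to return a sequence of mapping-like entries.
    """
    expr = '(&(objectClass=computer)(cn=%s))' % escape_filter_value(hostname)
    res = search(expression=expr, attrs=['servicePrincipalName'])
    if len(res) == 0:
        return None
    entry = res[0]
    if 'servicePrincipalName' not in entry:
        return []  # account exists but has no SPNs registered
    return [v.decode('utf-8') if isinstance(v, bytes) else str(v)
            for v in entry['servicePrincipalName']]


class FakeDirectory(object):
    """Constructed stand-in for a domain controller, for tests only."""

    def __init__(self, entries):
        self.entries = entries  # maps filter expression -> list of entries
        self.seen = []          # every filter the code under test sent

    def search(self, expression=None, attrs=None):
        self.seen.append(expression)
        return self.entries.get(expression, [])


if __name__ == '__main__':
    fake = FakeDirectory({
        '(&(objectClass=computer)(cn=filer-srathi))': [
            {'servicePrincipalName': [b'HOST/filer-srathi']},  # constructed
        ],
    })
    print(machine_account_spns(fake.search, 'filer-srathi'))
    print(machine_account_spns(fake.search, 'no-such-host'))
```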
