[Samba] Searching samba ldap without authentication

Rowland Penny rowlandpenny at googlemail.com
Mon Feb 2 02:59:41 MST 2015 

On 02/02/15 09:04, Jean-François Morcillo wrote:
> Hello,
>
> I'm writing a set of python scripts that need to consult samba ldap
> database without authentication.
> I've set up 2 machines, the first as PDC, the second as BDC.
> I run my scripts on both and while they run fine on the PDC they end
> with error on the BDC.
> Here is the minimal example that behave this way:
>
> import ldap
> LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"
>
> l = ldap.initialize(LDAP_URI, trace_level=1)
> entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
> print(entries)
>
> it ends with: ldap.OPERATIONS_ERROR: {'info': '00002020: Operation
> unavailable without authentication', 'desc': 'Operations error'}
>
>
> What is very disturbing is that the equivalent using the ldapsearch
> command works well (ldapsearch -x -H
> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
> dc=mon,dc=dom).
>
> I've straced all commands (I could provide the log if required)
> basically here what they showed :
> -There is nearly no difference (nothing significant) between the traces
> of the scripts on the PDC and the DBC.
> -The diff between the trace of the script and the trace of the command
> line tool shows this:
>      - on both side: connect(3, {sa_family=AF_LOCAL,
> sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
>      - then later, only in the script trace: connect(4,
> {sa_family=AF_INET, sin_port=htons(53),
> sin_addr=inet_addr("192.168.100.2")}, 16) = 0
>
> So the reason for the script to end with an error is that it tries to
> connect to the PDC while the command line tool does not do this.
> The question is why do they behave differently and most important how to
> make my script work?
> I've been stuck with this for more than two days so I would really
> appreciate help.
>
> Regards,
>

Hi, just what are you trying to do? why use ldapi ?

If you use 'ldbsearch -H /var/lib/samba/private/sam.ldb' , you will get 
most of the AD objects, but this will only work on the DC, you will need 
to authenticate if you try it from another computer.

Also, you do not have a 'PDC' and a 'BDC', you just have 2 'DC's'

Rowland

More information about the samba mailing list