[Samba] Searching samba ldap without authentication

Jean-François Morcillo jfmorcillo at mandriva.com
Mon Feb 2 04:01:00 MST 2015

On 02/02/2015 10:59, Rowland Penny wrote:
> On 02/02/15 09:04, Jean-François Morcillo wrote:
>> Hello,
>> I'm writing a set of python scripts that need to consult samba ldap
>> database without authentication.
>> I've set up 2 machines, the first as PDC, the second as BDC.
>> I run my scripts on both and while they run fine on the PDC they end
>> with error on the BDC.
>> Here is the minimal example that behaves this way:
>> import ldap
>> LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"
>> l = ldap.initialize(LDAP_URI, trace_level=1)
>> entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
>> print(entries)
>> it ends with: ldap.OPERATIONS_ERROR: {'info': '00002020: Operation
>> unavailable without authentication', 'desc': 'Operations error'}
>> What is very disturbing is that the equivalent using the ldapsearch
>> command works well (ldapsearch -x -H
>> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
>> dc=mon,dc=dom).
>> I've straced all commands (I could provide the log if required)
>> basically here what they showed :
>> -There is nearly no difference (nothing significant) between the traces
>> of the scripts on the PDC and the BDC.
>> -The diff between the trace of the script and the trace of the command
>> line tool shows this:
>>      - on both side: connect(3, {sa_family=AF_LOCAL,
>> sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
>>      - then later, only in the script trace: connect(4,
>> {sa_family=AF_INET, sin_port=htons(53),
>> sin_addr=inet_addr("")}, 16) = 0
>> So the reason for the script to end with an error is that it tries to
>> connect to the PDC while the command line tool does not do this.
>> The question is why do they behave differently and, most importantly, how to
>> make my script work?
>> I've been stuck with this for more than two days so I would really
>> appreciate help.
>> Regards,
> Hi, just what are you trying to do? Why use ldapi?

I need to monitor the db and sometimes write to it.

> If you use 'ldbsearch -H /var/lib/samba/private/sam.ldb' , you will
> get most of the AD objects, but this will only work on the DC, you
> will need to authenticate if you try it from another computer.

My scripts are run locally, I don't need to interact with another computer.
I think I can't use /var/lib/samba/private/sam.ldb; as far as I
understand I won't be able to modify, for example, the properties of users.

> Also, you do not have a 'PDC' and a 'BDC', you just have 2 'DC's'

Why do you say I don't have a 'PDC' and a 'BDC'?
Do you mean I have misconfigured them or that the distinction is useless?
In the first case I would say: I've set up the PDC using 'samba-tool
domain provision <params>' and I've set up the BDC using 'samba-tool
domain join <params>'.
In the second case I would say that this is the sole difference I see
that could explain the different behaviour; that's why I talked about it.

> Rowland

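Added example (editor's code, not from the thread, Samba or python-ldap). One concrete difference between the two tools in the original post is that ldapsearch -x always sends a simple BindRequest before searching, an anonymous one when no -D is given, whereas python-ldap's search_s() on a freshly initialized connection sends no BindRequest at all. Whether that alone explains the behaviour on the poster's second DC is not settled in the thread, so the script below treats it as an assumption to test: it searches unbound, then after an anonymous simple_bind_s(), then (if a DN and password are supplied) after a bind as that DN, and it decodes Samba's "0000XXXX:" prefix from the error's 'info' field so only the "unavailable without authentication" case (0x2020, the code in the poster's traceback) triggers the next stage. The FakeSambaConn class is a constructed stand-in that encodes that assumption so the script runs offline; the ldapi URI and base DN are the ones from the post and are passed on the command line when python-ldap is available.

```python
"""Staged LDAP search with Samba-style error decoding (added example, not the thread's code)."""
import re
import sys

try:
    import ldap  # python-ldap; optional so the demo also runs offline
except ImportError:
    ldap = None

if ldap is not None:
    OPERATIONS_ERROR = ldap.OPERATIONS_ERROR
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
else:
    class OPERATIONS_ERROR(Exception):
        """Offline stand-in with python-ldap's shape: args[0] is a dict with 'desc' and 'info'."""
    SCOPE_SUBTREE = 2  # same numeric value python-ldap uses

# Samba reports AD-style errors as "0000XXXX: message" in the 'info' field of the LDAPError.
AD_INFO_RE = re.compile(r"^(?P<code>[0-9A-Fa-f]{8}):\s*(?P<msg>.*)$")
ERR_NOT_AUTHENTICATED = 0x2020  # the code in the poster's OPERATIONS_ERROR


def parse_ad_info(info):
    """Split '00002020: Operation unavailable ...' into (0x2020, 'Operation unavailable ...').
    Returns (None, info) when no hex prefix is present."""
    m = AD_INFO_RE.match(info or "")
    if not m:
        return None, info
    return int(m.group("code"), 16), m.group("msg")


def error_code(exc):
    """Samba error code from a python-ldap LDAPError (args[0] is a dict), or None."""
    detail = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
    code, _ = parse_ad_info(detail.get("info", ""))
    return code


def search_staged(conn, base, scope=SCOPE_SUBTREE, filterstr="(objectClass=*)",
                  dn=None, password=None):
    """Try the search unbound (the poster's script), then after an anonymous simple bind
    (what ldapsearch -x does without -D), then after a bind as dn/password if given.
    Returns (stage, entries) with stage in 'unbound', 'anonymous', 'dn'.
    Only the 'unavailable without authentication' error advances to the next stage;
    any other OPERATIONS_ERROR is re-raised unchanged."""
    stages = [("unbound", None), ("anonymous", lambda: conn.simple_bind_s())]
    if dn is not None:
        stages.append(("dn", lambda: conn.simple_bind_s(dn, password)))
    last = None
    for stage, bind in stages:
        if bind is not None:
            bind()
        try:
            return stage, conn.search_s(base, scope, filterstr)
        except OPERATIONS_ERROR as exc:
            if error_code(exc) != ERR_NOT_AUTHENTICATED:
                raise
            last = exc
    raise last


class FakeSambaConn(object):
    """Constructed stand-in for the ldapi connection: refuses searches until some bind
    has happened, reproducing the poster's 00002020 error. This encodes the assumption
    under test, not observed Samba behaviour."""
    def __init__(self):
        self.bound_as = None

    def simple_bind_s(self, who=None, cred=None):
        self.bound_as = who or "anonymous"

    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None, attrsonly=0):
        if self.bound_as is None:
            raise OPERATIONS_ERROR({"desc": "Operations error",
                                    "info": "00002020: Operation unavailable without authentication"})
        return [(base, {"objectClass": [b"top", b"domainDNS"]})]


if __name__ == "__main__":
    # Usage against a real DC (assumed, python-ldap installed):
    #   python staged_search.py ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi dc=mon,dc=dom
    # With no arguments the constructed fake connection is used instead.
    if ldap is not None and len(sys.argv) > 1:
        conn = ldap.initialize(sys.argv[1])
        base = sys.argv[2] if len(sys.argv) > 2 else "dc=mon,dc=dom"
    else:
        conn, base = FakeSambaConn(), "dc=mon,dc=dom"
    stage, entries = search_staged(conn, base)
    print("search succeeded at stage %r with %d entries" % (stage, len(entries)))
```

Running it against the real socket tells you at which stage the server first answers; if it is already 'unbound' on one DC and 'anonymous' on the other, the missing BindRequest is the difference, and if it never succeeds, the failure is somewhere else and the bind hypothesis can be dropped.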