[Samba] Searching samba ldap without authentication

Rowland Penny rowlandpenny at googlemail.com
Mon Feb 2 04:20:21 MST 2015

On 02/02/15 11:01, Jean-François Morcillo wrote:
> Le 02/02/2015 10:59, Rowland Penny a écrit :
>> On 02/02/15 09:04, Jean-François Morcillo wrote:
>>> Hello,
>>> I'm writing a set of python scripts that need to consult samba ldap
>>> database without authentication.
>>> I've set up 2 machines, the first as PDC, the second as BDC.
>>> I run my scripts on both and while they run fine on the PDC they end
>>> with error on the BDC.
>>> Here is the minimal example that behaves this way:
>>> import ldap
>>> LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"
>>> l = ldap.initialize(LDAP_URI, trace_level=1)
>>> entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)
>>> print(entries)
>>> it ends with: ldap.OPERATIONS_ERROR: {'info': '00002020: Operation
>>> unavailable without authentication', 'desc': 'Operations error'}
>>> What is very disturbing is that the equivalent using the ldapsearch
>>> command works well (ldapsearch -x -H
>>> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
>>> dc=mon,dc=dom).
>>> I've straced all commands (I could provide the log if required)
>>> basically here what they showed :
>>> -There is nearly no difference (nothing significant) between the traces
>>> of the scripts on the PDC and the BDC.
>>> -The diff between the trace of the script and the trace of the command
>>> line tool shows this:
>>>       - on both side: connect(3, {sa_family=AF_LOCAL,
>>> sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
>>>       - then later, only in the script trace: connect(4,
>>> {sa_family=AF_INET, sin_port=htons(53),
>>> sin_addr=inet_addr("")}, 16) = 0
>>> So the reason for the script to end with an error is that it tries to
>>> connect to the PDC while the command line tool does not do this.
>>> The question is why do they behave differently and most important how to
>>> make my script work?
>>> I've been stuck with this for more than two days so I would really
>>> appreciate help.
>>> Regards,
>> Hi, just what are you trying to do? Why use ldapi?
> I need to monitor the db and sometimes write to it.
>> If you use 'ldbsearch -H /var/lib/samba/private/sam.ldb' , you will
>> get most of the AD objects, but this will only work on the DC, you
>> will need to authenticate if you try it from another computer.
> My scripts are run locally, I don't need to interact with another computer.
> I think I can't use /var/lib/samba/private/sam.ldb, as far as I
> understand I won't be able to modify, for example, the properties of users.

Well, seeing as all the user properties are stored in sam.ldb and 
*everybody* else modifies this when needed, this leads me to believe that you 
need to go and do a lot more reading on samba4 in AD mode; the samba 
wiki would be a good place to start.

From your email address, I have a sinking feeling that Mandriva has 
arrived at the Samba4 party :-D

>> Also, you do not have a 'PDC' and a 'BDC', you just have 2 'DC's'
> Why do you say I don't have a 'PDC' and a 'BDC'?
> Do you mean I have misconfigured them or that the distinction is useless?
> In the first case I would say: I've set up the PDC using 'samba-tool
> domain provision <params>' and I've set up the BDC using 'samba-tool
> domain join <params>'.
> In the second case I would say that this is the sole difference I see
> that could explain the different behaviour; that's why I talked about it.

PDC = NT4 style domain controller
BDC = NT4 style backup domain controller

Provisioning Samba4 with samba-tool = AD DC
joining Samba4 to another AD DC with samba-tool = another AD DC

Apart from the FSMO roles, *all* AD DC's are equal. Please do not refer 
to your AD DC's as NT4 PDC's or NT4 BDC's, this will only lead to confusion.
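The two observable differences in the original post are the ldapi URI (the socket path has to be percent-encoded, which is why both the script and the ldapsearch command carry `%2f`/`%2F` for every slash) and the fact that `ldapsearch -x` sends an anonymous simple bind before searching while the script sends no bind request at all; the extra `connect()` to port 53 in the script's strace is a DNS lookup. The following helpers are an added example, not code from this thread or from Samba: they build and decode the ldapi URI, split python-ldap's AD-style `info` string (`00002020: ...`) into its hex code and message, and run the poster's search with the bind made explicit. The function names are ours; that an explicit anonymous bind alone changes the outcome on the second DC is an assumption the thread does not settle.

```python
"""Helpers for the ldapi / python-ldap situation discussed in the thread.

Added example; not code from the thread or from Samba.  The socket path,
base DN and the '00002020: ...' error text are taken from the thread;
function names and the explicit anonymous bind are our own assumptions.
"""
import re
from urllib.parse import quote, unquote

# Privileged Samba ldapi socket, as quoted in the thread.
SAMBA_LDAPI_SOCKET = "/var/lib/samba/private/ldap_priv/ldapi"

# AD-style diagnostic string: 8 hex digits, colon, space, free text.
_AD_INFO_RE = re.compile(r"^([0-9A-Fa-f]{8}): (.*)$")


def ldapi_uri(socket_path: str) -> str:
    """Build an ldapi:// URI.  safe='' makes quote() encode the slashes too;
    an unencoded '/' would be read as a host/path separator by the URI parser."""
    return "ldapi://" + quote(socket_path, safe="")


def ldapi_socket_path(uri: str) -> str:
    """Inverse of ldapi_uri(): recover the socket path (accepts %2f or %2F)."""
    if not uri.lower().startswith("ldapi://"):
        raise ValueError("not an ldapi URI: %r" % uri)
    return unquote(uri[len("ldapi://"):])


def parse_ad_error_info(info: str):
    """Split python-ldap's 'info' string into (code, message).

    The leading 8 hex digits are the Windows-style error code the server
    reports (0x2020 in the thread).  Returns (None, info) when the string
    is not in that format so callers can still log it."""
    m = _AD_INFO_RE.match(info)
    if not m:
        return None, info
    return int(m.group(1), 16), m.group(2)


def anonymous_search(socket_path=SAMBA_LDAPI_SOCKET, base="dc=mon,dc=dom"):
    """The thread's search, preceded by an explicit anonymous simple bind
    (what 'ldapsearch -x' sends).  Needs python-ldap and a local Samba DC,
    so the import is deferred; the helpers above work without it."""
    import ldap  # python-ldap; not needed for the pure helpers
    conn = ldap.initialize(ldapi_uri(socket_path))
    conn.protocol_version = ldap.VERSION3
    try:
        conn.simple_bind_s()  # anonymous bind: no DN, no password
        return conn.search_s(base, ldap.SCOPE_SUBTREE)
    except ldap.LDAPError as exc:
        detail = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
        code, message = parse_ad_error_info(detail.get("info", ""))
        raise RuntimeError(
            "LDAP %s (code %s): %s"
            % (detail.get("desc", exc.__class__.__name__), code, message)
        ) from exc
```

`parse_ad_error_info` is what you want in a monitoring script's error path: log the numeric code rather than the whole dict, so a "needs authentication" failure on one DC is distinguishable from a transient one when the script runs unattended.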
