[Samba] Using samba-python to query AD? Status of API?
infractory at gmail.com
Fri Nov 6 09:10:17 UTC 2015
If your goal is to avoid finding by yourself one DC to contact you can aim
your AD domain rather than aiming a DC, this because DNS returns all DC
when requesting AD domain entry.
host -t A samba.domain.tld
samba.domain.tld has address 10.16.48.16
samba.domain.tld has address 10.16.48.17
samba.domain.tld has address 10.16.48.18
So, first you create your Kerberos ticket using kinit:
kinit -t /path/to/youruser.keytab -k youruser
And then you run ldapsearch using GSSAPI and domain:
ldapsearch -H ldap://samba.domain.tld -Y GSSAPI objectCategory=person dn
I replaced "objectClass" used in your search by "objectCategory" to return
only users and not computers and added "dn sAMAccountName" to not retrieve
all fields (as an example).
2015-11-05 19:19 GMT+01:00 pisymbol . <pisymbol at gmail.com>:
> On Thu, Nov 5, 2015 at 11:41 AM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
> > On 05/11/15 16:38, pisymbol . wrote:
> >> On Thu, Nov 5, 2015 at 10:06 AM, Rowland Penny
> >> <rowlandpenny241155 at gmail.com> wrote:
> >>> On 05/11/15 14:59, pisymbol . wrote:
> >>>> On Wed, Nov 4, 2015 at 4:44 PM, Rowland Penny
> >>>> <rowlandpenny241155 at gmail.com> wrote:
> >>>>> Ah, you want to search AD with python, as in 'ldbsearch -H
> >>>>> /usr/local/samba/private/sam.ldb' (this will dump the AD database)
> >>>>> You will find lots of 'examples' in the python 'samba' directory that
> >>>>> an
> >>>>> install of a samba DC creates, these are used by samba-tool, well
> >>>>> actually,
> >>>>> they are samba-tool :-)
> >>>> No, I don't want to dump the LDB, I want to query an actual Windows DC
> >>>> (same as 'net ads search' command).
> >>> That was just an example, but why are you asking on a Samba mailing
> >>> for
> >>> information on howto query a windows DC??
> >>> You can use ldbsearch or ldapsearch for this, or use windows tools
> from a
> >>> windows machine.
> >> Yes, I understand all that. But the 'net ads search' wrapper is a lot
> >> nicer than the openldap clients.
> >> But perhaps you're right, maybe OpenLDAP is indeed what I really want
> >> and are a bit misguided by leveraging 'net ads search' stuff out of
> >> the samba tools so heavily.
> >> -aps
> > It might help if you explained just what you are trying to achieve, you
> > be trying to re-invent the wheel.
> Again, I am just trying to query an existing Windows DC. For example,
> let's say I want to dump all person objects from the FOO domain. I can
> setup smb.conf and kerberos on a Linux machine to act as a client (I
> don't even have to join provided I have creds) so I can do something
> like this:
> net ads search -U Administrator at FOO objectClass=person
> This of course can be accomplished using ldapsearch etc. But samba
> supplies the net command which offers the same thing but includes
> automatic DC detection, etc.
> I thought because there was a Python netcmd class, it might include
> similar functionality.
> Anyway, thanks for the tips, I still have to get around and look at
> the source mathias suggested previously. I may just stick with forking
> it and parsing string output.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba