[Samba] ldbadd with kerberos ticket => 00002020: Operation unavailable without authentication

Quirin Maier quirin.maier at googlemail.com
Thu Sep 3 21:25:58 UTC 2015


2015-09-01 23:39 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 01/09/15 21:59, Quirin Maier wrote:
>
>> Hi,
>>
>> I'd like to use ldbadd with kerberos authentication using samba
>> 4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not being
>> processed. Executing...
>>
>> kinit Administrator@INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab
>>
>> root@dc01:/# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator@INTERNAL.DOMAIN.TLD
>>
>> Valid starting     Expires            Service principal
>> 09/01/15 20:36:16  09/02/15 06:36:16  krbtgt/INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
>>         renew until 09/02/15 20:36:16
>>
>> root@dc01:/# ldbadd -k yes -H ldap://localhost << EOF
>> dn: CN=Groups,DC=internal,DC=domain,DC=tld
>> objectClass: container
>> objectClass: top
>> cn: Groups
>> objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld
>> description: Default container for upgraded group accounts
>> EOF
>>
>> results in:
>> ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020:
>> Operation unavailable without authentication> <>" on DN
>> CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6
>>
>> Anybody else who has the same problem? Or could somebody enlighten me
>> what I'm doing wrong here?
>>
>> btw: ldbadd -U DOMAIN/User%password ... works.
>>
>> Thanks in advance for any hint.
>>
>> Regards
>>
>
> OK, firstly I would create a user to use with ldb-tools instead of using
> Administrator:
>
> samba-tool user create admin --random-password --description="Unprivileged user for ldb-tools"
>
> Next, set user to not expire:
>
> samba-tool user setexpiry admin --noexpiry
>
> You now need to export the users keytab:
>
> samba-tool domain exportkeytab /etc/admin.keytab --principal=admin
>
> Now you have the keytab you can now run kinit and create the ticket cache:
>
> kinit -F -k -t /etc/admin.keytab -c /tmp/krb5cc_admin admin@UREALM   # <-- change 'UREALM' to your uppercase realm name
>
> Finally you can run the ldbadd command:
>
> ldbadd ldap://localhost --kerberos=yes --krb5-ccache=/tmp/krb5cc_admin << EOF
> ......
>
>
> HTH
>
> Rowland
>
>


Hi Rowland,

I've tried your solution, but unfortunately I received the same error again :-(

ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020:
Operation unavailable without authentication> <>" on DN
CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6

@all: anybody out there on Debian Jessie with SerNet Samba packages 4.2.3
who could try Rowland's solution and give feedback?

Quirin
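Rowland's keytab procedure above, as an added shell example that is not code from the thread: it wraps the same samba-tool/kinit/ldbadd steps with the checks worth making before blaming ldbadd (keytab file permissions, the keytab actually holding the requested principal, a valid ticket in the cache, and the DC's FQDN rather than localhost in the LDAP URL, since a GSSAPI bind needs a service ticket for ldap/<that host>). It assumes MIT krb5 client tools (for the `klist -k` output format) and the placeholder names REALM, KT_USER, KEYTAB, CCACHE and DC_URL.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: MIT krb5 client tools,
# samba-tool on the DC, and the placeholder values below (override via env).
REALM="${REALM:-INTERNAL.DOMAIN.TLD}"
KT_USER="${KT_USER:-admin}"
KEYTAB="${KEYTAB:-/etc/admin.keytab}"
CCACHE="${CCACHE:-/tmp/krb5cc_admin}"
DC_URL="${DC_URL:-ldap://dc01.internal.domain.tld}"   # placeholder DC FQDN

# Kerberos realm names are case-sensitive and conventionally uppercase.
upper_realm() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Principal names from `klist -k` output on stdin (MIT "KVNO Principal" table,
# rows like "   1 admin@INTERNAL.DOMAIN.TLD"), one per line, deduplicated.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i ~ /@/) print $i }' | sort -u
}

# Exit 0 if principal $1 is present in the `klist -k` listing read on stdin.
keytab_has_principal() { keytab_principals | grep -qx -- "$1"; }

# Host part of an ldap:// URL. A GSSAPI bind asks the KDC for a ticket for
# ldap/<this host>; the DC only has SPNs for its real FQDN, never "localhost".
ldap_url_host() { printf '%s' "$1" | sed -e 's#^[a-z]*://##' -e 's#[:/].*$##'; }

# The procedure itself; only meaningful when run as root on a Samba DC.
# Extra arguments are passed to ldbadd (LDIF files), else LDIF comes on stdin.
setup_ldb_kerberos() {
    principal="${KT_USER}@$(upper_realm "$REALM")"
    case "$(ldap_url_host "$DC_URL")" in
        localhost|127.*) echo "DC_URL must use the DC's FQDN, not localhost" >&2; return 1 ;;
    esac
    samba-tool user create "$KT_USER" --random-password \
        --description="Unprivileged user for ldb-tools"
    samba-tool user setexpiry "$KT_USER" --noexpiry
    samba-tool domain exportkeytab "$KEYTAB" --principal="$KT_USER"
    chmod 600 "$KEYTAB"    # the keytab is a long-lived credential: root-only
    # Fail early if the keytab does not actually hold the principal we request.
    klist -k "$KEYTAB" | keytab_has_principal "$principal" \
        || { echo "keytab $KEYTAB lacks $principal" >&2; return 1; }
    kinit -F -k -t "$KEYTAB" -c "$CCACHE" "$principal"
    KRB5CCNAME="$CCACHE" klist -s || { echo "no valid ticket in $CCACHE" >&2; return 1; }
    ldbadd -H "$DC_URL" --kerberos=yes --krb5-ccache="$CCACHE" "$@"
}

if [ "${1:-}" = "--run" ]; then shift; setup_ldb_kerberos "$@"; fi
```

Run it as `sh setup_ldb_kerberos.sh --run < groups.ldif` on the DC; the helper functions can be sourced and exercised on their own with sample `klist -k` output.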
