[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Jonathon Reinhart
jonathon.reinhart at gmail.com
Sun Apr 7 04:41:23 UTC 2019
Thanks for the example, Rowland.

Does ldb work against remote servers as well? I thought it was only for
local, file-based access.

In general, I just wanted to use my Samba AD as an environment to learn
more about writing software against LDAP. There are a few
applications I'm planning to develop, and I'd like to use actual LDAP so
they could be applicable to Samba or Microsoft AD servers.

I added some more information on the GitHub issue (
https://github.com/python-ldap/python-ldap/issues/275); it looks like there
is some sort of nasty race condition, because while the LDAP search usually
fails, it will work if I start an asynchronous search without waiting on it.
I'm not sure if the problem lies in Samba's LDAP server, the python-gitlab
library, or somewhere in between (possibly in the SASL or GSSAPI code). I'm
still looking into it, but I wanted to see if anyone here had ever seen
anything similar.

Thanks,
Jonathon Reinhart

On Sat, Apr 6, 2019, 08:56 Rowland Penny via samba <samba at lists.samba.org>
wrote:
> On Sat, 6 Apr 2019 04:52:38 -0400
> Jonathon Reinhart via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I'm writing in regards to this issue I opened on GitHub:
> > https://github.com/python-ldap/python-ldap/issues/275
> >
> > I am able to successfully use ldapsearch to query my Samba
> > 4.9.4-Debian DC:
> >
> > ldapsearch -LLL -Y GSSAPI -H ldap://samba-dc.ad.example.com -b
> > "dc=ad,dc=example,dc=com" "(objectClass=user)" "sAMAccountName"
> >
> > However, when I try to use python-ldap I get this error:
> >
> > 00002020: Operation unavailable without authentication
> >
> > I've traced ldapsearch and python using ltrace, and both seem to be
> > making the same calls (ldap_sasl_interactive_bind_s and
> > ldap_search_ext) and passing the same parameters.
> >
> > This feels like a bug in python-ldap, but I've been tracing this for
> > hours and can't find anything which indicates that. I set my samba
> > "log level" to 10 and grabbed a snapshot right around this query, but
> > it's still 1.4M. In there, I do see this:
> >
> > ldb: ldb_trace_response: DONE
> > error: 1
> > msg: Operation unavailable without authentication
> >
> > Am I missing something? Am I barking up the wrong tree?
>
> It might help if you explain just what you are trying to do ;-)
>
> Samba generally uses 'ldb' to work with the AD database, for instance to
> list users:
>
> # Imports needed by this excerpt
> import ldb
> import samba.getopt as options
> from samba import dsdb
> from samba.auth import system_session
> from samba.netcmd import Command, Option
> from samba.samdb import SamDB
>
>
> class cmd_user_list(Command):
>     """List all users."""
>
>     synopsis = "%prog [options]"
>
>     takes_options = [
>         Option("-H", "--URL", help="LDB URL for database or target server",
>                type=str, metavar="URL", dest="H"),
>     ]
>
>     takes_optiongroups = {
>         "sambaopts": options.SambaOptions,
>         "credopts": options.CredentialsOptions,
>         "versionopts": options.VersionOptions,
>     }
>
>     def run(self, sambaopts=None, credopts=None, versionopts=None, H=None):
>         lp = sambaopts.get_loadparm()
>         creds = credopts.get_credentials(lp, fallback_machine=True)
>
>         samdb = SamDB(url=H, session_info=system_session(),
>                       credentials=creds, lp=lp)
>
>         domain_dn = samdb.domain_dn()
>         # Bitwise-AND match on userAccountControl selects normal user accounts
>         res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
>                            expression=("(&(objectClass=user)(userAccountControl:%s:=%u))"
>                                        % (ldb.OID_COMPARATOR_AND,
>                                           dsdb.UF_NORMAL_ACCOUNT)),
>                            attrs=["samaccountname"])
>         if (len(res) == 0):
>             return
>
>         for msg in res:
>             self.outf.write("%s\n" % msg.get("samaccountname", idx=0))
>
> You may just be trying to reinvent the wheel ;-)
>
> Rowland
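
An added example, not code from this thread or from the python-ldap or Samba projects: a python-ldap counterpart of the ldapsearch command quoted above that uses the LDAP "Who am I?" operation to confirm the GSSAPI bind left the connection authenticated before it searches, and splits a diagnostic such as the one quoted above into code and message. The function names are hypothetical; it assumes python-ldap is installed, a Kerberos ticket is already in the credential cache, and the server answers the "Who am I?" extended operation.

```python
import re

# Diagnostic text of the form "<8 hex digits>: <message>", as in the error quoted above
_DIAG = re.compile(r"^([0-9A-Fa-f]{8}): (.*)$")


def parse_diag(info):
    """Split a server diagnostic into (numeric code, message); None for any other shape."""
    m = _DIAG.match(info.strip())
    return (int(m.group(1), 16), m.group(2)) if m else None


def is_unauthenticated(whoami):
    """RFC 4532: an empty authzId means the server treats the connection as anonymous."""
    return whoami is None or whoami.strip() == ""


def gssapi_search(uri, base, flt="(objectClass=user)", attrs=("sAMAccountName",)):
    """Bind with SASL/GSSAPI, verify the session identity, then run the search."""
    import ldap        # python-ldap; imported here so the helpers above work without it
    import ldap.sasl

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # do not chase referrals automatically
    try:
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
        who = conn.whoami_s()
        if is_unauthenticated(who):
            raise RuntimeError("bind reported success but the session is anonymous")
        rows = conn.search_s(base, ldap.SCOPE_SUBTREE, flt, list(attrs))
        # With referral chasing off, referrals come back with dn=None; drop them
        return who, [(dn, entry) for dn, entry in rows if dn is not None]
    except ldap.LDAPError as exc:
        detail = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
        info = detail.get("info", "")
        if isinstance(info, bytes):
            info = info.decode("utf-8", "replace")
        raise RuntimeError("LDAP failure: %s (%r)"
                           % (detail.get("desc"), parse_diag(info) or info)) from exc
    finally:
        conn.unbind_s()
```

Calling `gssapi_search("ldap://samba-dc.ad.example.com", "dc=ad,dc=example,dc=com")` returns the bound identity together with the matching entries, so a failure in the bind is reported separately from a failure in the search.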