[Samba] "00002020: Operation unavailable without authentication" using python-ldap

Rowland Penny rpenny at samba.org
Sun Apr 7 08:24:20 UTC 2019

On Sun, 7 Apr 2019 00:41:23 -0400
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:

> Thanks for the example, Rowland.

Whilst it was an example, it was actual code lifted from Samba's user.py

If you run 'samba-tool user list' on a DC, it is the actual code that
is run.

> Does ldb work against remote servers as well?  I thought it was only
> for local, file-based access.

Yes it does work on the wire, you can use samba-tool with the '-H' or
'--URL=url' options.

For instance 'sudo samba-tool user list -H ldap://dc4' run on a Unix
domain member will list all users in AD.

> In general, I just wanted to use my Samba AD as an environment to
> learn more about writing software against using LDAP. There are a few
> applications I'm planning to develop, and I'd like to use actual LDAP
> so they could be applicable to Samba or Microsoft AD servers.

Can I suggest you examine the Samba source code, if you download the
latest tarball:

Extract and open it, you will find a directory called 'python'

> I added some more information on the GitHub issue (
> https://github.com/python-ldap/python-ldap/issues/275); it looks like
> there is some sort of nasty race condition, because while the LDAP
> search usually fails, it will work if I start an asynchronous search
> without waiting on it.
> I'm not sure if the problem lies in Samba's LDAP server, the
> python-gitlab library, or somewhere in between (possibly in the SASL
> or GSSAPI code). I'm still looking into it, but I wanted to see if
> anyone here had ever seen anything similar.

This is probably a python-ldap problem, but if you use ldbsearch etc,
kerberos does work. The syntax is slightly different from ldapsearch,
see 'ldbsearch --help' and:



More information about the samba mailing list