[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Jonathon Reinhart
jonathon.reinhart at gmail.com
Sun Apr 7 17:45:11 UTC 2019
Interesting, I'm getting the same error using the LDB tools:

ONTHEFIVE\jreinhart-admin@samba-dc3:~$ samba-tool user list -H ldap://localhost
ERROR(ldb): uncaught exception - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 533, in run
    attrs=["samaccountname"])
ONTHEFIVE\jreinhart-admin@samba-dc3:~$ ldbsearch -H ldap://localhost -b 'dc=ad,dc=onthefive,dc=com'
search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>

Prior to this, I did a fresh kdestroy / kinit.

It happens also on another Linux box. (Not yet "joined", but had a TGT for jreinhart-admin):

$ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
search error - 00002020: Operation unavailable without authentication
$ kinit Administrator@AD.ONTHEFIVE.COM
Password for Administrator@AD.ONTHEFIVE.COM:
$ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
search error - 00002020: Operation unavailable without authentication

For reference, here is my smb.conf:

# Global parameters
[global]
    dns forwarder = 10.0.1.1
    netbios name = SAMBA-DC3
    realm = AD.ONTHEFIVE.COM
    server role = active directory domain controller
    workgroup = ONTHEFIVE
    # Winbind settings
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    kerberos method = system keytab
    #log level = 10

[netlogon]
    path = /var/lib/samba/sysvol/ad.onthefive.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

On Sun, Apr 7, 2019 at 4:25 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 7 Apr 2019 00:41:23 -0400
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > Thanks for the example, Rowland.
>
> Whilst it was an example, it was actual code lifted from Samba's user.py
>
> If you run 'samba-tool user list' on a DC, it is the actual code that
> is run.
>
> >
> > Does ldb work against remote servers as well? I thought it was only
> > for local, file-based access.
>
> Yes it does work on the wire, you can use samba-tool with the '-H' or
> '--URL=url' options.
>
> For instance 'sudo samba-tool user list -H ldap://dc4' run on a Unix
> domain member will list all users in AD.
>
> >
> > In general, I just wanted to use my Samba AD as an environment to
> > learn more about writing software against using LDAP. There are a few
> > applications I'm planning to develop, and I'd like to use actual LDAP
> > so they could be applicable to Samba or Microsoft AD servers.
>
> Can I suggest you examine the Samba source code, if you download the
> latest tarball:
> https://download.samba.org/pub/samba/stable/samba-4.10.1.tar.gz
>
> Extract and open it, you will find a directory called 'python'
>
> >
> > I added some more information on the GitHub issue (
> > https://github.com/python-ldap/python-ldap/issues/275); it looks like
> > there is some sort of nasty race condition, because while the LDAP
> > search usually fails, it will work if I start an asynchronous search
> > without waiting on it.
> >
> > I'm not sure if the problem lies in Samba's LDAP server, the
> > python-gitlab library, or somewhere in between (possibly in the SASL
> > or GSSAPI code). I'm still looking into it, but I wanted to see if
> > anyone here had ever seen anything similar.
>
> This is probably a python-ldap problem, but if you use ldbsearch etc,
> kerberos does work. The syntax is slightly different from ldapsearch,
> see 'ldbsearch --help' and:
>
> https://wiki.samba.org/index.php/LDB
>
> Rowland