[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Rowland Penny
rpenny at samba.org
Sun Apr 7 18:16:32 UTC 2019
On Sun, 7 Apr 2019 13:45:11 -0400
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> Interesting, I'm getting the same error using the LDB tools:
>
> ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H
> ldap://localhost
Does the DC use itself as its first nameserver in /etc/resolv.conf? If it does, it should work without authentication:
root at dc4:~# samba-tool user list -H ldap://localhost
testuser
groupuser2
User27
.......
....
...
> ONTHEFIVE\jreinhart-admin at samba-dc3:~$ ldbsearch -H ldap://localhost
> -b 'dc=ad,dc=onthefive,dc=com'
> search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> Operation unavailable without authentication> <>
Listing users should work on a DC or a Unix domain member, but it must
be done as root (or using sudo) and for Unix domain members, you must
use a DC's shorthostname instead of localhost.
>
>
> Prior to this, I did a fresh kdestroy / kinit.
>
> It happens also on another Linux box. (Not yet "joined", but had a
> TGT for jreinhart-admin):
>
> $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> search error - 00002020: Operation unavailable without authentication
>
>
> $ kinit Administrator at AD.ONTHEFIVE.COM
> Password for Administrator at AD.ONTHEFIVE.COM:
> $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> search error - 00002020: Operation unavailable without authentication
Did you run 'samba-tool user list --help'? And if so, did you miss:
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
--krb5-ccache=KRB5CCNAME
Kerberos Credentials cache
Try it as a normal user on a Unix domain member, kinit as the user, then
run this:
samba-tool user list -H ldap://samba-dc3 -k yes
> For reference, here is my smb.conf:
>
> # Global parameters
> [global]
> dns forwarder = 10.0.1.1
> netbios name = SAMBA-DC3
> realm = AD.ONTHEFIVE.COM
> server role = active directory domain controller
> workgroup = ONTHEFIVE
> # Winbind settings
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash
> template homedir = /home/%D/%U
You might as well remove the line above; it is the default.
> kerberos method = system keytab
Please don't use the line above; it stops you using secrets.tdb.
Rowland
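The subject line says the original poster hit the 00002020 diagnostic from python-ldap, and Rowland's answer is that the DC wants an authenticated bind (samba-tool's "-k yes" after a kinit). The snippet below is an added example, not code from the thread or from the Samba project: it does the python-ldap equivalent of that advice (a SASL GSSAPI bind using the caller's Kerberos ticket cache) and recognises the 00002020 code in the DC's diagnostic message so the failure is reported as "authenticate first" rather than a bare operations error. The parsing helpers run offline; the search function assumes python-ldap is installed, a ticket cache exists, and the server URI and base DN are those of your own domain (the ones used here are placeholders).

```python
import os
import re

# An AD DC (Samba included) prefixes its LDAP diagnostic message with an
# 8-digit hex code, e.g. "00002020: Operation unavailable without authentication".
AD_DIAG_RE = re.compile(r"^([0-9A-Fa-f]{8}):\s*(.*)$")

# The code seen in the thread: the DC refused the search because the bind was anonymous.
AD_NEEDS_AUTH = 0x2020


def parse_ad_diagnostic(info):
    """Split an AD diagnostic string into (code, text); code is None if no prefix is present."""
    m = AD_DIAG_RE.match(info or "")
    if not m:
        return None, info
    return int(m.group(1), 16), m.group(2).strip()


def needs_authentication(err):
    """True if a python-ldap LDAPError carries the 00002020 diagnostic.

    python-ldap puts the server's diagnostic text in err.args[0]["info"].
    """
    detail = err.args[0] if err.args and isinstance(err.args[0], dict) else {}
    code, _ = parse_ad_diagnostic(detail.get("info", ""))
    return code == AD_NEEDS_AUTH


def kerberos_user_search(uri, base_dn, ccache=None):
    """Bind with SASL GSSAPI (python-ldap's equivalent of 'samba-tool ... -k yes')
    and return the sAMAccountName of every user object under base_dn."""
    import ldap          # imported here so the parsing helpers above work without python-ldap
    import ldap.sasl

    if ccache:
        os.environ["KRB5CCNAME"] = ccache      # same role as samba-tool's --krb5-ccache
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_REFERRALS, 0)     # AD hands out referrals for other partitions; do not chase them
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())   # uses the ticket from kinit
    try:
        result = conn.search_s(base_dn, ldap.SCOPE_SUBTREE,
                               "(&(objectClass=user)(objectCategory=person))",
                               ["sAMAccountName"])
    except ldap.LDAPError as e:
        if needs_authentication(e):
            raise RuntimeError("DC requires an authenticated bind; run kinit first") from e
        raise
    names = []
    for dn, attrs in result:
        if dn is None:        # referral entries come back with dn None
            continue
        names.extend(v.decode("utf-8") for v in attrs.get("sAMAccountName", []))
    return names


if __name__ == "__main__":
    # Placeholder server and base DN: replace with your own domain's values.
    for name in kerberos_user_search("ldap://dc.example.internal", "dc=example,dc=internal"):
        print(name)
```

Run it after a kinit as the user; an anonymous bind against the same DC produces the operations error with the 00002020 text shown in the thread, which needs_authentication() picks out of the exception.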