[Samba] "00002020: Operation unavailable without authentication" using python-ldap

Rowland Penny rpenny at samba.org
Sun Apr 7 18:16:32 UTC 2019 

On Sun, 7 Apr 2019 13:45:11 -0400
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:

> Interesting, I'm getting the same error using the LDB tools:
> 
> ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H
> ldap://localhost

Does the DC use itself as its first nameserver in /etc/resolv.conf ?
if it does, it should work without authentication:

root at dc4:~# samba-tool user list -H ldap://localhost
testuser
groupuser2
User27
.......
....
...

> ONTHEFIVE\jreinhart-admin at samba-dc3:~$ ldbsearch -H ldap://localhost
> -b 'dc=ad,dc=onthefive,dc=com'
> search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020:
> Operation unavailable without authentication> <>

Listing users should work on a DC or a Unix domain member, but it must
be done as root (or using sudo) and for Unix domain members, you must
use a DC's shorthostname instead of localhost.

> 
> 
> Prior to this, I did a fresh kdestroy / kinit.
> 
> It happens also on another Linux box. (Not yet "joined", but had a
> TGT for jreinhart-admin):
> 
> $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> search error - 00002020: Operation unavailable without authentication
> 
> 
> $ kinit Administrator at AD.ONTHEFIVE.COM
> Password for Administrator at AD.ONTHEFIVE.COM:
> $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> search error - 00002020: Operation unavailable without authentication

Did you run 'samba-tool user list --help' ? and if so did you miss:

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos
    --ipaddress=IPADDRESS
                        IP address of server
    -P, --machine-pass  Use stored machine account password
    --krb5-ccache=KRB5CCNAME
                        Kerberos Credentials cache

Try it as a normal user on a Unix domain member, kinit as the user, then
run this:

samba-tool user list -H ldap://samba-dc3 -k yes

> For reference, here is my smb.conf:
> 
> # Global parameters
> [global]
>     dns forwarder = 10.0.1.1
>     netbios name = SAMBA-DC3
>     realm = AD.ONTHEFIVE.COM
>     server role = active directory domain controller
>     workgroup = ONTHEFIVE
>     # Winbind settings
>     idmap_ldb:use rfc2307 = yes
>     template shell = /bin/bash
>     template homedir = /home/%D/%U

You might as well remove the line above, it is the default.

>     kerberos method = system keytab

Please don't use the line above, it stops you using secrets.tdb

Rowland

More information about the samba mailing list