[Samba] "00002020: Operation unavailable without authentication" using python-ldap
Jonathon Reinhart
jonathon.reinhart at gmail.com
Sun Apr 7 21:34:11 UTC 2019
On Sun, Apr 7, 2019 at 2:17 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
>
> On Sun, 7 Apr 2019 13:45:11 -0400
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > Interesting, I'm getting the same error using the LDB tools:
> >
> > ONTHEFIVE\jreinhart-admin at samba-dc3:~$ samba-tool user list -H
> > ldap://localhost
>
> Does the DC use itself as its first nameserver in /etc/resolv.conf ?
> if it does, it should work without authentication:
>
> root at dc4:~# samba-tool user list -H ldap://localhost
> testuser
> groupuser2
> User27
> .......
> ....
> ...
Yes, the DC uses only "nameserver 127.0.0.1". As root, that command works.
> > ONTHEFIVE\jreinhart-admin at samba-dc3:~$ ldbsearch -H ldap://localhost
> > -b 'dc=ad,dc=onthefive,dc=com'
> > search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> > Operation unavailable without authentication> <>
>
> Listing users should work on a DC or a Unix domain member, but it must
> be done as root (or using sudo) and for Unix domain members, you must
> use a DC's shorthostname instead of localhost.
>
> >
> >
> > Prior to this, I did a fresh kdestroy / kinit.
> >
> > It happens also on another Linux box. (Not yet "joined", but had a
> > TGT for jreinhart-admin):
> >
> > $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> > search error - 00002020: Operation unavailable without authentication
> >
> >
> > $ kinit Administrator at AD.ONTHEFIVE.COM
> > Password for Administrator at AD.ONTHEFIVE.COM:
> > $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> > search error - 00002020: Operation unavailable without authentication
>
> Did you run 'samba-tool user list --help' ? and if so did you miss:
>
> Credentials Options:
> --simple-bind-dn=DN
> DN to use for a simple bind
> --password=PASSWORD
> Password
> -U USERNAME, --username=USERNAME
> Username
> -W WORKGROUP, --workgroup=WORKGROUP
> Workgroup
> -N, --no-pass Don't ask for a password
> -k KERBEROS, --kerberos=KERBEROS
> Use Kerberos
> --ipaddress=IPADDRESS
> IP address of server
> -P, --machine-pass Use stored machine account password
> --krb5-ccache=KRB5CCNAME
> Kerberos Credentials cache
>
> Try it as a normal user on a Unix domain member, kinit as the user, then
> run this:
>
> samba-tool user list -H ldap://samba-dc3 -k yes
I don't yet have a Unix domain member to test. But on the DC (as non-root
user), passing "-k yes" to either samba-tool and ldbsearch works.
I also tried this from a non-joined Linux box, and that worked as well:
ldbsearch -k yes -H ldap://samba-dc3 -b 'dc=ad,dc=onthefive,dc=com'
>
> > For reference, here is my smb.conf:
> >
> > # Global parameters
> > [global]
> > dns forwarder = 10.0.1.1
> > netbios name = SAMBA-DC3
> > realm = AD.ONTHEFIVE.COM
> > server role = active directory domain controller
> > workgroup = ONTHEFIVE
> > # Winbind settings
> > idmap_ldb:use rfc2307 = yes
> > template shell = /bin/bash
> > template homedir = /home/%D/%U
>
> You might as well remove the line above, it is the default.
>
> > kerberos method = system keytab
>
> Please don't use the line above, it stops you using secrets.tdb
Okay thanks. I looked but couldn't find any recommendations on the "right"
choice for "kerberos method". I added this line (changing it from the
default) so I could SSH w/ Kerberos auth to the DC. I guess "secrets and
keytab" is the "right" choice then? Did I miss this, or should this be
expanded upon in the Wiki? What is the effect of not using secrets.tdb?
Thanks for setting me straight with the -k option.
However, I still have this issue with my Python LDAP tests. I had hoped
that "kerberos method = secrets and keytab" would make a difference, but it
did not. This issue occurs on three different machines, using python-ldap
3.1.0, 2.5.2, and pyldap (a fork), version 2.4.25.1.
I tried writing some standalone C code to replicate this, but I didn't
quite get it working. My next step might be to try some other
language/library that has GSSAPI support, but I'm getting stuck.
Any ideas how I might be able to go about proving this is python-ldap's
issue or Samba's? I might have to install a MS AD server for comparison.
Thanks,
Jonathon
More information about the samba
mailing list