Use of kerberos in python samdb script
William Brown
william.e.brown at adelaide.edu.au
Sat May 11 18:13:30 MDT 2013
Hi,
I am attempting to write a python script using the samba.samdb SamDB module. I
am attempting to authenticate via kerberos with this.
My script is:
#WARNING - This requires you to erase samba-python and samba-dc on fedora!!!!
import sys
sys.path.append('/opt/samba4/lib64/python2.7/site-packages')
from samba.samdb import SamDB
from samba import ldb
from samba.param import LoadParm
from samba.auth import system_session
from samba.credentials import Credentials, AUTO_USE_KERBEROS, MUST_USE_KERBEROS
import getpass
# Load the smb.conf parameters and let the credentials pick up defaults from them
lp = LoadParm()
creds = Credentials()
creds.guess(lp)
creds.set_username('william')
# Kerberos attempt (fails); the commented set_password line below is the variant that works
creds.set_kerberos_state(AUTO_USE_KERBEROS)
#creds.set_password(getpass.getpass('Samba password #'))
#samdb = SamDB(url='ldap://lillie.example.com', session_info=system_session(), credentials=creds, lp=lp)
samdb = SamDB(url='ldap://lillie.ad.example.com',
              session_info=system_session(), credentials=creds, lp=lp)
#l = Ldb(url='ldap://lillie.ad.example.com', session_info=system_session(), credentials=creds, lp=lp)
res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
                   expression='(cn=William)', attrs=["cn", "uid", "gid"])
Using the creds.set_password function works as expected, and I am able to get
results from the search.
However, using the set_kerberos_state does not work. I am greeted by:
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>
Failed to connect to 'ldap://lillie.ad.example.com' with backend 'ldap': (null)
Traceback (most recent call last):
  File "ldbexample.py", line 21, in <module>
    samdb = SamDB(url='ldap://lillie.ad.example.com', session_info=system_session(), credentials=creds, lp=lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 56, in __init__
    options=options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 71, in connect
    options=options)
_ldb.LdbError: (1, None)
I can correctly verify I have a krb5 ticket that is valid:
Ticket cache: DIR::/run/user/2000/krb5cc/tkt8FKOCB
Default principal: william@AD.EXAMPLE.COM
Valid starting     Expires            Service principal
05/12/13 08:48:19  05/12/13 18:48:19  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 05/13/13 08:48:19
Using this ticket I can correctly query the domain with ldapsearch. Thus, the
ticket and environment definitely work with krb5.
ldapsearch -Y GSSAPI
Any ideas on what is going wrong here?
--
Sincerely,
William Brown
Research & Teaching, Technology Services
The University of Adelaide, AUSTRALIA 5005
CRICOS Provider Number 00123M
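
The following is an added example, not part of the original message: a small parser for the klist output quoted in the post, so a script can record the cache type, the default principal, whether the TGT is inside its validity window, and whether any ldap/ service ticket is present before it attempts the GSSAPI bind. The function names, the US-style date format and the sample text (the post's output with "@" restored) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the klist output quoted in the post, "@" restored.
SAMPLE = """\
Ticket cache: DIR::/run/user/2000/krb5cc/tkt8FKOCB
Default principal: william@AD.EXAMPLE.COM
Valid starting     Expires            Service principal
05/12/13 08:48:19  05/12/13 18:48:19  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 05/13/13 08:48:19
"""

FMT = "%m/%d/%y %H:%M:%S"  # assumption: month/day/year, as in the post
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET = re.compile(r"^%s\s+%s\s+(\S+)$" % (STAMP, STAMP))

def parse_klist(text):
    """Return cache type/residual, default principal and the ticket list."""
    info = {"cache_type": None, "residual": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Ticket cache:"):
            name = line.split(":", 1)[1].strip()
            ctype, sep, rest = name.partition(":")
            # "TYPE:residual"; a bare path is treated as a FILE cache
            if sep and not ctype.startswith("/"):
                info["cache_type"], info["residual"] = ctype, rest
            else:
                info["cache_type"], info["residual"] = "FILE", name
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        else:
            m = TICKET.match(line)  # "renew until" lines do not match
            if m:
                start, end = (datetime.strptime(g, FMT) for g in m.group(1, 2))
                info["tickets"].append({"start": start, "end": end, "service": m.group(3)})
    return info

def preflight(info, now, spn_prefix="ldap/"):
    """Summarise what the cache shows before a GSSAPI bind is attempted."""
    if not info["principal"] or "@" not in info["principal"]:
        raise ValueError("no default principal in klist output")
    realm = info["principal"].rsplit("@", 1)[1]
    tgt = "krbtgt/%s@%s" % (realm, realm)
    tickets = info["tickets"]
    return {
        "cache_type": info["cache_type"],
        "tgt_valid": any(t["service"] == tgt and t["start"] <= now < t["end"] for t in tickets),
        "has_service_ticket": any(t["service"].startswith(spn_prefix) for t in tickets),
    }
```
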