Use of kerberos in python samdb script

Gémes Géza geza at kzsdabas.hu
Sun May 12 02:45:28 MDT 2013


On 2013-05-12 07:57, Alexander Bokovoy wrote:
> Hi,
>
> On Sun, May 12, 2013 at 3:13 AM, William Brown <william.e.brown at adelaide.edu.au> wrote:
>
>> Hi,
>>
>> I am attempting to write a python script using the samba.samdb SamDB module.
>> I am attempting to authenticate via kerberos with this.
>>
>> My script is:
>>
>> #WARNING - This requires you to erase samba-python and samba-dc on fedora!!!!
>> import sys
>> sys.path.append('/opt/samba4/lib64/python2.7/site-packages')
>>
>> from samba.samdb import SamDB
>> from samba import ldb
>> from samba.param import LoadParm
>> from samba.auth import system_session
>> from samba.credentials import Credentials, AUTO_USE_KERBEROS, MUST_USE_KERBEROS
>>
>> import getpass
>>
>> lp = LoadParm()
>> creds = Credentials()
>> creds.guess(lp)
>> creds.set_username('william')
>> creds.set_kerberos_state(AUTO_USE_KERBEROS)
>> #creds.set_password(getpass.getpass('Samba password #'))
>>
> The Credentials object makes its decision based on LoadParm content. Some of
> the functions LoadParm uses internally make Credentials believe smb.conf
> values were overridden from the command line and always resort to using a
> password. This is, in particular, related to the workgroup and realm values.
> The easiest way is to have an empty smb.conf as LoadParm. Here is what I use
> in FreeIPA's code:
> ....
>              self._parm = param.LoadParm()
>              self._parm.load(os.path.join(ipautil.SHARE_DIR,"smb.conf.empty"))
>              self._parm.set('netbios name', self.flatname)
>              self._creds = credentials.Credentials()
>              self._creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
>              self._creds.guess(self._parm)
>              self._creds.set_workstation(self.flatname)
>
>
Trying to use your example in a test script like:

lp = LoadParm()
lp.load ( '/dev/null' )
lp.set( 'netbios name', 'KZSDABAS' )
creds = Credentials ()
creds.set_username( 'geza' )
creds.set_kerberos_state( MUST_USE_KERBEROS )
samdb = SamDB ( url='ldap://dc0.kzsdabas.hu',
                session_info=system_session(), credentials=creds, lp=lp )

yields:

Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://dc0.kzsdabas.hu' with backend 'ldap': (null)
Traceback (most recent call last):
   File "/tmp/test.py", line 58, in <module>
     samdb = SamDB(url='ldap://dc0.kzsdabas.hu', session_info=system_session(), credentials=creds, lp=lp)
   File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 56, in __init__
     options=options)
   File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 114, in __init__
     self.connect(url, flags, options)
   File "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line 71, in connect
     options=options)
_ldb.LdbError: (1, None)

The same script with MUST_USE_KERBEROS changed into AUTO_USE_KERBEROS 
gives a segmentation fault when it tries to read from /dev/urandom,
strace gives:
open("/dev/urandom", O_RDONLY)          = 5
fcntl(5, F_GETFD)                       = 0
fcntl(5, F_SETFD, FD_CLOEXEC)           = 0
read(5, "N\371\"=\212\226\253\220`\353\234\266c\375F\361", 16) = 16
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++



More information about the samba-technical mailing list