Use of kerberos in python samdb script

William Brown william.e.brown at adelaide.edu.au
Sun May 12 06:03:46 MDT 2013


> >> 
> >> Trying to use your example in a test script like:
> >> 
> >> lp = LoadParm()
> >> lp.load ( '/dev/null' )
> >> lp.set( 'netbios name', 'KZSDABAS' )
> >> creds = Credentials ()
> >> creds.set_username( 'geza' )
> > 
> > Don't set the username.  Doing so makes us ignore any credentials cache
> > from the environment, because we see you forcing a specific username.
> > 
> > That's actually because you didn't set the password, but did set the
> > username.  I agree that segfaults are not quite the right error return,
> > but this happens because you didn't call guess(), which would fill in
> > the defaults.
> > 
> > Andrew Bartlett
> 
> lp = LoadParm()
> creds = Credentials()
> creds.guess(lp)
> creds.set_kerberos_state(MUST_USE_KERBEROS)
> samdb = SamDB(url='ldap://dc0.kzsdabas.hu',
>               session_info=system_session(), credentials=creds, lp=lp)
> domain_dn = samdb.domain_dn()
> print domain_dn
> DNSName = samdb.host_dns_name()
> print DNSName
> res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
>                    expression=("(&(objectClass=computer)(dNSHostName=%s)"
>                                "(userAccountControl:%s:=%u))" %
>                                (DNSName, ldb.OID_COMPARATOR_AND,
>                                 dsdb.UF_SERVER_TRUST_ACCOUNT)),
>                    attrs=["objectGUID"])
> GUID = str(ndr_unpack(misc.GUID, res[0].get("objectGUID", idx=0)))
> print GUID
> 
> 
> The only strange thing is, that the above snippet works the same until
> samdb.search if I set AUTO_USE_KERBEROS too, but search fails with:
> _ldb.LdbError: (1, 'LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: Operation unavailable without authentication> <>')
> 
> Cheers
> 
> Geza Gemes

With MUST_USE_KERBEROS I get:

Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://lillie.ad.example.com' with backend 'ldap': (null)
Traceback (most recent call last):
  File "ldbexample.py", line 18, in <module>
    samdb = SamDB(url='ldap://lillie.ad.example.com', session_info=system_session(), credentials=creds, lp=lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 56, in __init__
    options=options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 71, in connect
    options=options)
_ldb.LdbError: (1, None)


With AUTO_USE_KERBEROS I get:


Traceback (most recent call last):
  File "ldbexample.py", line 23, in <module>
    res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE, expression='(cn=William)', attrs=["cn", "uid", "gid"] )
_ldb.LdbError: (1, 'LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without authentication> <>')

My script is:


import sys
# Use the Python bindings from the locally built Samba install
sys.path.append('/usr/local/samba/lib64/python2.7/site-packages')

from samba.samdb import SamDB
from samba import ldb
from samba.param import LoadParm
from samba.auth import system_session
from samba.credentials import Credentials, AUTO_USE_KERBEROS, MUST_USE_KERBEROS

lp = LoadParm()
creds = Credentials()
# guess() fills in the defaults from the environment
creds.guess(lp)
# Require Kerberos for the bind
creds.set_kerberos_state(MUST_USE_KERBEROS)

samdb = SamDB(url='ldap://lillie.ad.example.com',
              session_info=system_session(), credentials=creds, lp=lp)

print(samdb.domain_dn())

res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE,
                   expression='(cn=William)', attrs=["cn", "uid", "gid"])
print(dir(res))




The site packages here is pointing at my 4.0.5 install btw. Again, I have 
checked that with ldapsearch -Y GSSAPI I have a valid and working krb5 ticket. 
Setting the script to be the following has no effect on the outcome:

lp = LoadParm()
lp.load('/dev/null')


Any further ideas would be welcome. 

-- 
Sincerely,

William Brown

Research & Teaching, Technology Services
The University of Adelaide, AUSTRALIA 5005
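
Added example, not part of the original message and not Samba code: a standard-library preflight a script could run before calling SamDB(...) to see which credential cache its own environment resolves to and whether that file looks usable, so a missing cache is reported up front instead of surfacing later as an unauthenticated search. The helper names are hypothetical, and the /tmp/krb5cc_<uid> default is an assumption (the usual built-in default; krb5.conf is not consulted).

```python
import os
import stat

# Assumption: built-in default used when KRB5CCNAME is unset and krb5.conf
# sets no default_ccache_name (krb5.conf is not read by this sketch).
DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%d"


def resolve_ccache(environ=None, uid=None):
    """Return (type, residual) for the ccache this process would use."""
    environ = os.environ if environ is None else environ
    uid = os.getuid() if uid is None else uid
    name = environ.get("KRB5CCNAME") or DEFAULT_CCACHE % uid
    ctype, sep, residual = name.partition(":")
    # A bare path (no TYPE: prefix) is treated as a FILE cache.
    if not sep or ctype.startswith("/"):
        return "FILE", name
    return ctype.upper(), residual


def check_ccache(environ=None, uid=None):
    """Return a list of problems; an empty list means nothing looks wrong."""
    uid = os.getuid() if uid is None else uid
    ctype, path = resolve_ccache(environ, uid)
    if ctype != "FILE":
        return []  # KEYRING:, KCM:, DIR: etc. cannot be checked with stat()
    try:
        st = os.lstat(path)
    except OSError as exc:
        return ["no credential cache at %s (%s)" % (path, exc.strerror)]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if st.st_uid != uid:
        problems.append("%s is owned by uid %d, not %d" % (path, st.st_uid, uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is accessible to group/other (mode %o)"
                        % (path, stat.S_IMODE(st.st_mode)))
    if st.st_size == 0:
        problems.append("%s is empty (no tickets)" % path)
    return problems


if __name__ == "__main__":
    print("ccache: %s:%s" % resolve_ccache())
    for issue in check_ccache():
        print("problem: " + issue)
```

This only checks that a cache file is present and private to the user; it does not parse the cache, so ticket expiry still has to be confirmed with klist.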
