Web lists-archives.com

Re: [Samba] "00002020: Operation unavailable without authentication" using python-ldap

On Sat, 6 Apr 2019 04:52:38 -0400
Jonathon Reinhart via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> I'm writing in regards to this issue I opened on GitHub:
> https://github.com/python-ldap/python-ldap/issues/275
> I am able to successfully use ldapsearch to query my Samba
> 4.9.4-Debian DC:
> ldapsearch -LLL -Y GSSAPI -H ldap://samba-dc.ad.example.com -b
> "dc=ad,dc=example,dc=com" "(objectClass=user)" "sAMAccountName"
> However, when I try to use python-ldap I get this error:
>     00002020: Operation unavailable without authentication
> I've traced ldapsearch and python using ltrace, and both seem to be
> making the same calls (ldap_sasl_interactive_bind_s and
> ldap_search_ext) and passing the same parameters.
> This feels like a bug in python-ldap, but I've been tracing this for
> hours and can't find anything which indicates that. I set my samba
> "log level" to 10 and grabbed a snapshot right around this query, but
> it's still 1.4M. In there, I do see this:
>   ldb: ldb_trace_response: DONE
>   error: 1
>   msg: Operation unavailable without authentication
> Am I missing something? Am I barking up the wrong tree?

It might help if you explain just what you are trying to do ;-)

Samba generally use 'ldb' to work with the AD database, for instance to
list users:

class cmd_user_list(Command):
    """List all users."""

    synopsis = "%prog [options]"

    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
               metavar="URL", dest="H"),

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,

    def run(self, sambaopts=None, credopts=None, versionopts=None, H=None):
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp, fallback_machine=True)

        samdb = SamDB(url=H, session_info=system_session(),
                      credentials=creds, lp=lp)

        domain_dn = samdb.domain_dn()
        res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
                                       % (ldb.OID_COMPARATOR_AND, dsdb.UF_NORMAL_ACCOUNT)),
        if (len(res) == 0):

        for msg in res:
            self.outf.write("%s\n" % msg.get("samaccountname", idx=0))

You may just be trying to reinvent the wheel ;-)


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba