Web lists-archives.com

Re: [Samba] "00002020: Operation unavailable without authentication" using python-ldap

On Sun, 7 Apr 2019 13:45:11 -0400
Jonathon Reinhart <jonathon.reinhart@xxxxxxxxx> wrote:

> Interesting, I'm getting the same error using the LDB tools:
> ONTHEFIVE\jreinhart-admin@samba-dc3:~$ samba-tool user list -H
> ldap://localhost

Does the DC use itself as its first nameserver in /etc/resolv.conf ?
if it does, it should work without authentication:

root@dc4:~# samba-tool user list -H ldap://localhost

> ONTHEFIVE\jreinhart-admin@samba-dc3:~$ ldbsearch -H ldap://localhost
> -b 'dc=ad,dc=onthefive,dc=com'
> search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020:
> Operation unavailable without authentication> <>

Listing users should work on a DC or a Unix domain member, but it must
be done as root (or using sudo) and for Unix domain members, you must
use a DC's shorthostname instead of localhost.

> Prior to this, I did a fresh kdestroy / kinit.
> It happens also on another Linux box. (Not yet "joined", but had a
> TGT for jreinhart-admin):
> $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> search error - 00002020: Operation unavailable without authentication
> $ kinit Administrator@xxxxxxxxxxxxxxxx
> Password for Administrator@xxxxxxxxxxxxxxxx:
> $ ldbsearch -H ldap://samba-dc3.ad.onthefive.com
> search error - 00002020: Operation unavailable without authentication

Did you run 'samba-tool user list --help' ? and if so did you miss:

  Credentials Options:
                        DN to use for a simple bind
    -U USERNAME, --username=USERNAME
    -W WORKGROUP, --workgroup=WORKGROUP
    -N, --no-pass       Don't ask for a password
    -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos
                        IP address of server
    -P, --machine-pass  Use stored machine account password
                        Kerberos Credentials cache

Try it as a normal user on a Unix domain member, kinit as the user, then
run this:

samba-tool user list -H ldap://samba-dc3 -k yes

> For reference, here is my smb.conf:
> # Global parameters
> [global]
>     dns forwarder =
>     netbios name = SAMBA-DC3
>     realm = AD.ONTHEFIVE.COM
>     server role = active directory domain controller
>     workgroup = ONTHEFIVE
>     # Winbind settings
>     idmap_ldb:use rfc2307 = yes
>     template shell = /bin/bash
>     template homedir = /home/%D/%U

You might as well remove the line above, it is the default.

>     kerberos method = system keytab

Please don't use the line above, it stops you using secrets.tdb


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba