
So I understand the concept of binding to an LDAP server of any kind and performing either authenticated or anonymous queries.

And my goal is to get the full dn=...dc=example,dc=com for a specific user.

And I know I've set up my samba4 as an AD controller in a way that it shouldn't allow anonymous queries/bindings.

What surprises me is that ldbsearch differs from ldapsearch (OpenLDAP's client application) in that it doesn't seem to support authentication?

So my basic query looks like:

# ldbsearch -H ldap://127.0.0.1 -b "DC=example,DC=com" "(CN=usernameHere)"
search error - 00002020: Operation unavailable without authentication

Now this is done on the AD controller, and I'm sure you could point out to the .db file containing all the accounts and what not, but I would prefer to be able to do this remotely via smb:// or ldap://.

I've also tried smb:// just for the sake of it:

Unable to find backend for 'smb://127.0.0.1' - do you need to set LDB_MODULES_PATH?

Furthermore, I've tried using kerberos tickets in order to perhaps see if ldbsearch could pick that up and use that as authentication:

# kinit [email protected]
Password for [email protected]: 
Warning: Your password will expire in 26 days on Wed 06 Jul 2016 09:27:36 PM CEST

ldbsearch still gives me the exact same error.
So how do you go about performing searches on your domain with samba4?

I should add that the following command works:

# ldbsearch -H ldap://127.0.0.1 -s base -b "" defaultNamingContext

# record 1
dn: 
defaultNamingContext: DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals
Torxed

1 Answer

Try to add the -U option with the right username, and optionally the password:

ldbsearch -H ldap://127.0.0.1 -s sub -b 'DC=example,DC=com' -U Administrator%YourPassword

or, to not leave the password in the command history, use the -A option with a file containing the username and password:

ldbsearch -H ldap://127.0.0.1 -s sub -b 'DC=example,DC=com' -A My_Auth_File

The file "My_Auth_File" would contain for example:

username=Administrator
password=My-Admin-password

Unfortunately, man ldbsearch doesn't show all possible options. ldbsearch --usage shows many more:

ldbsearch --usage

Usage: [-?viraSNPeV] [-?|--help] [--usage] [-H|--url=URL] [-b|--basedn=DN] [-e|--editor=PROGRAM] [-s|--scope=SCOPE] [-v|--verbose] [--trace] [-i|--interactive] [-r|--recursive] [--modules-path=PATH] [--num-searches=INT] [--num-records=INT] [-a|--all] [--nosync] [-S|--sorted] [-o=OPTION] [--controls=STRING] [--show-binary] [--paged] [--show-deleted] [--show-recycled] [--show-deactivated-link] [--reveal] [--relax] [--cross-ncs] [--extended-dn] [-d|--debuglevel=DEBUGLEVEL] [--debug-stderr] [-s|--configfile=CONFIGFILE] [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [-A|--authentication-file=FILE] [-P|--machine-pass] [--simple-bind-dn=STRING] [-k|--kerberos=STRING] [--krb5-ccache=STRING] [-S|--sign] [-e|--encrypt] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS]

And ldbsearch --help shows them in a much more readable way with a short description.

(this is with Samba 4.9.5 on Debian 10.11)

mivk
  • Thank you for answering this. I know it's been five years since I've posted this and I rarely use Active Directory any more. So without even questioning this, I will assume that you as a stranger on the internet have tested this and it works - therefore I'll mark your answer as correct : ) – Torxed Nov 18 '21 at 13:16
    @Torxed: I also use AD as rarely as possible ... :-) but I needed it yesterday, so came across this old post when I also had trouble with that. – mivk Nov 18 '21 at 15:42
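A small POSIX shell helper, added here as an example and not part of the answer above, that writes the -A authentication file in the username=/password= format the answer describes with owner-only permissions, and then uses it for the DN lookup from the question. The host, base DN and Administrator account are taken from the thread; the account name passed in and the distinguishedName attribute request are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the ldbsearch -A file
# so the password never appears in the shell history or in `ps` output,
# then look up one account's DN. Host and base DN follow the question.

# Write an authentication file readable only by the calling user.
# Usage: write_auth_file FILE USERNAME PASSWORD
write_auth_file() {
    auth_file=$1
    # umask 077 inside a subshell: the file is created 0600 and the
    # caller's umask is left untouched.
    (umask 077 && printf 'username=%s\npassword=%s\n' "$2" "$3" > "$auth_file") || return 1
    # Enforce 0600 even if the file already existed with a wider mode.
    chmod 600 "$auth_file"
}

# Print the full DN of the account whose CN matches $2, authenticating
# with the file $1 (the same -A form the answer recommends).
# distinguishedName is the standard AD attribute holding the object's DN.
# Usage: find_user_dn AUTH_FILE ACCOUNT
find_user_dn() {
    ldbsearch -H ldap://127.0.0.1 -s sub -b 'DC=example,DC=com' -A "$1" \
        "(CN=$2)" distinguishedName
}

# Stand-alone use: ./script ACCOUNT  (password read without echo; the
# auth file lives in a temp path and is removed when the script exits).
if [ $# -eq 1 ] && command -v ldbsearch >/dev/null 2>&1; then
    auth=$(mktemp) || exit 1
    trap 'rm -f "$auth"' EXIT
    printf 'Password for Administrator: '
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo
    write_auth_file "$auth" Administrator "$pw" || exit 1
    find_user_dn "$auth" "$1"
fi
```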