noirello / bonsai

Simple Python 3 module for LDAP, using libldap2 and winldap C libraries.
MIT License

Connecting to trusting domain in different forest #53

Closed reach4bawer closed 1 year ago

reach4bawer commented 2 years ago

How do I connect to a trusting domain in a different forest? Is there any guidance around it?

I tried to connect to the trusting domain by providing the credentials of my base domain. My user account is created in "Domain_1", which is under "Master_Domain_1". I can authenticate to both these domains. I have Master_Domain_2, which is a separate forest that has the "Domain_2" domain.

import bonsai
import configparser

bonsai.set_connect_async(False)

CACERT_FILE = "./Cert/cacerts.pem"

username = 'my_user'
password = 'SecretPassword#'

config = configparser.ConfigParser()
config.read('.//AD_Configs//Config.ini')
server_name = config['DOMAIN_1']['URL']

client = bonsai.LDAPClient(server_name)
client.set_ca_cert(CACERT_FILE)
# With auto page acquire on, iterating a paged search result follows the paging cookie by itself.
client.set_auto_page_acquire(True)

# Bind DN of the account; the RDNs must be separated by commas (CN=...,OU=...).
client.set_credentials("SIMPLE", user="CN=" + username + ",OU=Users,DC=DOMAIN_1,DC=com", password=password)

base = config['DOMAIN_1']['Base']

query = "(&(objectClass=group)(SamAccountName=Domain Admins))"

final_result = []

# The context manager opens (and binds) the connection and closes it on exit.
with client.connect() as conn:
    result = conn.paged_search(base=base, scope=2, filter_exp=query, attrlist=['*'],
                               page_size=1000, attrsonly=False)
    for r in result:
        final_result.append(r)
    print(len(final_result))
    # Manual page walk; only needed when auto page acquire is off.
    msgid = result.acquire_next_page()
    while msgid is not None:
        result = conn._evaluate(msgid)
        for r in result:
            final_result.append(r)
        msgid = result.acquire_next_page()

print(len(final_result))

This code is successful when I change DOMAIN_1 to Master_Domain_1 as well. When I change server_name to reference Domain_2 or Master_Domain_2 (and also change the base variable), where I have a bi-directional trust, I am not able to authenticate and I get the following error for conn = client.connect() -

bonsai.errors.AuthenticationError: Invalid credentials. 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839 (0x0031 [49])

The debug logs are -

DBG: ldapconnection_new [self:0x11790b760]
DBG: ldapconnection_init (self:0x11790b760)
DBG: ldapconnection_open (self:0x11790b760)
DBG: connecting (self:0x11790b760)
DBG: create_conn_info (mech:SIMPLE, sock:-1, creds:0x117905600)
DBG: ldapconnectiter_new [self:0x117916300]
DBG: create_init_thread_data (client:0x1178f6c40, sock:-1)
DBG: create_init_thread (ld:0x7fbba9ae51b0, info:0x7fbba9ae5b60, thread:0)
DBG: ldapconnection_result (self:0x11790b760, args:0x1162f0300, kwds:0x0)[msgid:-1]
DBG: LDAPConnection_Result (self:0x11790b760, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:0x117916300, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:123145512566784, timeout:-1, misc:0x7fbba9ae51b0)
DBG: ldap_init_thread_func (params:0x7fbba9ae51b0)
DBG: _pthread_mutex_timedlock
DBG: set connecting async: 0
DBG: ldap_init_thread_func [retval:0]
ldap_create
ldap_url_parse_ext(ldaps://domain_2.com:636)
DBG: set_certificates (self:0x117916300)
DBG: binding [state:3]
ldap_sasl_bind
DBG: _ldap_bind (ld:0x7fbba9a77110, info:0x7fbba9ae5b60, ppolicy:0, result:0x0, msgid:0)
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP domain_2.com:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 10.210.21.193:636
ldap_pvt_connect: fd: 7 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 3, err: 0, subject: 
TLS certificate verification: depth: 2, err: 0, subject: 
TLS certificate verification: depth: 1, err: 0, subject: 
TLS certificate verification: depth: 0, err: 0, subject: 
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:SSLv3/TLS read server key exchange
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS trace: SSL_connect:SSLv3/TLS read server done
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write client key exchange
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS read change cipher spec
TLS trace: SSL_connect:SSLv3/TLS read finished
ldap_open_defconn: successful
ldap_send_server_request
ldap_msgfree
DBG: LDAPConnectIter_Next (self:0x117916300, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
ldap_result ld 0x7fbba9a77110 msgid 1
wait4msg ld 0x7fbba9a77110 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fbba9a77110 msgid 1 all 1
** ld 0x7fbba9a77110 Connections:
* host: domain_2.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Aug 10 14:54:56 2021
** ld 0x7fbba9a77110 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fbba9a77110 request count 1 (abandoned 0)
** ld 0x7fbba9a77110 Response Queue:
   Empty
  ld 0x7fbba9a77110 response count 0
ldap_chkResponseList ld 0x7fbba9a77110 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fbba9a77110 NULL
ldap_int_select
read1msg: ld 0x7fbba9a77110 msgid 1 all 1
read1msg: ld 0x7fbba9a77110 msgid 1 message type bind
read1msg: ld 0x7fbba9a77110 0 new referrals
read1msg:  mark request completed, ld 0x7fbba9a77110 msgid 1
request done: ld 0x7fbba9a77110 msgid 1
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_err2string
DBG: ldapconnectiter_dealloc (self:0x117916300)
DBG: dealloc_conn_info (info:0x7fbba9ae5b60)
DBG: ldapconnection_dealloc (self:0x11790b520)
ldap_free_connection 1 1
ldap_send_unbind
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed

What should I do differently? I kept the user identity as my original domain_1 id and password, as I use the same to authenticate with PowerShell (but the RSAT module could be doing something in the background).
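As an added example (not code from the issue or from bonsai), a small triage helper for the two things this first post runs into: it parses the AcceptSecurityContext diagnostic that AD attaches to a result-49 bind failure (the "data 52e" sub-code) into a structured record, and it builds a bind DN with properly comma-separated, RFC 4514-escaped RDNs instead of string concatenation. The sample error string is the one quoted above; the sub-code table is the documented set of Windows logon-failure values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sub-codes AD appends as "data NNN" to the AcceptSecurityContext diagnostic
# that accompanies LDAP result 49 (invalidCredentials). Documented Windows
# logon failure values; 52e is the one reported in this issue.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the DC cannot resolve this principal)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DIAG_RE = re.compile(
    r"(?P<win>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)
# Trailing "(0x0031 [49])" that bonsai appends to its exception message.
_RESULT_RE = re.compile(r"\[(?P<code>\d+)\]\)?\s*$")

# Constructed from the error quoted in the issue.
SAMPLE_ERROR = (
    "bonsai.errors.AuthenticationError: Invalid credentials. 80090308: LdapErr: "
    "DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839 (0x0031 [49])"
)


@dataclass
class BindDiagnostic:
    win_error: str              # e.g. 80090308 (SEC_E_LOGON_DENIED)
    dsid: str                   # Microsoft-internal source location id
    comment: str                # e.g. "AcceptSecurityContext error"
    data: str                   # sub-code, normalised to lowercase hex
    meaning: str                # triage meaning from the table above
    ldap_result: Optional[int]  # LDAP result code if the message carries one


def parse_ad_bind_error(message: str) -> Optional[BindDiagnostic]:
    """Parse the diagnostic AD attaches to a failed bind; None if it is absent."""
    m = _DIAG_RE.search(message)
    if m is None:
        return None
    data = m.group("data").lower()
    r = _RESULT_RE.search(message)
    return BindDiagnostic(
        win_error=m.group("win").upper(),
        dsid=m.group("dsid").upper(),
        comment=m.group("comment"),
        data=data,
        meaning=AD_BIND_DATA_CODES.get(data, "unknown sub-code"),
        ldap_result=int(r.group("code")) if r else None,
    )


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '",+;<>\\' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(cn: str, ou: str, *dc: str) -> str:
    """Join CN, OU and DC components with commas (the separator the concatenated DN above lacked)."""
    rdns = [f"CN={escape_dn_value(cn)}", f"OU={escape_dn_value(ou)}"]
    rdns.extend(f"DC={escape_dn_value(part)}" for part in dc)
    return ",".join(rdns)


if __name__ == "__main__":
    diag = parse_ad_bind_error(SAMPLE_ERROR)
    print(diag)
    print(build_user_dn("my_user", "Users", "DOMAIN_1", "com"))
```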

reach4bawer commented 2 years ago

Is there a way to bind to AD by generating a token through Kerberos?

noirello commented 2 years ago

You can try using GSSAPI or GSS-SPNEGO SASL mechanisms instead of SIMPLE. But unfortunately, I have no experience with AD forests.

reach4bawer commented 2 years ago

@noirello Yes, you are right. I tried GSSAPI using client.set_credentials("GSSAPI", user='user_sam_account_name', password=password, realm = 'domain.com') but I get the error - bonsai.errors.LDAPError: Local error. SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (no credential for XXXXXXXX) (0xFFFE [-2]). I did kdestroy before running the command and checked if there were any tickets before and after running the python script. No tickets were generated.

noirello commented 2 years ago

Are you able to authenticate using kinit in command line? There's an example in the docs. If the ticket is valid for LDAP auth, bonsai should be able to use it.

reach4bawer commented 2 years ago

@noirello Yes, I am able to do that from the command line, but would it not be possible to do that through the script and use it for the connection?

Also when I manually generate the ticket using the kinit command I get the following -

DBG: ldapconnection_new [self:0x104563d00]
DBG: ldapconnection_init (self:0x104563d00)
DBG: ldapconnection_open (self:0x104563d00)
DBG: connecting (self:0x104563d00)
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:0x104748dc0)
DBG: ldapconnectiter_new [self:0x10474bb20]
DBG: create_init_thread_data (client:0x10453bc70, sock:-1)
DBG: create_init_thread (ld:0x7fa9eacdeea0, info:0x7fa9eacfb3e0, thread:0)
DBG: ldapconnection_result (self:0x104563d00, args:0x104566f80, kwds:0x0)[msgid:-1]
DBG: LDAPConnection_Result (self:0x104563d00, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:0x10474bb20, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:123145473105920, timeout:-1, misc:0x7fa9eacdeea0)
DBG: _pthread_mutex_timedlock
DBG: ldap_init_thread_func (params:0x7fa9eacdeea0)
DBG: set connecting async: 0
DBG: ldap_init_thread_func [retval:0]
ldap_create
ldap_url_parse_ext(ldaps://domain.com:636)
DBG: LDAPConnectIter_Next (self:0x10474bb20, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:123145473105920, timeout:-1, misc:0x7fa9eacdeea0)
DBG: _pthread_mutex_timedlock
DBG: set_certificates (self:0x10474bb20)
DBG: binding [state:3]
ldap_sasl_interactive_bind: user selected: GSSAPI
DBG: _ldap_bind (ld:0x7fa9ec11c260, info:0x7fa9eacfb3e0, ppolicy:0, result:0x0, msgid:0)
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP domain.com:636
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 8 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 3, err: 0, subject: 
TLS certificate verification: depth: 2, err: 0, subject:
TLS certificate verification: depth: 1, err: 0, subject: 
TLS certificate verification: depth: 0, err: 0, subject: 
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:SSLv3/TLS read server key exchange
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS trace: SSL_connect:SSLv3/TLS read server done
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write client key exchange
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS read change cipher spec
TLS trace: SSL_connect:SSLv3/TLS read finished
DBG: sasl_interact (ld:0x7fa9ec11c260, flags:2, defs:0x7fa9eacfb3e0, in:0x7fa9ef82da40)
ldap_int_sasl_open: host=server.domain.com
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x7fa9ec11c260 msgid 1
wait4msg ld 0x7fa9ec11c260 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fa9ec11c260 msgid 1 all 1
** ld 0x7fa9ec11c260 Connections:
* host: domain.com  port: 636  (default)
  refcnt: 2  status: Connected
DBG: LDAPConnectIter_Next (self:0x10474bb20, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
  last used: Mon Aug 16 09:46:12 2021
** ld 0x7fa9ec11c260 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fa9ec11c260 request count 1 (abandoned 0)
** ld 0x7fa9ec11c260 Response Queue:
   Empty
  ld 0x7fa9ec11c260 response count 0
ldap_chkResponseList ld 0x7fa9ec11c260 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fa9ec11c260 NULL
ldap_int_select
read1msg: ld 0x7fa9ec11c260 msgid 1 all 1
DBG: _ldap_bind (ld:0x7fa9ec11c260, info:0x7fa9eacfb3e0, ppolicy:0, result:0x7fa9ef820740, msgid:1)
read1msg: ld 0x7fa9ec11c260 msgid 1 message type bind
read1msg: ld 0x7fa9ec11c260 0 new referrals
read1msg:  mark request completed, ld 0x7fa9ec11c260 msgid 1
request done: ld 0x7fa9ec11c260 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
DBG: LDAPConnectIter_Next (self:0x10474bb20, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
ldap_msgfree
ldap_result ld 0x7fa9ec11c260 msgid 2
wait4msg ld 0x7fa9ec11c260 msgid 2 (infinite timeout)
wait4msg continue ld 0x7fa9ec11c260 msgid 2 all 1
** ld 0x7fa9ec11c260 Connections:
* host: domain.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 16 09:46:12 2021
** ld 0x7fa9ec11c260 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fa9ec11c260 request count 1 (abandoned 0)
** ld 0x7fa9ec11c260 Response Queue:
   Empty
  ld 0x7fa9ec11c260 response count 0
ldap_chkResponseList ld 0x7fa9ec11c260 msgid 2 all 1
ldap_chkResponseList returns ld 0x7fa9ec11c260 NULL
ldap_int_select
read1msg: ld 0x7fa9ec11c260 msgid 2 all 1
read1msg: ld 0x7fa9ec11c260 msgid 2 message type bind
read1msg: ld 0x7fa9ec11c260 0 new referrals
read1msg:  mark request completed, ld 0x7fa9ec11c260 msgid 2
request done: ld 0x7fa9ec11c260 msgid 2
res_errno: 14, res_error: <>, res_matched: <>
DBG: _ldap_bind (ld:0x7fa9ec11c260, info:0x7fa9eacfb3e0, ppolicy:0, result:0x7fa9ec7fa0f0, msgid:2)
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
DBG: LDAPConnectIter_Next (self:0x10474bb20, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
ldap_msgfree
ldap_result ld 0x7fa9ec11c260 msgid 3
wait4msg ld 0x7fa9ec11c260 msgid 3 (infinite timeout)
wait4msg continue ld 0x7fa9ec11c260 msgid 3 all 1
** ld 0x7fa9ec11c260 Connections:
* host: domain.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 16 09:46:12 2021
** ld 0x7fa9ec11c260 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fa9ec11c260 request count 1 (abandoned 0)
** ld 0x7fa9ec11c260 Response Queue:
   Empty
  ld 0x7fa9ec11c260 response count 0
ldap_chkResponseList ld 0x7fa9ec11c260 msgid 3 all 1
ldap_chkResponseList returns ld 0x7fa9ec11c260 NULL
ldap_int_select
read1msg: ld 0x7fa9ec11c260 msgid 3 all 1
read1msg: ld 0x7fa9ec11c260 msgid 3 message type bind
DBG: _ldap_bind (ld:0x7fa9ec11c260, info:0x7fa9eacfb3e0, ppolicy:0, result:0x7fa9ec05eb80, msgid:3)
read1msg: ld 0x7fa9ec11c260 0 new referrals
DBG: ldapconnectiter_dealloc (self:0x10474bb20)
read1msg:  mark request completed, ld 0x7fa9ec11c260 msgid 3
DBG: dealloc_conn_info (info:0x7fa9eacfb3e0)
request done: ld 0x7fa9ec11c260 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_pvt_sasl_generic_install
ldap_msgfree
DBG: ldapconnection_dealloc (self:0x104563be0)
ldap_free_connection 1 1
ldap_send_unbind
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
DBG: ldapconnection_search (self:0x104563d00, args:0x1044f8c20, kwds:0x0)
DBG: LDAPConnection_IsClosed (self:0x104563d00)
DBG: ldapsearchiter_new [self:0x103e92df0]
DBG: LDAPSearchIter_New (conn:0x104563d00)[self:0x103e92df0]
DBG: LDAPConnection_Searching (self:0x104563d00, params_in:0x7ffeed1f3ab8, iterator:0x103e92df0)
ldap_search_ext
put_filter: "(&(objectClass=group)(SamAccountName=Group_NAME))"
put_filter: AND
put_filter_list "(objectClass=group)(SamAccountName=Group_NAME)"
put_filter: "(objectClass=group)"
put_filter: simple
put_simple_filter: "objectClass=group"
put_filter: "(SamAccountName=Group_NAME)"
put_filter: simple
put_simple_filter: "SamAccountName=Group_NAME"
ldap_build_search_req ATTRS: *
ldap_send_initial_request
DBG: ldapconnection_result (self:0x104563d00, args:0x104566f80, kwds:0x0)[msgid:4]
ldap_send_server_request
DBG: LDAPConnection_Result (self:0x104563d00, msgid:4, millisec:-1)
ldap_result ld 0x7fa9ec11c260 msgid 4
wait4msg ld 0x7fa9ec11c260 msgid 4 (infinite timeout)
wait4msg continue ld 0x7fa9ec11c260 msgid 4 all 1
** ld 0x7fa9ec11c260 Connections:
* host: domain.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 16 09:46:12 2021
** ld 0x7fa9ec11c260 Outstanding Requests:
 * msgid 4,  origid 4, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fa9ec11c260 request count 1 (abandoned 0)
** ld 0x7fa9ec11c260 Response Queue:
   Empty
  ld 0x7fa9ec11c260 response count 0
ldap_chkResponseList ld 0x7fa9ec11c260 msgid 4 all 1
ldap_chkResponseList returns ld 0x7fa9ec11c260 NULL
ldap_int_select
read1msg: ld 0x7fa9ec11c260 msgid 4 all 1
ber_get_next failed, errno=5.
ldap_err2string
DBG: ldapconnection_close (self:0x104563d00)
ldap_abandon_ext 4
do_abandon origid 4, msgid 4
ldap_msgdelete ld=0x7fa9ec11c260 msgid=4
ldap_free_request (origid 4, msgid 4)
ldap_free_connection 0 1
ldap_free_connection: actually freed
ldap_err2string
DBG: ldapconnection_dealloc (self:0x10452b520)
Traceback (most recent call last):
  File "<input>", line 23, in <module>
  File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 329, in paged_search
    return super().paged_search(
  File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 169, in paged_search
    return self.__base_search(
  File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 111, in __base_search
    return self._evaluate(msg_id, timeout)
  File "//Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 246, in _evaluate
    return self.get_result(msg_id, timeout)
bonsai.errors.ConnectionError: Can't contact LDAP server. (0xFFFF [-1])
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "<input>", line 33, in <module>
  File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 37, in __exit__
    self.close()
bonsai.errors.ConnectionError: Can't contact LDAP server. (0xFFFF [-1])

noirello commented 2 years ago

Could you share the example code you use when trying to use the pre-acquired ticket?

And the output of bonsai.has_krb5_support() would also be great.

reach4bawer commented 2 years ago

import bonsai
import configparser

bonsai.set_connect_async(False)

CACERT_FILE = "./Cert/cacerts.pem"

username = 'my_user'
password = 'SecretPassword#'

config = configparser.ConfigParser()
config.read('.//AD_Configs//Config.ini')
server_name = config['DOMAIN_1']['URL'] # 'domain.com'

client = bonsai.LDAPClient(server_name)
client.set_ca_cert(CACERT_FILE)
# With auto page acquire on, iterating a paged search result follows the paging cookie by itself.
client.set_auto_page_acquire(True)

# GSSAPI bind; the realm is taken from the same config value as the server name.
client.set_credentials("GSSAPI", user=username, password=password, realm = server_name)

base = "DC=DOMAIN_1,DC=com"

query = "(&(objectClass=group)(SamAccountName=Group_NAME))"

final_result = []

# The context manager opens (and binds) the connection and closes it on exit.
with client.connect() as conn:
    result = conn.paged_search(base=base, scope=2, filter_exp=query, attrlist=['*'],
                               page_size=1000, attrsonly=False)
    for r in result:
        final_result.append(r)
    print(len(final_result))
    # Manual page walk; only needed when auto page acquire is off.
    msgid = result.acquire_next_page()
    while msgid is not None:
        result = conn._evaluate(msgid)
        for r in result:
            final_result.append(r)
        msgid = result.acquire_next_page()

print(len(final_result))

Output for the bonsai.has_krb5_support()

False

noirello commented 2 years ago

The module hasn't been built with Kerberos support, so it's not possible to acquire a ticket from inside the script. But using kinit should work.

Could you try to run a simpler script? Something like this:

import bonsai
import configparser

bonsai.set_debug(True, -1)
bonsai.set_connect_async(False)

CACERT_FILE = "./Cert/cacerts.pem"

config = configparser.ConfigParser()
config.read('.//AD_Configs//Config.ini')
server_name = config['DOMAIN_1']['URL'] # 'domain.com'

client = bonsai.LDAPClient(server_name)
client.set_ca_cert(CACERT_FILE)
client.set_credentials("GSSAPI")

with client.connect() as conn:
    print(conn.whoami())

Run kinit for getting a ticket, then this script.

reach4bawer commented 2 years ago

@noirello I got the ticket and ran the script. Here are the logs -

DBG: ldapconnection_new [self:0x102430400]
DBG: ldapconnection_init (self:0x102430400)
DBG: ldapconnection_open (self:0x102430400)
DBG: connecting (self:0x102430400)
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:0x102410900)
DBG: ldapconnectiter_new [self:0x102427a30]
DBG: create_init_thread_data (client:0x10240fd60, sock:-1)
DBG: create_init_thread (ld:0x7fcec385e6c0, info:0x7fcec383b740, thread:0)
DBG: ldapconnection_result (self:0x102430400, args:0x101cfb2c0, kwds:0x0)[msgid:-1]
DBG: DBG: LDAPConnection_Result (self:0x102430400, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:0x102427a30, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:123145480474624, timeout:-1, misc:0x7fcec385e6c0)
ldap_init_thread_func (params:0x7fcec385e6c0)
DBG: _pthread_mutex_timedlock
ldap_create
ldap_url_parse_ext(ldaps://domain.com:636)
DBG: set connecting async: 0
DBG: ldap_init_thread_func [retval:0]
DBG: set_certificates (self:0x102427a30)
DBG: binding [state:3]
DBG: _ldap_bind (ld:0x7fcec3c202b0, info:0x7fcec383b740, ppolicy:0, result:0x0, msgid:0)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP domain.com:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 10.X.X.X:636
ldap_pvt_connect: fd: 7 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 3, err: 0, subject: 
TLS certificate verification: depth: 2, err: 0, subject: 
TLS certificate verification: depth: 1, err: 0, subject: 
TLS certificate verification: depth: 0, err: 0, subject: 
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:SSLv3/TLS read server key exchange
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS trace: SSL_connect:SSLv3/TLS read server done
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write client key exchange
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS read change cipher spec
TLS trace: SSL_connect:SSLv3/TLS read finished
ldap_int_sasl_open: host=server.domain.com
DBG: sasl_interact (ld:0x7fcec3c202b0, flags:2, defs:0x7fcec383b740, in:0x7fcec1fedeb0)
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
DBG: LDAPConnectIter_Next (self:0x102427a30, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
ldap_msgfree
ldap_result ld 0x7fcec3c202b0 msgid 1
wait4msg ld 0x7fcec3c202b0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fcec3c202b0 msgid 1 all 1
** ld 0x7fcec3c202b0 Connections:
* host: domain.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 16 12:12:15 2021
** ld 0x7fcec3c202b0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fcec3c202b0 request count 1 (abandoned 0)
** ld 0x7fcec3c202b0 Response Queue:
   Empty
  ld 0x7fcec3c202b0 response count 0
ldap_chkResponseList ld 0x7fcec3c202b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fcec3c202b0 NULL
ldap_int_select
read1msg: ld 0x7fcec3c202b0 msgid 1 all 1
read1msg: ld 0x7fcec3c202b0 msgid 1 message type bind
read1msg: ld 0x7fcec3c202b0 0 new referrals
DBG: _ldap_bind (ld:0x7fcec3c202b0, info:0x7fcec383b740, ppolicy:0, result:0x7fcec1fed910, msgid:1)
read1msg:  mark request completed, ld 0x7fcec3c202b0 msgid 1
request done: ld 0x7fcec3c202b0 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
DBG: LDAPConnectIter_Next (self:0x102427a30, timeout:-1) [tls:0, state:4]
ldap_msgfree
DBG: binding [state:4]
ldap_result ld 0x7fcec3c202b0 msgid 2
wait4msg ld 0x7fcec3c202b0 msgid 2 (infinite timeout)
wait4msg continue ld 0x7fcec3c202b0 msgid 2 all 1
** ld 0x7fcec3c202b0 Connections:
* host: domain.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 16 12:12:15 2021
** ld 0x7fcec3c202b0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fcec3c202b0 request count 1 (abandoned 0)
** ld 0x7fcec3c202b0 Response Queue:
   Empty
  ld 0x7fcec3c202b0 response count 0
ldap_chkResponseList ld 0x7fcec3c202b0 msgid 2 all 1
ldap_chkResponseList returns ld 0x7fcec3c202b0 NULL
ldap_int_select
read1msg: ld 0x7fcec3c202b0 msgid 2 all 1
read1msg: ld 0x7fcec3c202b0 msgid 2 message type bind
read1msg: ld 0x7fcec3c202b0 0 new referrals
read1msg:  mark request completed, ld 0x7fcec3c202b0 msgid 2
request done: ld 0x7fcec3c202b0 msgid 2
DBG: _ldap_bind (ld:0x7fcec3c202b0, info:0x7fcec383b740, ppolicy:0, result:0x7fcec1c6cfd0, msgid:2)
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
DBG: LDAPConnectIter_Next (self:0x102427a30, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
ldap_msgfree
ldap_result ld 0x7fcec3c202b0 msgid 3
wait4msg ld 0x7fcec3c202b0 msgid 3 (infinite timeout)
wait4msg continue ld 0x7fcec3c202b0 msgid 3 all 1
** ld 0x7fcec3c202b0 Connections:
* host: domain  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 16 12:12:15 2021
** ld 0x7fcec3c202b0 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fcec3c202b0 request count 1 (abandoned 0)
** ld 0x7fcec3c202b0 Response Queue:
   Empty
  ld 0x7fcec3c202b0 response count 0
ldap_chkResponseList ld 0x7fcec3c202b0 msgid 3 all 1
ldap_chkResponseList returns ld 0x7fcec3c202b0 NULL
ldap_int_select
read1msg: ld 0x7fcec3c202b0 msgid 3 all 1
read1msg: ld 0x7fcec3c202b0 msgid 3 message type bind
read1msg: ld 0x7fcec3c202b0 0 new referrals
read1msg:  mark request completed, ld 0x7fcec3c202b0 msgid 3
request done: ld 0x7fcec3c202b0 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
DBG: _ldap_bind (ld:0x7fcec3c202b0, info:0x7fcec383b740, ppolicy:0, result:0x7fcec1c6cfd0, msgid:3)
DBG: ldapconnectiter_dealloc (self:0x102427a30)
ldap_int_sasl_bind: GSSAPI
DBG: dealloc_conn_info (info:0x7fcec383b740)
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_pvt_sasl_generic_install
ldap_msgfree
DBG: ldapconnection_whoami (self:0x102430400)
DBG: LDAPConnection_IsClosed (self:0x102430400)
ldap_extended_operation
ldap_send_initial_request
ldap_send_server_request
DBG: ldapconnection_result (self:0x102430400, args:0x101cfb2c0, kwds:0x0)[msgid:4]
DBG: LDAPConnection_Result (self:0x102430400, msgid:4, millisec:-1)
ldap_result ld 0x7fcec3c202b0 msgid 4
wait4msg ld 0x7fcec3c202b0 msgid 4 (infinite timeout)
wait4msg continue ld 0x7fcec3c202b0 msgid 4 all 1
** ld 0x7fcec3c202b0 Connections:
* host: domain.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 16 12:12:15 2021
** ld 0x7fcec3c202b0 Outstanding Requests:
 * msgid 4,  origid 4, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fcec3c202b0 request count 1 (abandoned 0)
** ld 0x7fcec3c202b0 Response Queue:
   Empty
  ld 0x7fcec3c202b0 response count 0
ldap_chkResponseList ld 0x7fcec3c202b0 msgid 4 all 1
ldap_chkResponseList returns ld 0x7fcec3c202b0 NULL
ldap_int_select
read1msg: ld 0x7fcec3c202b0 msgid 4 all 1
ber_get_next failed, errno=5.
ldap_err2string
DBG: ldapconnection_close (self:0x102430400)
ldap_abandon_ext 4
do_abandon origid 4, msgid 4
ldap_msgdelete ld=0x7fcec3c202b0 msgid=4
ldap_free_request (origid 4, msgid 4)
ldap_free_connection 0 1
ldap_free_connection: actually freed
ldap_err2string
Traceback (most recent call last):
  File "<input>", line 6, in <module>
  File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 405, in whoami
    return super().whoami(timeout)
  File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 221, in whoami
    return self._evaluate(super().whoami(), timeout)
  File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 246, in _evaluate
    return self.get_result(msg_id, timeout)
bonsai.errors.ConnectionError: Can't contact LDAP server. (0xFFFF [-1])
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "<input>", line 6, in <module>
  File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 37, in __exit__
    self.close()
bonsai.errors.ConnectionError: Can't contact LDAP server. (0xFFFF [-1])

I can rebuild the module with Kerberos on my Mac using the guide https://bonsai.readthedocs.io/en/latest/install.html; what is the path that I need to include in setup.cfg for Kerberos (for either package, libkrb5-dev or heimdal-dev)?
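As an added example (not from the thread or from bonsai), a summarizer for the libldap/bonsai debug traces posted above: it pairs each msgid with its result code and names the pattern visible in the GSSAPI traces, where the bind itself completes (result 14, saslBindInProgress, on the first two rounds and 0 on the third) and the very next operation dies with ber_get_next errno=5, a post-authentication transport failure rather than a credential problem; the SIMPLE trace, by contrast, ends at result 49. The sample lines are excerpts constructed from the traces above; treating the ldap_pvt_sasl_generic_install line as a marker that a SASL security layer was installed on the connection is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

_MECH_RE = re.compile(r"create_conn_info \(mech:(?P<mech>[^,)]+)")
_TYPE_RE = re.compile(r"read1msg: ld \S+ msgid (?P<id>\d+) message type (?P<type>\w+)")
_DONE_RE = re.compile(r"request done: ld \S+ msgid (?P<id>\d+)")
_ERRNO_RE = re.compile(r"res_errno: (?P<errno>\d+)")
_TLS_RE = re.compile(r"TLS certificate verification: depth: \d+, err: (?P<err>\d+)")
_BER_RE = re.compile(r"ber_get_next failed, errno=(?P<errno>\d+)")

LDAP_SASL_BIND_IN_PROGRESS = 14
LDAP_INVALID_CREDENTIALS = 49

# Constructed excerpt of the GSSAPI trace posted above (addresses shortened).
SAMPLE_GSSAPI_TRACE = """\
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:0x104748dc0)
TLS certificate verification: depth: 1, err: 0, subject:
TLS certificate verification: depth: 0, err: 0, subject:
ldap_int_sasl_bind: GSSAPI
read1msg: ld 0x7fa9ec11c260 msgid 1 message type bind
request done: ld 0x7fa9ec11c260 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
sasl_client_step: 1
read1msg: ld 0x7fa9ec11c260 msgid 2 message type bind
request done: ld 0x7fa9ec11c260 msgid 2
DBG: _ldap_bind (ld:0x7fa9ec11c260, info:0x7fa9eacfb3e0, ppolicy:0, result:0x7fa9ec7fa0f0, msgid:2)
res_errno: 14, res_error: <>, res_matched: <>
sasl_client_step: 0
read1msg: ld 0x7fa9ec11c260 msgid 3 message type bind
request done: ld 0x7fa9ec11c260 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_pvt_sasl_generic_install
DBG: ldapconnection_whoami (self:0x104563d00)
read1msg: ld 0x7fa9ec11c260 msgid 4 all 1
ber_get_next failed, errno=5.
"""

# Constructed excerpt of the SIMPLE-bind trace from the first post.
SAMPLE_SIMPLE_TRACE = """\
DBG: create_conn_info (mech:SIMPLE, sock:-1, creds:0x117905600)
TLS certificate verification: depth: 0, err: 0, subject:
read1msg: ld 0x7fbba9a77110 msgid 1 message type bind
request done: ld 0x7fbba9a77110 msgid 1
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839>, res_matched: <>
"""


@dataclass
class TraceSummary:
    mechanism: Optional[str] = None
    results: Dict[int, int] = field(default_factory=dict)    # msgid -> LDAP result code
    msg_types: Dict[int, str] = field(default_factory=dict)  # msgid -> message type
    sasl_steps: int = 0
    tls_verify_errors: int = 0
    sasl_layer_installed: bool = False  # assumption: inferred from ldap_pvt_sasl_generic_install
    transport_errno: Optional[int] = None

    @property
    def bind_ok(self) -> bool:
        return any(code == 0 for m, code in self.results.items() if self.msg_types.get(m) == "bind")

    @property
    def failed_after_bind(self) -> bool:
        return self.bind_ok and self.transport_errno is not None


def summarize_bind_trace(lines: Iterable[str]) -> TraceSummary:
    """Fold a libldap/bonsai debug trace into per-msgid results and the key flags."""
    s = TraceSummary()
    pending: Optional[int] = None  # msgid whose res_errno line has not been seen yet
    for line in lines:
        line = line.rstrip()
        if (m := _MECH_RE.search(line)):
            s.mechanism = m.group("mech")
        elif (m := _TYPE_RE.search(line)):
            s.msg_types[int(m.group("id"))] = m.group("type")
        elif (m := _DONE_RE.search(line)):
            pending = int(m.group("id"))
        elif (m := _ERRNO_RE.match(line)) and pending is not None:
            s.results[pending] = int(m.group("errno"))
            pending = None
        elif line.startswith("sasl_client_step:"):
            s.sasl_steps += 1
        elif (m := _TLS_RE.search(line)):
            if int(m.group("err")) != 0:
                s.tls_verify_errors += 1
        elif line.startswith("ldap_pvt_sasl_generic_install"):
            s.sasl_layer_installed = True
        elif (m := _BER_RE.search(line)):
            s.transport_errno = int(m.group("errno"))
    return s


def describe(s: TraceSummary) -> str:
    """One-line triage verdict separating credential failures from post-bind failures."""
    if not s.results:
        return "no bind result in trace"
    if s.failed_after_bind:
        return (f"{s.mechanism} bind succeeded after {s.sasl_steps} SASL steps; the next "
                f"operation died at transport level (errno={s.transport_errno}), "
                f"SASL layer installed={s.sasl_layer_installed}: not a credential problem")
    if any(code == LDAP_INVALID_CREDENTIALS for code in s.results.values()):
        return f"{s.mechanism} bind rejected with invalidCredentials (49)"
    return "bind ok" if s.bind_ok else "bind incomplete"


if __name__ == "__main__":
    for trace in (SAMPLE_GSSAPI_TRACE, SAMPLE_SIMPLE_TRACE):
        print(describe(summarize_bind_trace(trace.splitlines())))
```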

noirello commented 2 years ago

I've just realized that you cannot compile the module with Kerberos support on Mac. :( You can install heimdal with brew, but they've just recently added the required functionality to acquire a TGT and it's not released yet.

reach4bawer commented 2 years ago

No problem @noirello. I will install Heimdal, I think their version 7.7.0 for Mac, and keep an eye out for further updates.

For Windows and for Linux this should work, right?

On trying this on a Windows 10 machine, the same code generates -

DBG: ldapconnection_new [self:000001BC571DB820]
DBG: ldapconnection_init (self:000001BC571DB820)
DBG: ldapconnection_open (self:000001BC571DB820)
DBG: connecting (self:000001BC571DB820)
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:000001BC571FB740)
DBG: ldapconnectiter_new [self:000001BC571EECB0]
DBG: create_init_thread_data (client:000001BC56FC8FD0, sock:-1)
DBG: create_init_thread (ld:000001BC5695FBE0, info:000001BC569940C0, thread:0)
DBG: ldapconnection_result (self:000001BC571DB820, args:000001BC56F18940, kwds:0000000000000000)[msgid:-1]
DBG: LDAPConnection_Result (self:000001BC571DB820, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:000001BC571EECB0, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:0000000000001398, timeout:-1, misc:000001BC5695FBE0)
DBG: ldap_init_thread_func (params:000001BC5695FBE0)
DBG: ldap_init_thread_func [retval:0]
DBG: binding [state:3]
DBG: _ldap_bind (ld:000001BC5691FC18, info:000001BC569940C0, ppolicy:0, result:0000000000000000, msgid:0)
DBG: LDAPConnectIter_Next (self:000001BC571EECB0, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
DBG: ldap_thread_bind (params:000001BC569940C0)
DBG: ldapconnectiter_dealloc (self:000001BC571EECB0)
DBG: dealloc_conn_info (info:000001BC569940C0)
DBG: ldapconnection_dealloc (self:000001BC571DB220)
Traceback (most recent call last):
  File "<input>", line 16, in <module>
  File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapclient.py", line 588, in connect
    return LDAPConnection(self).open(timeout)
  File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 297, in open
    return super().open(timeout)
  File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 53, in open
    return self._evaluate(super().open(), timeout)
  File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 246, in _evaluate
    return self.get_result(msg_id, timeout)
bonsai.errors.AuthenticationError: Invalid Credentials. (0x0031 [49])

The packages that I have are -

bonsai==1.2.1
cffi==1.14.6
cryptography==3.4.7
decorator==5.0.9
dnspython==2.1.0
gssapi==1.6.14
pyasn1==0.4.8
pycparser==2.20
noirello commented 2 years ago

I've just realized that you cannot compile the module with Kerberos support on Mac. :(

Never mind. You can install MIT Kerberos with brew install krb5, then update the include and lib dirs in setup.cfg:

[build_ext]
include_dirs=/usr/local/opt/openldap/include:/usr/local/opt/krb5/include
library_dirs=/usr/local/opt/openldap/lib:/usr/local/opt/krb5/lib

But something still goes wrong on Mac, it fails to use the Kerberos ticket.

For Windows and for Linux this should work, right?

Yes, it should. But you always have to set the user, password and realm params on Windows.

reach4bawer commented 2 years ago

I had the krb5 library installed and I will recompile bonsai and let you know the results.

As for Windows, I did pass the credentials (not the ones that I was logged on with on the system) in set_credentials. Following are the script and the debug logs -

import bonsai
import configparser

bonsai.set_debug(True, -1)
bonsai.set_connect_async(False)

CACERT_FILE = "./Cert/cacerts.pem"

config = configparser.ConfigParser()
config.read('.//AD_Configs//Config.ini')
server_name = config['DOMAIN_1']['URL'] # 'ldaps://domain.com'
username = 'my_user'
password = 'SecretPassword#'
realm = config['Domain']['Domain']  # "domain.com"

client = bonsai.LDAPClient(server_name)
client.set_ca_cert(CACERT_FILE)
client.set_credentials("GSSAPI", username, password, realm)

with client.connect() as conn:
    print(conn.whoami())

DBG: ldapconnection_new [self:000001BC571DB220]
DBG: ldapconnection_init (self:000001BC571DB220)
DBG: ldapconnection_open (self:000001BC571DB220)
DBG: connecting (self:000001BC571DB220)
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:000001BC56FD7E80)
DBG: ldapconnectiter_new [self:000001BC57077B20]
DBG: create_init_thread_data (client:000001BC56FDD130, sock:-1)
DBG: create_init_thread (ld:000001BC5695FC40, info:000001BC56994570, thread:0)
DBG: ldapconnection_result (self:000001BC571DB220, args:000001BC56FCEB40, kwds:0000000000000000)[msgid:-1]
DBG: LDAPConnection_Result (self:000001BC571DB220, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:000001BC57077B20, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:0000000000000DD8, timeout:-1, misc:000001BC5695FC40)
DBG: ldap_init_thread_func (params:000001BC5695FC40)
DBG: ldap_init_thread_func [retval:0]
DBG: binding [state:3]
DBG: _ldap_bind (ld:000001BC56926508, info:000001BC56994570, ppolicy:0, result:0000000000000000, msgid:0)
DBG: LDAPConnectIter_Next (self:000001BC57077B20, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
DBG: ldap_thread_bind (params:000001BC56994570)
DBG: ldapconnectiter_dealloc (self:000001BC57077B20)
DBG: dealloc_conn_info (info:000001BC56994570)
Traceback (most recent call last):
  File "<input>", line 19, in <module>
  File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapclient.py", line 588, in connect
    return LDAPConnection(self).open(timeout)
  File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 297, in open
    return super().open(timeout)
  File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 53, in open
    return self._evaluate(super().open(), timeout)
  File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 246, in _evaluate
    return self.get_result(msg_id, timeout)
bonsai.errors.AuthenticationError: Invalid Credentials. SSPI authentication procedure is failed with error code: 0x8009030c (0x0031 [49])
reach4bawer commented 2 years ago

Never mind. You can install MIT Kerberos with brew install krb5, then update the include and lib dirs in setup.cfg:

[build_ext]
include_dirs=/usr/local/opt/openldap/include:/usr/local/opt/krb5/include
library_dirs=/usr/local/opt/openldap/lib:/usr/local/opt/krb5/lib

But something still goes wrong on Mac, it fails to use the Kerberos ticket.

Yes, so after recompiling I was able to get it to work on Mac; maybe I need to recompile it on Windows as well. Interestingly, the whoami() command shows this being run as the user I am logged in with and not the credentials that I passed.

reach4bawer commented 2 years ago

@noirello Recompiling on Windows didn't do anything; I still get the same error.

noirello commented 2 years ago

The security implementation is completely different on Windows. No third party Kerberos library is involved; it uses libraries shipped with Windows by default. Have you tried looking into the security logs on the server side? It looks like this article describes a similar issue.

reach4bawer commented 2 years ago

Okay, I will have to contact someone to see the logs on the server. Is there any workaround for my token being used instead of generating a new token with the passed credentials?

reach4bawer commented 2 years ago

I tried this on a Linux machine (in AWS, AWS Linux), since the team that can help me look at the logs for Windows is not available. I followed the guide. I installed the dependencies and built with the Kerberos libraries.

I run into the following -

import bonsai
import configparser

bonsai.set_debug(True, -1)
bonsai.set_connect_async(False)

CACERT_FILE = "./Cert/cacerts.pem"

config = configparser.ConfigParser()
config.read('.//AD_Configs//Config.ini')
server_name = config['DOMAIN_1']['URL'] # 'ldaps://domain.com'
username = 'my_user'
password = 'SecretPassword#'
realm = config['Domain']['Domain']  # "domain.com"

client = bonsai.LDAPClient(server_name)
client.set_ca_cert(CACERT_FILE)
client.set_credentials("GSSAPI", username, password, realm)

with client.connect() as conn:
    print(conn.whoami())

ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_init: HOME env is /home/ec2-user
ldap_init: trying /home/ec2-user/ldaprc
ldap_init: trying /home/ec2-user/.ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Is Bonsai build with kerberos -True
DBG: ldapconnection_new [self:0x7f4189ed2bb0]
DBG: ldapconnection_init (self:0x7f4189ed2bb0)
DBG: ldapconnection_open (self:0x7f4189ed2bb0)
DBG: connecting (self:0x7f4189ed2bb0)
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:0x7f4189ec1730)
DBG: ldapconnectiter_new [self:0x7f4189ec3ee0]
DBG: create_init_thread_data (client:0x7f4189ebf710, sock:-1)
DBG: create_init_thread (ld:0x1d810d0, info:0x1bf6d40, thread:0)
DBG: DBG: ldapconnection_result (self:0x7f4189ed2bb0, args:0x7f4189ec80a0, kwds:(nil))[msgid:-1]
DBG: LDAPConnection_Result (self:0x7f4189ed2bb0, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:0x7f4189ec3ee0, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:139919317710592, timeout:-1, misc:0x1d810d0)
DBG: _pthread_mutex_timedlock
ldap_init_thread_func (params:0x1d810d0)
ldap_create
ldap_url_parse_ext(ldaps://domain.com:636)
DBG: set connecting async: 0
DBG: create_krb5_cred (ctx:0x1c0a1e0, realm:domain.com, user:distinguished_name, password:****, ktname: , ccache:0x1bf6d78, gsscred:0x1bf6d80)
DBG: LDAPConnectIter_Next (self:0x7f4189ec3ee0, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:139919317710592, timeout:-1, misc:0x1d810d0)
DBG: _pthread_mutex_timedlock
DBG: LDAPConnectIter_Next (self:0x7f4189ec3ee0, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:139919317710592, timeout:-1, misc:0x1d810d0)
DBG: _pthread_mutex_timedlock
DBG: ldap_init_thread_func [retval:-1765328378]
DBG: ldapconnectiter_dealloc (self:0x7f4189ec3ee0)
DBG: dealloc_conn_info (info:0x1bf6d40)
DBG: remove_krb5_cred (ctx:0x1c0a1e0, cchache:0x7f4174009b20, gsscred:0x1bf6d80)
Traceback (most recent call last):
  File "/home/ec2-user/.pycharm_helpers/pydev/pydevd.py", line 1483, in _exec
    pydev_imports.execfile(file, globals, locals)  # execute the script
  File "/home/ec2-user/.pycharm_helpers/pydev/_pydev_imps/_pydev_execfile.py", line 18, in execfile
    exec(compile(contents+"\n", file, 'exec'), glob, loc)
  File "/home/ec2-user/AD_Audit_Automation/whoami.py", line 22, in <module>
    with client.connect() as conn:
  File "/usr/local/lib64/python3.7/site-packages/bonsai-1.2.1-py3.7-linux-x86_64.egg/bonsai/ldapclient.py", line 588, in connect
    return LDAPConnection(self).open(timeout)
  File "/usr/local/lib64/python3.7/site-packages/bonsai-1.2.1-py3.7-linux-x86_64.egg/bonsai/ldapconnection.py", line 297, in open
    return super().open(timeout)
  File "/usr/local/lib64/python3.7/site-packages/bonsai-1.2.1-py3.7-linux-x86_64.egg/bonsai/ldapconnection.py", line 53, in open
    return self._evaluate(super().open(), timeout)
  File "/usr/local/lib64/python3.7/site-packages/bonsai-1.2.1-py3.7-linux-x86_64.egg/bonsai/ldapconnection.py", line 246, in _evaluate
    return self.get_result(msg_id, timeout)
bonsai.errors.AuthenticationError: Client 'distinguished_name@domain.com' not found in Kerberos database. (KRB5_ERROR 0x96c73a06) (0x0031 [49])

The same works on my macbook after generating the ticket with kinit.

I noted the following -

noirello commented 2 years ago

I looked into it a little:

reach4bawer commented 2 years ago

On Mac - no problem. I logged in using the credentials I needed during the development. On Linux - I ran into the caps problem when I was trying to generate the ticket using kinit; from that point onwards I converted everything to upper case. My krb5.conf looks okay -

includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
rdns = false

Not sure where I can find the kdc.conf. I looked into the directories mentioned in https://manpages.ubuntu.com/manpages/bionic/man5/kdc.conf.5.html and couldn't find it in /etc/krb5kdc or in KRB5_KDC_PROFILE.
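
The following is an added example, not code posted in this thread and not part of bonsai. It encodes what the KRB5_ERROR above means: 0x96c73a06 is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, so the KDC found no account for the client principal <user>@<realm> that bonsai built from the set_credentials() arguments (the create_krb5_cred debug line shows exactly that pair). Two things decide whether that principal exists: Kerberos realm names are case-sensitive (an AD realm is the DNS domain name in upper case, which is also why kinit only worked after the caps change), and the user part must be the account name (sAMAccountName or UPN), never the LDAP DN that a SIMPLE bind takes. The account names, realm and DC host name in the block are placeholders, and the bonsai call at the bottom only runs when the module is installed.

```python
"""Sanity-check the Kerberos principal before a GSSAPI bind.

Added example, not from this thread or from the bonsai project. The error
codes come from the MIT krb5 error table; the names below are placeholders.
"""
import re
from typing import Tuple

# MIT krb5 KDC error table: base 0x96C73A00 (-1765328384 as a signed int),
# offset = the KDC error code from RFC 4120. Only the two seen in this thread.
_KRB5_BASE = -1765328384
KRB5_ERRORS = {
    _KRB5_BASE + 6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    _KRB5_BASE + 7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in Kerberos database)",
}

# A string that starts with an attribute type and '=' is an LDAP DN, which is
# what a SIMPLE bind takes; Kerberos wants a sAMAccountName or UPN instead.
_DN_RE = re.compile(r"^\s*(CN|OU|DC|UID|O)\s*=", re.IGNORECASE)


def decode_krb5_error(code: int) -> str:
    """Name a libkrb5 error given either the signed value bonsai logs in
    'ldap_init_thread_func [retval:-1765328378]' or the unsigned hex form
    printed in the exception message (0x96c73a06)."""
    if code > 0x7FFFFFFF:
        code -= 1 << 32
    return KRB5_ERRORS.get(code, f"unknown krb5 error {code}")


def build_principal(user: str, realm: str) -> Tuple[str, str, str]:
    """Return (user, REALM, principal) normalised for set_credentials("GSSAPI", ...).

    Raises ValueError for a DN passed as user, or for a UPN whose suffix does
    not match the realm. The UPN check is deliberately conservative: AD allows
    alternative UPN suffixes, but they are not what a plain user@REALM
    AS-REQ asks for, so they are rejected here rather than silently rewritten.
    """
    if _DN_RE.match(user):
        raise ValueError(f"{user!r} is an LDAP DN; GSSAPI needs an account name")
    realm = realm.upper()
    if "@" in user:
        name, _, suffix = user.rpartition("@")
        if suffix.upper() != realm:
            raise ValueError(f"UPN suffix {suffix!r} does not match realm {realm!r}")
        user = name
    if not user:
        raise ValueError("empty user name")
    return user, realm, f"{user}@{realm}"


if __name__ == "__main__":
    # Placeholder names, as in the thread; the DC host name is an assumption.
    user, realm, principal = build_principal("my_user", "domain.com")
    print("AS-REQ will be for", principal)
    print(decode_krb5_error(0x96c73a06))
    try:
        import bonsai
    except ImportError:
        bonsai = None
    if bonsai is not None:
        client = bonsai.LDAPClient("ldaps://dc01.domain.com")
        client.set_credentials("GSSAPI", user, "SecretPassword#", realm)
        with client.connect() as conn:
            print(conn.whoami())
```

decode_krb5_error() accepts both forms bonsai prints for the same failure, the signed retval in the debug output and the hex code in the exception text, so the two can be matched without a calculator.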

noirello commented 2 years ago

Oh, sorry, I meant krb5.conf, not kdc.conf (that's the server's configuration). So using an upper-case realm for the LDAPClient.set_credentials's realm param did not help to avoid the authentication error on Linux?

reach4bawer commented 2 years ago

It did not work. I get - bonsai.errors.LDAPError: Local error. SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) (0xFFFE [-2]) error. Is there a reason why it does not resolve to the nearest domain server? Also, if there are multiple referrals the script would break.

Edit: I meant a referral, if I query an AD group that has a group from a different domain with members in multiple other domains.
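
An added example on the "Server not found in Kerberos database" error above, again not code from this thread or from bonsai. That message is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: the client side is now fine (it obtained a TGT), but the TGS request asked for a service ticket for ldap/<host>@REALM, where <host> is the name taken from the LDAP URL, because rdns = false in the krb5.conf above disables reverse-DNS canonicalisation. A domain controller registers its LDAP SPNs under its own host name (ldap/dc01.domain.com), so a URL that points at the bare domain name, as the script's ldaps://domain.com does, requests a service principal that by default no DC holds. Nothing in the LDAP library picks the nearest DC for you; that is the job of the AD DC-locator SRV records (_ldap._tcp.dc._msdcs.<domain> for the whole domain, _ldap._tcp.<site>._sites.dc._msdcs.<domain> for one site). The block below reads those records from a constructed answer so it runs offline; the DC names dc01 to dc03 and the site name Frankfurt are made up, and the lookup callable can be replaced by a real resolver such as dnspython's dns.resolver.resolve(name, "SRV"), which is already in the poster's environment.

```python
"""Pick a domain controller and derive the SPN a GSSAPI bind will ask for.

Added example, not part of bonsai. SRV data below is constructed; in
production replace `lookup` with a real DNS query.
"""
from typing import Callable, List, NamedTuple, Optional
from urllib.parse import urlsplit


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str  # DC FQDN


# Constructed DC-locator answer, shaped like the records AD publishes.
SAMPLE_SRV = {
    "_ldap._tcp.dc._msdcs.domain.com": [
        Srv(0, 100, 389, "dc01.domain.com"),
        Srv(0, 50, 389, "dc02.domain.com"),
        Srv(10, 100, 389, "dc03.domain.com"),
    ],
    "_ldap._tcp.Frankfurt._sites.dc._msdcs.domain.com": [
        Srv(0, 100, 389, "dc02.domain.com"),
    ],
}


def srv_name(domain: str, site: Optional[str] = None) -> str:
    """Owner name of the DC-locator SRV record, site-specific when a site is given."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def pick_dc(records: List[Srv]) -> Srv:
    """Lowest priority wins; among equal priorities take the highest weight.
    RFC 2782 says to choose randomly in proportion to weight; this
    deterministic variant is easier to reason about and to test."""
    if not records:
        raise LookupError("no SRV records")
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))[0]


def locate_dc(domain: str, site: Optional[str] = None,
              lookup: Callable[[str], Optional[List[Srv]]] = SAMPLE_SRV.get) -> Srv:
    """Site-specific records first (nearest DC), whole-domain list as fallback."""
    if site:
        recs = lookup(srv_name(domain, site))
        if recs:
            return pick_dc(recs)
    return pick_dc(lookup(srv_name(domain)) or [])


def ldap_spn(url: str, realm: str) -> str:
    """The service principal libkrb5 requests for this URL when rdns = false."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return f"ldap/{host}@{realm.upper()}"


def check_url(url: str, domain: str) -> List[str]:
    """Warnings for a URL that is unlikely to work with a GSSAPI bind."""
    warnings = []
    host = (urlsplit(url).hostname or "").lower()
    if host == domain.lower():
        warnings.append(f"{host} is the domain name, not a DC; no DC registers ldap/{host} by default")
    if "." not in host:
        warnings.append(f"{host} is not an FQDN and rdns = false disables canonicalisation")
    return warnings


def ldaps_url(dc: Srv, port: int = 636) -> str:
    """LDAPS URL for the chosen DC (the SRV port is plain LDAP, so 636 is used)."""
    return f"ldaps://{dc.target}:{port}"


if __name__ == "__main__":
    dc = locate_dc("domain.com", site="Frankfurt")
    url = ldaps_url(dc)
    print(url, "->", ldap_spn(url, "domain.com"))
    for w in check_url("ldaps://domain.com", "domain.com"):
        print("warning:", w)
    try:
        import bonsai
    except ImportError:
        bonsai = None
    if bonsai is not None:
        client = bonsai.LDAPClient(url)
        client.set_credentials("GSSAPI", "my_user", "SecretPassword#", "DOMAIN.COM")
        with client.connect() as conn:
            print(conn.whoami())
```

The group with members in other domains is a separate problem: a DC answers for its own naming context and hands back referrals for the rest, which this example does not follow; it only makes sure the first hop can get a service ticket at all.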