Closed reach4bawer closed 1 year ago
Is there a way bind to AD by generating token through Kerberos?
You can try using the GSSAPI or GSS-SPNEGO SASL mechanisms instead of SIMPLE.
But unfortunately, I have no experience with AD forests.
@noirello Yes, you are right. I tried GSSAPI using client.set_credentials("GSSAPI", user='user_sam_account_name', password=password, realm = 'domain.com') but I get the error - bonsai.errors.LDAPError: Local error. SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (no credential for XXXXXXXX) (0xFFFE [-2])
I did kdestroy before running the command and checked if there were any tickets before and after running the python script. No tickets were generated.
Are you able to authenticate using kinit on the command line? There's an example in the docs. If the ticket is valid for LDAP auth, bonsai should be able to use it.
@noirello yes, I am able to do that from the command line, but would it not be possible to do that through the script and use it for the connection?
Also, when I manually generate the ticket using the kinit command I get the following -
DBG: ldapconnection_new [self:0x104563d00]
DBG: ldapconnection_init (self:0x104563d00)
DBG: ldapconnection_open (self:0x104563d00)
DBG: connecting (self:0x104563d00)
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:0x104748dc0)
DBG: ldapconnectiter_new [self:0x10474bb20]
DBG: create_init_thread_data (client:0x10453bc70, sock:-1)
DBG: create_init_thread (ld:0x7fa9eacdeea0, info:0x7fa9eacfb3e0, thread:0)
DBG: ldapconnection_result (self:0x104563d00, args:0x104566f80, kwds:0x0)[msgid:-1]
DBG: LDAPConnection_Result (self:0x104563d00, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:0x10474bb20, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:123145473105920, timeout:-1, misc:0x7fa9eacdeea0)
DBG: _pthread_mutex_timedlock
DBG: ldap_init_thread_func (params:0x7fa9eacdeea0)
DBG: set connecting async: 0
DBG: ldap_init_thread_func [retval:0]
ldap_create
ldap_url_parse_ext(ldaps://domain.com:636)
DBG: LDAPConnectIter_Next (self:0x10474bb20, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:123145473105920, timeout:-1, misc:0x7fa9eacdeea0)
DBG: _pthread_mutex_timedlock
DBG: set_certificates (self:0x10474bb20)
DBG: binding [state:3]
ldap_sasl_interactive_bind: user selected: GSSAPI
DBG: _ldap_bind (ld:0x7fa9ec11c260, info:0x7fa9eacfb3e0, ppolicy:0, result:0x0, msgid:0)
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP domain.com:636
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 8 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 3, err: 0, subject:
TLS certificate verification: depth: 2, err: 0, subject:
TLS certificate verification: depth: 1, err: 0, subject:
TLS certificate verification: depth: 0, err: 0, subject:
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:SSLv3/TLS read server key exchange
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS trace: SSL_connect:SSLv3/TLS read server done
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write client key exchange
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS read change cipher spec
TLS trace: SSL_connect:SSLv3/TLS read finished
DBG: sasl_interact (ld:0x7fa9ec11c260, flags:2, defs:0x7fa9eacfb3e0, in:0x7fa9ef82da40)
ldap_int_sasl_open: host=server.domain.com
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x7fa9ec11c260 msgid 1
wait4msg ld 0x7fa9ec11c260 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fa9ec11c260 msgid 1 all 1
** ld 0x7fa9ec11c260 Connections:
* host: domain.com port: 636 (default)
refcnt: 2 status: Connected
DBG: LDAPConnectIter_Next (self:0x10474bb20, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
last used: Mon Aug 16 09:46:12 2021
** ld 0x7fa9ec11c260 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7fa9ec11c260 request count 1 (abandoned 0)
** ld 0x7fa9ec11c260 Response Queue:
Empty
ld 0x7fa9ec11c260 response count 0
ldap_chkResponseList ld 0x7fa9ec11c260 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fa9ec11c260 NULL
ldap_int_select
read1msg: ld 0x7fa9ec11c260 msgid 1 all 1
DBG: _ldap_bind (ld:0x7fa9ec11c260, info:0x7fa9eacfb3e0, ppolicy:0, result:0x7fa9ef820740, msgid:1)
read1msg: ld 0x7fa9ec11c260 msgid 1 message type bind
read1msg: ld 0x7fa9ec11c260 0 new referrals
read1msg: mark request completed, ld 0x7fa9ec11c260 msgid 1
request done: ld 0x7fa9ec11c260 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
DBG: LDAPConnectIter_Next (self:0x10474bb20, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
ldap_msgfree
ldap_result ld 0x7fa9ec11c260 msgid 2
wait4msg ld 0x7fa9ec11c260 msgid 2 (infinite timeout)
wait4msg continue ld 0x7fa9ec11c260 msgid 2 all 1
** ld 0x7fa9ec11c260 Connections:
* host: domain.com port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Aug 16 09:46:12 2021
** ld 0x7fa9ec11c260 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x7fa9ec11c260 request count 1 (abandoned 0)
** ld 0x7fa9ec11c260 Response Queue:
Empty
ld 0x7fa9ec11c260 response count 0
ldap_chkResponseList ld 0x7fa9ec11c260 msgid 2 all 1
ldap_chkResponseList returns ld 0x7fa9ec11c260 NULL
ldap_int_select
read1msg: ld 0x7fa9ec11c260 msgid 2 all 1
read1msg: ld 0x7fa9ec11c260 msgid 2 message type bind
read1msg: ld 0x7fa9ec11c260 0 new referrals
read1msg: mark request completed, ld 0x7fa9ec11c260 msgid 2
request done: ld 0x7fa9ec11c260 msgid 2
res_errno: 14, res_error: <>, res_matched: <>
DBG: _ldap_bind (ld:0x7fa9ec11c260, info:0x7fa9eacfb3e0, ppolicy:0, result:0x7fa9ec7fa0f0, msgid:2)
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
DBG: LDAPConnectIter_Next (self:0x10474bb20, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
ldap_msgfree
ldap_result ld 0x7fa9ec11c260 msgid 3
wait4msg ld 0x7fa9ec11c260 msgid 3 (infinite timeout)
wait4msg continue ld 0x7fa9ec11c260 msgid 3 all 1
** ld 0x7fa9ec11c260 Connections:
* host: domain.com port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Aug 16 09:46:12 2021
** ld 0x7fa9ec11c260 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x7fa9ec11c260 request count 1 (abandoned 0)
** ld 0x7fa9ec11c260 Response Queue:
Empty
ld 0x7fa9ec11c260 response count 0
ldap_chkResponseList ld 0x7fa9ec11c260 msgid 3 all 1
ldap_chkResponseList returns ld 0x7fa9ec11c260 NULL
ldap_int_select
read1msg: ld 0x7fa9ec11c260 msgid 3 all 1
read1msg: ld 0x7fa9ec11c260 msgid 3 message type bind
DBG: _ldap_bind (ld:0x7fa9ec11c260, info:0x7fa9eacfb3e0, ppolicy:0, result:0x7fa9ec05eb80, msgid:3)
read1msg: ld 0x7fa9ec11c260 0 new referrals
DBG: ldapconnectiter_dealloc (self:0x10474bb20)
read1msg: mark request completed, ld 0x7fa9ec11c260 msgid 3
DBG: dealloc_conn_info (info:0x7fa9eacfb3e0)
request done: ld 0x7fa9ec11c260 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_pvt_sasl_generic_install
ldap_msgfree
DBG: ldapconnection_dealloc (self:0x104563be0)
ldap_free_connection 1 1
ldap_send_unbind
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
DBG: ldapconnection_search (self:0x104563d00, args:0x1044f8c20, kwds:0x0)
DBG: LDAPConnection_IsClosed (self:0x104563d00)
DBG: ldapsearchiter_new [self:0x103e92df0]
DBG: LDAPSearchIter_New (conn:0x104563d00)[self:0x103e92df0]
DBG: LDAPConnection_Searching (self:0x104563d00, params_in:0x7ffeed1f3ab8, iterator:0x103e92df0)
ldap_search_ext
put_filter: "(&(objectClass=group)(SamAccountName=Group_NAME))"
put_filter: AND
put_filter_list "(objectClass=group)(SamAccountName=Group_NAME)"
put_filter: "(objectClass=group)"
put_filter: simple
put_simple_filter: "objectClass=group"
put_filter: "(SamAccountName=Group_NAME)"
put_filter: simple
put_simple_filter: "SamAccountName=Group_NAME"
ldap_build_search_req ATTRS: *
ldap_send_initial_request
DBG: ldapconnection_result (self:0x104563d00, args:0x104566f80, kwds:0x0)[msgid:4]
ldap_send_server_request
DBG: LDAPConnection_Result (self:0x104563d00, msgid:4, millisec:-1)
ldap_result ld 0x7fa9ec11c260 msgid 4
wait4msg ld 0x7fa9ec11c260 msgid 4 (infinite timeout)
wait4msg continue ld 0x7fa9ec11c260 msgid 4 all 1
** ld 0x7fa9ec11c260 Connections:
* host: domain.com port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Aug 16 09:46:12 2021
** ld 0x7fa9ec11c260 Outstanding Requests:
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
ld 0x7fa9ec11c260 request count 1 (abandoned 0)
** ld 0x7fa9ec11c260 Response Queue:
Empty
ld 0x7fa9ec11c260 response count 0
ldap_chkResponseList ld 0x7fa9ec11c260 msgid 4 all 1
ldap_chkResponseList returns ld 0x7fa9ec11c260 NULL
ldap_int_select
read1msg: ld 0x7fa9ec11c260 msgid 4 all 1
ber_get_next failed, errno=5.
ldap_err2string
DBG: ldapconnection_close (self:0x104563d00)
ldap_abandon_ext 4
do_abandon origid 4, msgid 4
ldap_msgdelete ld=0x7fa9ec11c260 msgid=4
ldap_free_request (origid 4, msgid 4)
ldap_free_connection 0 1
ldap_free_connection: actually freed
ldap_err2string
DBG: ldapconnection_dealloc (self:0x10452b520)
Traceback (most recent call last):
File "<input>", line 23, in <module>
File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 329, in paged_search
return super().paged_search(
File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 169, in paged_search
return self.__base_search(
File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 111, in __base_search
return self._evaluate(msg_id, timeout)
File "//Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 246, in _evaluate
return self.get_result(msg_id, timeout)
bonsai.errors.ConnectionError: Can't contact LDAP server. (0xFFFF [-1])
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<input>", line 33, in <module>
File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 37, in __exit__
self.close()
bonsai.errors.ConnectionError: Can't contact LDAP server. (0xFFFF [-1])
Could you share the example code you're using when trying to use the pre-acquired ticket? And the output of bonsai.has_krb5_support() would also be great.
import bonsai
import configparser
bonsai.set_connect_async(False)
CACERT_FILE = "./Cert/cacerts.pem"
username = 'my_user'
password = 'SecretPassword#'
config = configparser.ConfigParser()
config.read('.//AD_Configs//Config.ini')
server_name = config['DOMAIN_1']['URL']  # 'domain.com'
client = bonsai.LDAPClient(server_name)
client.set_ca_cert(CACERT_FILE)
client.set_auto_page_acquire(True)
client.set_credentials("GSSAPI", user=username, password=password, realm=server_name)
base = "DC=DOMAIN_1,DC=com"
query = "(&(objectClass=group)(SamAccountName=Group_NAME))"
list_of_attributes = ['*']
final_result = []
# The context manager opens the connection and closes it on exit.
with client.connect() as conn:
    result = conn.paged_search(base=base, scope=2, filter_exp=query, attrlist=list_of_attributes,
                               page_size=1000, attrsonly=False)
    for r in result:
        final_result.append(r)
    print(len(final_result))
    # Fetch the remaining pages; acquire_next_page() returns None when there are no more.
    msgid = result.acquire_next_page()
    while msgid is not None:
        result = conn._evaluate(msgid)
        for r in result:
            final_result.append(r)
        msgid = result.acquire_next_page()
    print(len(final_result))
Output for bonsai.has_krb5_support():
False
The module hasn't been built with Kerberos support, so it's not possible to acquire a ticket from inside the script. But using kinit should work.
Could you try to run a simpler script? Something like this:
import bonsai
import configparser
bonsai.set_debug(True, -1)
bonsai.set_connect_async(False)
CACERT_FILE = "./Cert/cacerts.pem"
config = configparser.ConfigParser()
config.read('.//AD_Configs//Config.ini')
server_name = config['DOMAIN_1']['URL']  # 'domain.com'
client = bonsai.LDAPClient(server_name)
client.set_ca_cert(CACERT_FILE)
# No user/password/realm: the GSSAPI mechanism picks up the ticket from the credential cache.
client.set_credentials("GSSAPI")
with client.connect() as conn:
    print(conn.whoami())
Run kinit to get a ticket, then run this script.
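As an added example (my own code, not from the thread or from bonsai), here is a pre-flight check that applies the point above: with has_krb5_support() returning False, a GSSAPI bind can only succeed if a ticket is already in the credential cache, so verify that one exists for the right realm and has not expired before calling connect(). It assumes MIT Kerberos klist output (the sample is constructed; Heimdal's klist on macOS prints a different layout and is not parsed), and the names parse_klist, tgt_ready and credentials_plan are mine. The user, password and realm keywords it returns are the ones the thread's scripts pass to set_credentials.

```python
"""Pre-flight check for a GSSAPI bind: is there a usable TGT in the credential cache?"""
import re
import subprocess
from datetime import datetime
from typing import Dict, List, Optional

# Constructed MIT Kerberos `klist` output (not taken from the thread). Heimdal's
# klist on macOS prints a different layout and is not handled here.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my_user@DOMAIN.COM

Valid starting       Expires              Service principal
08/16/2021 09:40:00  08/16/2021 19:40:00  krbtgt/DOMAIN.COM@DOMAIN.COM
08/16/2021 09:46:12  08/16/2021 19:40:00  ldap/server.domain.com@DOMAIN.COM
"""

# MIT klist prints "mm/dd/yy" or "mm/dd/yyyy" depending on version and locale.
_TIME = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_LINE = re.compile(rf"^({_TIME})\s+({_TIME})\s+(\S+)")


def _parse_klist_time(text: str) -> datetime:
    fmt = "%m/%d/%Y %H:%M:%S" if len(text.split()[0]) == 10 else "%m/%d/%y %H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_klist(output: str) -> Dict:
    """Extract the default principal and the ticket rows from MIT klist output."""
    principal: Optional[str] = None
    tickets: List[Dict] = []
    for line in output.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        m = TICKET_LINE.match(line)
        if m:
            tickets.append({
                "valid_from": _parse_klist_time(m.group(1)),
                "expires": _parse_klist_time(m.group(2)),
                "service": m.group(3),
            })
    return {"principal": principal, "tickets": tickets}


def tgt_ready(output: str, realm: str, now_iso: str) -> bool:
    """True if the cache holds a TGT for `realm` (krbtgt/REALM@...) that is valid at `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    prefix = f"KRBTGT/{realm.upper()}@"
    for t in parse_klist(output)["tickets"]:
        if t["service"].upper().startswith(prefix) and t["valid_from"] <= now < t["expires"]:
            return True
    return False


def credentials_plan(has_krb5_support: bool, klist_output: str, realm: str, now_iso: str,
                     user: Optional[str] = None, password: Optional[str] = None) -> Dict:
    """Decide what to hand to LDAPClient.set_credentials for a GSSAPI bind.

    With a valid TGT in the cache only the mechanism is needed. Without one, a
    password-based bind is only possible when bonsai was built with Kerberos
    support; otherwise the caller has to run kinit first (the situation in the thread).
    """
    if tgt_ready(klist_output, realm, now_iso):
        return {"mechanism": "GSSAPI"}
    if has_krb5_support and user and password:
        return {"mechanism": "GSSAPI", "user": user, "password": password, "realm": realm}
    raise RuntimeError(f"no valid TGT for {realm} in the credential cache; run kinit first")


def current_klist_output() -> str:
    """Run the real klist (MIT); returns "" when klist is missing or there is no cache."""
    try:
        return subprocess.run(["klist"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Mirrors the thread: module built without Kerberos, ticket obtained with kinit.
    print(credentials_plan(False, SAMPLE_KLIST, "domain.com", "2021-08-16T12:00:00"))
```

In a real script, replace SAMPLE_KLIST with current_klist_output() and the fixed timestamp with datetime.now().isoformat(), then pass plan["mechanism"] as the first argument of set_credentials and the remaining keys as keywords. This check only applies to the MIT/Heimdal builds; on Windows the SSPI path described later in the thread needs user, password and realm regardless of the cache.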
@noirello I got the ticket and ran the script. Here are the logs -
DBG: ldapconnection_new [self:0x102430400]
DBG: ldapconnection_init (self:0x102430400)
DBG: ldapconnection_open (self:0x102430400)
DBG: connecting (self:0x102430400)
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:0x102410900)
DBG: ldapconnectiter_new [self:0x102427a30]
DBG: create_init_thread_data (client:0x10240fd60, sock:-1)
DBG: create_init_thread (ld:0x7fcec385e6c0, info:0x7fcec383b740, thread:0)
DBG: ldapconnection_result (self:0x102430400, args:0x101cfb2c0, kwds:0x0)[msgid:-1]
DBG: DBG: LDAPConnection_Result (self:0x102430400, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:0x102427a30, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:123145480474624, timeout:-1, misc:0x7fcec385e6c0)
ldap_init_thread_func (params:0x7fcec385e6c0)
DBG: _pthread_mutex_timedlock
ldap_create
ldap_url_parse_ext(ldaps://domain.com:636)
DBG: set connecting async: 0
DBG: ldap_init_thread_func [retval:0]
DBG: set_certificates (self:0x102427a30)
DBG: binding [state:3]
DBG: _ldap_bind (ld:0x7fcec3c202b0, info:0x7fcec383b740, ppolicy:0, result:0x0, msgid:0)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP domain.com:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 10.X.X.X:636
ldap_pvt_connect: fd: 7 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 3, err: 0, subject:
TLS certificate verification: depth: 2, err: 0, subject:
TLS certificate verification: depth: 1, err: 0, subject:
TLS certificate verification: depth: 0, err: 0, subject:
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:SSLv3/TLS read server key exchange
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS trace: SSL_connect:SSLv3/TLS read server done
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write client key exchange
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS write finished
TLS trace: SSL_connect:SSLv3/TLS read change cipher spec
TLS trace: SSL_connect:SSLv3/TLS read finished
ldap_int_sasl_open: host=server.domain.com
DBG: sasl_interact (ld:0x7fcec3c202b0, flags:2, defs:0x7fcec383b740, in:0x7fcec1fedeb0)
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
DBG: LDAPConnectIter_Next (self:0x102427a30, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
ldap_msgfree
ldap_result ld 0x7fcec3c202b0 msgid 1
wait4msg ld 0x7fcec3c202b0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fcec3c202b0 msgid 1 all 1
** ld 0x7fcec3c202b0 Connections:
* host: domain.com port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Aug 16 12:12:15 2021
** ld 0x7fcec3c202b0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7fcec3c202b0 request count 1 (abandoned 0)
** ld 0x7fcec3c202b0 Response Queue:
Empty
ld 0x7fcec3c202b0 response count 0
ldap_chkResponseList ld 0x7fcec3c202b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fcec3c202b0 NULL
ldap_int_select
read1msg: ld 0x7fcec3c202b0 msgid 1 all 1
read1msg: ld 0x7fcec3c202b0 msgid 1 message type bind
read1msg: ld 0x7fcec3c202b0 0 new referrals
DBG: _ldap_bind (ld:0x7fcec3c202b0, info:0x7fcec383b740, ppolicy:0, result:0x7fcec1fed910, msgid:1)
read1msg: mark request completed, ld 0x7fcec3c202b0 msgid 1
request done: ld 0x7fcec3c202b0 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
DBG: LDAPConnectIter_Next (self:0x102427a30, timeout:-1) [tls:0, state:4]
ldap_msgfree
DBG: binding [state:4]
ldap_result ld 0x7fcec3c202b0 msgid 2
wait4msg ld 0x7fcec3c202b0 msgid 2 (infinite timeout)
wait4msg continue ld 0x7fcec3c202b0 msgid 2 all 1
** ld 0x7fcec3c202b0 Connections:
* host: domain.com port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Aug 16 12:12:15 2021
** ld 0x7fcec3c202b0 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x7fcec3c202b0 request count 1 (abandoned 0)
** ld 0x7fcec3c202b0 Response Queue:
Empty
ld 0x7fcec3c202b0 response count 0
ldap_chkResponseList ld 0x7fcec3c202b0 msgid 2 all 1
ldap_chkResponseList returns ld 0x7fcec3c202b0 NULL
ldap_int_select
read1msg: ld 0x7fcec3c202b0 msgid 2 all 1
read1msg: ld 0x7fcec3c202b0 msgid 2 message type bind
read1msg: ld 0x7fcec3c202b0 0 new referrals
read1msg: mark request completed, ld 0x7fcec3c202b0 msgid 2
request done: ld 0x7fcec3c202b0 msgid 2
DBG: _ldap_bind (ld:0x7fcec3c202b0, info:0x7fcec383b740, ppolicy:0, result:0x7fcec1c6cfd0, msgid:2)
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ldap_parse_result
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
DBG: LDAPConnectIter_Next (self:0x102427a30, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
ldap_msgfree
ldap_result ld 0x7fcec3c202b0 msgid 3
wait4msg ld 0x7fcec3c202b0 msgid 3 (infinite timeout)
wait4msg continue ld 0x7fcec3c202b0 msgid 3 all 1
** ld 0x7fcec3c202b0 Connections:
* host: domain port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Aug 16 12:12:15 2021
** ld 0x7fcec3c202b0 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x7fcec3c202b0 request count 1 (abandoned 0)
** ld 0x7fcec3c202b0 Response Queue:
Empty
ld 0x7fcec3c202b0 response count 0
ldap_chkResponseList ld 0x7fcec3c202b0 msgid 3 all 1
ldap_chkResponseList returns ld 0x7fcec3c202b0 NULL
ldap_int_select
read1msg: ld 0x7fcec3c202b0 msgid 3 all 1
read1msg: ld 0x7fcec3c202b0 msgid 3 message type bind
read1msg: ld 0x7fcec3c202b0 0 new referrals
read1msg: mark request completed, ld 0x7fcec3c202b0 msgid 3
request done: ld 0x7fcec3c202b0 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
DBG: _ldap_bind (ld:0x7fcec3c202b0, info:0x7fcec383b740, ppolicy:0, result:0x7fcec1c6cfd0, msgid:3)
DBG: ldapconnectiter_dealloc (self:0x102427a30)
ldap_int_sasl_bind: GSSAPI
DBG: dealloc_conn_info (info:0x7fcec383b740)
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_pvt_sasl_generic_install
ldap_msgfree
DBG: ldapconnection_whoami (self:0x102430400)
DBG: LDAPConnection_IsClosed (self:0x102430400)
ldap_extended_operation
ldap_send_initial_request
ldap_send_server_request
DBG: ldapconnection_result (self:0x102430400, args:0x101cfb2c0, kwds:0x0)[msgid:4]
DBG: LDAPConnection_Result (self:0x102430400, msgid:4, millisec:-1)
ldap_result ld 0x7fcec3c202b0 msgid 4
wait4msg ld 0x7fcec3c202b0 msgid 4 (infinite timeout)
wait4msg continue ld 0x7fcec3c202b0 msgid 4 all 1
** ld 0x7fcec3c202b0 Connections:
* host: domain.com port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Aug 16 12:12:15 2021
** ld 0x7fcec3c202b0 Outstanding Requests:
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
ld 0x7fcec3c202b0 request count 1 (abandoned 0)
** ld 0x7fcec3c202b0 Response Queue:
Empty
ld 0x7fcec3c202b0 response count 0
ldap_chkResponseList ld 0x7fcec3c202b0 msgid 4 all 1
ldap_chkResponseList returns ld 0x7fcec3c202b0 NULL
ldap_int_select
read1msg: ld 0x7fcec3c202b0 msgid 4 all 1
ber_get_next failed, errno=5.
ldap_err2string
DBG: ldapconnection_close (self:0x102430400)
ldap_abandon_ext 4
do_abandon origid 4, msgid 4
ldap_msgdelete ld=0x7fcec3c202b0 msgid=4
ldap_free_request (origid 4, msgid 4)
ldap_free_connection 0 1
ldap_free_connection: actually freed
ldap_err2string
Traceback (most recent call last):
File "<input>", line 6, in <module>
File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 405, in whoami
return super().whoami(timeout)
File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 221, in whoami
return self._evaluate(super().whoami(), timeout)
File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 246, in _evaluate
return self.get_result(msg_id, timeout)
bonsai.errors.ConnectionError: Can't contact LDAP server. (0xFFFF [-1])
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<input>", line 6, in <module>
File "/Active_Directory/venv/lib/python3.9/site-packages/bonsai/ldapconnection.py", line 37, in __exit__
self.close()
bonsai.errors.ConnectionError: Can't contact LDAP server. (0xFFFF [-1])
I can rebuild the module with Kerberos on my mac using the guide https://bonsai.readthedocs.io/en/latest/install.html, what is the path that I need to include in the setup.cfg for kerberos? (for either package libkrb5-dev or heimdal-dev)
I've just realized that you cannot compile the module with Kerberos support on Mac. :( You can install heimdal with brew, but they've just recently added the required functionality to acquire a TGT and it's not released yet.
No problem @noirello. I will install heimdal, I think their version 7.7.0 for mac, and keep an eye out for further updates.
For Windows and for Linux this should work, right?
On trying this on a Windows 10 machine the same code generates -
DBG: ldapconnection_new [self:000001BC571DB820]
DBG: ldapconnection_init (self:000001BC571DB820)
DBG: ldapconnection_open (self:000001BC571DB820)
DBG: connecting (self:000001BC571DB820)
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:000001BC571FB740)
DBG: ldapconnectiter_new [self:000001BC571EECB0]
DBG: create_init_thread_data (client:000001BC56FC8FD0, sock:-1)
DBG: create_init_thread (ld:000001BC5695FBE0, info:000001BC569940C0, thread:0)
DBG: ldapconnection_result (self:000001BC571DB820, args:000001BC56F18940, kwds:0000000000000000)[msgid:-1]
DBG: LDAPConnection_Result (self:000001BC571DB820, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:000001BC571EECB0, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:0000000000001398, timeout:-1, misc:000001BC5695FBE0)
DBG: ldap_init_thread_func (params:000001BC5695FBE0)
DBG: ldap_init_thread_func [retval:0]
DBG: binding [state:3]
DBG: _ldap_bind (ld:000001BC5691FC18, info:000001BC569940C0, ppolicy:0, result:0000000000000000, msgid:0)
DBG: LDAPConnectIter_Next (self:000001BC571EECB0, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
DBG: ldap_thread_bind (params:000001BC569940C0)
DBG: ldapconnectiter_dealloc (self:000001BC571EECB0)
DBG: dealloc_conn_info (info:000001BC569940C0)
DBG: ldapconnection_dealloc (self:000001BC571DB220)
Traceback (most recent call last):
File "<input>", line 16, in <module>
File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapclient.py", line 588, in connect
return LDAPConnection(self).open(timeout)
File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 297, in open
return super().open(timeout)
File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 53, in open
return self._evaluate(super().open(), timeout)
File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 246, in _evaluate
return self.get_result(msg_id, timeout)
bonsai.errors.AuthenticationError: Invalid Credentials. (0x0031 [49])
The packages that I have are -
bonsai==1.2.1
cffi==1.14.6
cryptography==3.4.7
decorator==5.0.9
dnspython==2.1.0
gssapi==1.6.14
pyasn1==0.4.8
pycparser==2.20
I've just realized that you cannot compile the module with Kerberos support on Mac. :(
Never mind. You can install MIT Kerberos with brew install krb5, then update the include and lib dirs in setup.cfg:
[build_ext]
include_dirs=/usr/local/opt/openldap/include:/usr/local/opt/krb5/include
library_dirs=/usr/local/opt/openldap/lib:/usr/local/opt/krb5/lib
But something still goes wrong on Mac, it fails to use the Kerberos ticket.
For Windows and for Linux this should work, right?
Yes, it should. But you always have to set the user, password and realm params on Windows.
I had the krb5 library installed, and I will recompile bonsai and let you know the results.
As for Windows, I did pass the credentials (not the ones I was logged on with on the system) in set_credentials; following is the script and the debug logs -
import bonsai
import configparser
bonsai.set_debug(True, -1)
bonsai.set_connect_async(False)
CACERT_FILE = "./Cert/cacerts.pem"
config = configparser.ConfigParser()
config.read('.//AD_Configs//Config.ini')
server_name = config['DOMAIN_1']['URL']  # 'ldaps://domain.com'
username = 'my_user'
password = 'SecretPassword#'
realm = config['Domain']['Domain']  # "domain.com"
client = bonsai.LDAPClient(server_name)
client.set_ca_cert(CACERT_FILE)
client.set_credentials("GSSAPI", username, password, realm)
with client.connect() as conn:
    print(conn.whoami())
DBG: ldapconnection_new [self:000001BC571DB220]
DBG: ldapconnection_init (self:000001BC571DB220)
DBG: ldapconnection_open (self:000001BC571DB220)
DBG: connecting (self:000001BC571DB220)
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:000001BC56FD7E80)
DBG: ldapconnectiter_new [self:000001BC57077B20]
DBG: create_init_thread_data (client:000001BC56FDD130, sock:-1)
DBG: create_init_thread (ld:000001BC5695FC40, info:000001BC56994570, thread:0)
DBG: ldapconnection_result (self:000001BC571DB220, args:000001BC56FCEB40, kwds:0000000000000000)[msgid:-1]
DBG: LDAPConnection_Result (self:000001BC571DB220, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:000001BC57077B20, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:0000000000000DD8, timeout:-1, misc:000001BC5695FC40)
DBG: ldap_init_thread_func (params:000001BC5695FC40)
DBG: ldap_init_thread_func [retval:0]
DBG: binding [state:3]
DBG: _ldap_bind (ld:000001BC56926508, info:000001BC56994570, ppolicy:0, result:0000000000000000, msgid:0)
DBG: LDAPConnectIter_Next (self:000001BC57077B20, timeout:-1) [tls:0, state:4]
DBG: binding [state:4]
DBG: ldap_thread_bind (params:000001BC56994570)
DBG: ldapconnectiter_dealloc (self:000001BC57077B20)
DBG: dealloc_conn_info (info:000001BC56994570)
Traceback (most recent call last):
File "<input>", line 19, in <module>
File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapclient.py", line 588, in connect
return LDAPConnection(self).open(timeout)
File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 297, in open
return super().open(timeout)
File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 53, in open
return self._evaluate(super().open(), timeout)
File "C:\Users\jack\PycharmProjects\AD\venv\lib\site-packages\bonsai\ldapconnection.py", line 246, in _evaluate
return self.get_result(msg_id, timeout)
bonsai.errors.AuthenticationError: Invalid Credentials. SSPI authentication procedure is failed with error code: 0x8009030c (0x0031 [49])
Yes, so after recompiling I was able to get it to work on mac; maybe I need to recompile it on Windows as well. Interestingly, the whoami() command shows this being run as the user I am logged in with and not the credentials that I passed.
@noirello Recompiling on Windows didn't do anything; I still get the same error.
The security implementation is completely different on Windows. No third party Kerberos library is involved; it uses libraries shipped with Windows by default. Have you tried looking into the security logs on the server side? It looks like this article describes a similar issue.
Okay, I will have to contact someone to see the logs on the server. Is there any workaround for my token being used instead of generating a new token with the passed credentials?
I tried this on a Linux machine (in AWS, AWS Linux), since the team that can help me look at the logs for Windows is not available. I followed the guide. I installed the dependencies and built with the kerberos libraries.
I ran into the following -
import bonsai
import configparser
bonsai.set_debug(True, -1)
bonsai.set_connect_async(False)
CACERT_FILE = "./Cert/cacerts.pem"
config = configparser.ConfigParser()
config.read('.//AD_Configs//Config.ini')
server_name = config['DOMAIN_1']['URL']  # 'ldaps://domain.com'
username = 'my_user'
password = 'SecretPassword#'
realm = config['Domain']['Domain']  # "domain.com"
client = bonsai.LDAPClient(server_name)
client.set_ca_cert(CACERT_FILE)
client.set_credentials("GSSAPI", username, password, realm)
with client.connect() as conn:
    print(conn.whoami())
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_init: HOME env is /home/ec2-user
ldap_init: trying /home/ec2-user/ldaprc
ldap_init: trying /home/ec2-user/.ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Is Bonsai build with kerberos -True
DBG: ldapconnection_new [self:0x7f4189ed2bb0]
DBG: ldapconnection_init (self:0x7f4189ed2bb0)
DBG: ldapconnection_open (self:0x7f4189ed2bb0)
DBG: connecting (self:0x7f4189ed2bb0)
DBG: create_conn_info (mech:GSSAPI, sock:-1, creds:0x7f4189ec1730)
DBG: ldapconnectiter_new [self:0x7f4189ec3ee0]
DBG: create_init_thread_data (client:0x7f4189ebf710, sock:-1)
DBG: create_init_thread (ld:0x1d810d0, info:0x1bf6d40, thread:0)
DBG: DBG: ldapconnection_result (self:0x7f4189ed2bb0, args:0x7f4189ec80a0, kwds:(nil))[msgid:-1]
DBG: LDAPConnection_Result (self:0x7f4189ed2bb0, msgid:-1, millisec:-1)
DBG: LDAPConnectIter_Next (self:0x7f4189ec3ee0, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:139919317710592, timeout:-1, misc:0x1d810d0)
DBG: _pthread_mutex_timedlock
ldap_init_thread_func (params:0x1d810d0)
ldap_create
ldap_url_parse_ext(ldaps://domain.com:636)
DBG: set connecting async: 0
DBG: create_krb5_cred (ctx:0x1c0a1e0, realm:domain.com, user:distinguished_name, password:****, ktname: , ccache:0x1bf6d78, gsscred:0x1bf6d80)
DBG: LDAPConnectIter_Next (self:0x7f4189ec3ee0, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:139919317710592, timeout:-1, misc:0x1d810d0)
DBG: _pthread_mutex_timedlock
DBG: LDAPConnectIter_Next (self:0x7f4189ec3ee0, timeout:-1) [tls:0, state:0]
DBG: _ldap_finish_init_thread (async:0, thread:139919317710592, timeout:-1, misc:0x1d810d0)
DBG: _pthread_mutex_timedlock
DBG: ldap_init_thread_func [retval:-1765328378]
DBG: ldapconnectiter_dealloc (self:0x7f4189ec3ee0)
DBG: dealloc_conn_info (info:0x1bf6d40)
DBG: remove_krb5_cred (ctx:0x1c0a1e0, cchache:0x7f4174009b20, gsscred:0x1bf6d80)
Traceback (most recent call last):
File "/home/ec2-user/.pycharm_helpers/pydev/pydevd.py", line 1483, in _exec
pydev_imports.execfile(file, globals, locals) # execute the script
File "/home/ec2-user/.pycharm_helpers/pydev/_pydev_imps/_pydev_execfile.py", line 18, in execfile
exec(compile(contents+"\n", file, 'exec'), glob, loc)
File "/home/ec2-user/AD_Audit_Automation/whoami.py", line 22, in <module>
with client.connect() as conn:
File "/usr/local/lib64/python3.7/site-packages/bonsai-1.2.1-py3.7-linux-x86_64.egg/bonsai/ldapclient.py", line 588, in connect
return LDAPConnection(self).open(timeout)
File "/usr/local/lib64/python3.7/site-packages/bonsai-1.2.1-py3.7-linux-x86_64.egg/bonsai/ldapconnection.py", line 297, in open
return super().open(timeout)
File "/usr/local/lib64/python3.7/site-packages/bonsai-1.2.1-py3.7-linux-x86_64.egg/bonsai/ldapconnection.py", line 53, in open
return self._evaluate(super().open(), timeout)
File "/usr/local/lib64/python3.7/site-packages/bonsai-1.2.1-py3.7-linux-x86_64.egg/bonsai/ldapconnection.py", line 246, in _evaluate
return self.get_result(msg_id, timeout)
bonsai.errors.AuthenticationError: Client 'distinguished_name@domain.com' not found in Kerberos database. (KRB5_ERROR 0x96c73a06) (0x0031 [49])
The same works on my MacBook after generating the ticket with kinit.
I noted the following: changing config['DOMAIN_1']['URL'] from ldap://domain.com to ldap://specific_server.com and removing the username, password and realm makes the code work. I have to do both, as if I just remove the username, password and realm I get -
bonsai.errors.LDAPError: Local error. SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) (0xFFFE [-2])
I looked into it a little:
On Mac - no problem. I logged in using the credentials I needed during the development. On Linux - I ran into the caps problem when I was trying to generate the ticket using kinit, so from that point onwards I converted everything to upper case. My krb5.conf looks okay -
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
rdns = false
Not sure where I can find the kdc.conf. I looked into the directories mentioned in https://manpages.ubuntu.com/manpages/bionic/man5/kdc.conf.5.html and couldn't find it in /etc/krb5kdc or in KRB5_KDC_PROFILE.
Oh, sorry I meant krb5.conf, not kdc.conf (that's the server's configuration).
So using an upper-case realm for the LDAPClient.set_credentials realm param did not help to avoid the authentication error on Linux?
It did not work. I get the
bonsai.errors.LDAPError: Local error. SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) (0xFFFE [-2])
error. Is there a reason why it does not resolve to the nearest domain server? Also, if there are multiple referrals the script would break.
Edit - I meant a referral if I query an AD group that contains a group from a different domain, with members in multiple other domains.
How do I connect to a trusting domain in a different forest? Is there any guidance around it?
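The two Kerberos errors in this thread map to two things the KDC could not find: the client principal ("Client 'distinguished_name@domain.com' not found in Kerberos database", where the user part was a DN and the realm was lower-case) and the service principal ("Server not found in Kerberos database", where the URL named the bare domain rather than a specific domain controller, so the ticket was requested for ldap/domain.com). The following added example, which is not bonsai's code nor anything posted in this issue, turns those into offline preflight checks that run before the bind; the helper names (plan_gssapi_bind, gssapi_whoami), the sample values and the bonsai keyword calls in gssapi_whoami are assumptions made for illustration:

```python
"""Preflight checks for a bonsai GSSAPI bind against Active Directory (added example).

AD expects the Kerberos client principal as sAMAccountName@REALM (realm upper-case,
not an LDAP DN), and the LDAP service ticket is requested for ldap/<host>@REALM, so
<host> must be a domain controller that actually holds that SPN, not the bare
domain name that round-robins to any DC.
"""
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit


class KerberosBindPlan(NamedTuple):
    ldap_url: str
    host: str
    realm: str
    principal: Optional[str]     # None means: reuse the ticket cache created by kinit
    service_principal: str       # SPN the GSSAPI layer will ask the KDC for
    warnings: List[str]


def plan_gssapi_bind(ldap_url: str, username: Optional[str] = None,
                     realm: Optional[str] = None) -> KerberosBindPlan:
    """Normalise realm/user/host and report the mistakes seen in this thread."""
    warnings: List[str] = []
    parts = urlsplit(ldap_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL with a host: {ldap_url!r}")
    host = parts.hostname.lower()

    user = username
    if user and "@" in user:                      # user@REALM form: split it
        user, user_realm = user.rsplit("@", 1)
        if realm and realm.upper() != user_realm.upper():
            warnings.append(f"realm in username ({user_realm}) differs from realm argument ({realm})")
        realm = realm or user_realm
    if not realm:
        raise ValueError("a Kerberos realm is required (REALM, or username as user@REALM)")

    if realm != realm.upper():                    # realms are case-sensitive; AD uses upper-case
        warnings.append(f"realm {realm!r} is not upper-case; using {realm.upper()!r}")
        realm = realm.upper()

    if user and "=" in user:                      # cn=...,dc=... is a DN, not a principal
        warnings.append("username looks like an LDAP DN; Kerberos needs the sAMAccountName "
                        "(otherwise the KDC answers 'Client ... not found in Kerberos database')")

    if host == realm.lower():                     # ldap://domain.com with realm DOMAIN.COM
        warnings.append(f"URL host {host!r} is the bare domain name; no single DC holds the SPN "
                        f"ldap/{host}, so expect 'Server not found in Kerberos database'. "
                        "Use a specific domain controller's FQDN.")

    principal = f"{user}@{realm}" if user else None
    return KerberosBindPlan(ldap_url, host, realm, principal, f"ldap/{host}@{realm}", warnings)


def gssapi_whoami(plan: KerberosBindPlan, password: Optional[str] = None,
                  ca_cert: Optional[str] = None) -> str:
    """Perform the bind described by the plan and return the server's whoami answer.

    Imports bonsai lazily so the preflight part stays usable without it.
    """
    try:
        import bonsai
    except ImportError as exc:
        raise RuntimeError("bonsai is not installed; only the preflight checks are available") from exc
    client = bonsai.LDAPClient(plan.ldap_url)
    if ca_cert:
        client.set_ca_cert(ca_cert)
    if plan.principal is None:
        client.set_credentials("GSSAPI")          # no user: bonsai uses the existing kinit ticket
    else:
        user, _ = plan.principal.rsplit("@", 1)
        client.set_credentials("GSSAPI", user=user, password=password, realm=plan.realm)
    with client.connect() as conn:
        return conn.whoami()


if __name__ == "__main__":
    # Constructed sample values mirroring the thread: bare-domain URL, DN as user, lower-case realm.
    bad = plan_gssapi_bind("ldaps://domain.com:636", "cn=my user,ou=people,dc=domain,dc=com", "domain.com")
    for w in bad.warnings:
        print("WARNING:", w)
    good = plan_gssapi_bind("ldaps://dc01.domain.com:636", realm="DOMAIN.COM")
    print("will request SPN", good.service_principal, "using the kinit ticket cache")
    # gssapi_whoami(good, ca_cert="./Cert/cacerts.pem")  # needs bonsai and a valid ticket
```

Run the preflight on the values from your Config.ini before calling connect(): the warnings tell you which of the three inputs (user form, realm case, host) would make the KDC reject the request, and a plan with principal None is the path the maintainer suggested, letting bonsai reuse the ticket kinit already obtained.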
I tried to connect to the trusting domain by providing the credentials of my base domain. My user account is created in "Domain_1" which is under "Master_Domain_1". I can authenticate to both these domains. I have Master_Domain_2 which is a separate forest that has "Domain_2" domain.
This code is also successful when I change DOMAIN_1 to Master_Domain_1. When I change server_name to reference Domain_2 or Master_Domain_2 (and also change the base variable), where I have a bi-directional trust, I am not able to authenticate and I get the following error for conn = client.connect() -
bonsai.errors.AuthenticationError: Invalid credentials. 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839 (0x0031 [49])
The debug logs are -
What should I do differently? I kept the user identity as my original Domain_1 id and password, as I use the same to authenticate with PowerShell (but the RSAT module could be doing something in the background).