zorn96 / ms_active_directory

A library for integrating with Microsoft Active Directory domains
MIT License

App hangs on secure=self.encrypt_connections #56

Open kerryhatcher opened 1 year ago

kerryhatcher commented 1 year ago

Summary

When attempting to connect to the AD domain, my script hangs at secure=self.encrypt_connections in ms_active_directory/core/ad_domain.py(456). I'm not sure what is going on in the background; it could have something to do with whatever TLS/etc implementation is in the OS. Is there a way to get more debug info out of the package?

Env Details

OS: Amazon Linux 2
Server: EC2 t3.small
Installed via: Poetry
Ran via: poetry run python3 ad_demo

Last few lines of python debugger

(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(440)__init__()
-> self.site = site.lower() if site else None
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(441)__init__()
-> self.encrypt_connections = encrypt_connections
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(442)__init__()
-> self.ca_certificates_file_path = ca_certificates_file_path
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(443)__init__()
-> self.ldap_servers = []
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(444)__init__()
-> self.ldap_uris = []
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(445)__init__()
-> self.kerberos_uris = []
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(446)__init__()
-> self.dns_nameservers = dns_nameservers
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(447)__init__()
-> self.source_ip = source_ip
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(448)__init__()
-> self.netbios_name = netbios_name
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(449)__init__()
-> self.auto_configure_kerberos_client = auto_configure_kerberos_client
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(450)__init__()
-> self._sid = None
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(452)__init__()
-> if not ldap_servers_or_uris and discover_ldap_servers:
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(453)__init__()
-> ldap_servers_or_uris = discover_ldap_domain_controllers_in_domain(self.domain, site=self.site,
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(454)__init__()
-> dns_nameservers=self.dns_nameservers,
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(455)__init__()
-> source_ip=self.source_ip,
(Pdb) next
> /home/ec2-user/.cache/pypoetry/virtualenvs/ad-demo-UzGUOutx-py3.7/lib/python3.7/site-packages/ms_active_directory/core/ad_domain.py(456)__init__()
-> secure=self.encrypt_connections)
(Pdb) next

Higher level debug

(ad-demo-py3.7) [ec2-user@ip-10-204-222-57 ad-api]$ poetry run python3 ad_demo
2023-03-15 17:00:32.982 | DEBUG    | __main__:<module>:7 - Startin script
> /home/ec2-user/ad-api/ad_demo/__main__.py(11)<module>()
-> example_domain_dns_name = "xxxxxxxxx"
(Pdb) next
> /home/ec2-user/ad-api/ad_demo/__main__.py(12)<module>()
-> domain = ADDomain(example_domain_dns_name)
(Pdb) next

Redacted Code

from ms_active_directory import ADDomain

from loguru import logger

import pdb

logger.debug("Startin script")

pdb.set_trace()

example_domain_dns_name = "********"
domain = ADDomain(example_domain_dns_name)
ldap_servers = domain.get_ldap_uris()
kerberos_servers = domain.get_kerberos_uris()

logger.debug("startin discovery")

# re-discover servers in dns and sort them by RTT again at a later time to pick up changes
domain.refresh_ldap_server_discovery()
domain.refresh_kerberos_server_discovery()

logger.debug("creating session")

session = domain.create_session_as_user(
    "***************", "*******************"
)

logger.debug("finding data")

user = session.find_user_by_sam_name("**************", ["employeeID"])
group = session.find_group_by_sam_name(
    "**************", ["gidNumber"]
)
# users and groups support a generic "get" for any attributes queried
print(user.get("employeeID"))
print(group.get("gidNumber"))

nslookup

The server appears to be able to resolve the domain controllers OK:

[image: nslookup output]

zorn96 commented 11 months ago

hi @kerryhatcher! if you set the log level then you can get a bit more detail:


        conn.open()
        logger.debug('Opened connection to AD domain %s: %s', self.domain, conn)
        if self.encrypt_connections:
            # if we're using LDAPS, don't StartTLS
            if not conn.server.ssl:
                tls_started = conn.start_tls()
                if not tls_started:
                    raise DomainConnectException('Unable to StartTLS on connection to domain. Please check the '
                                                 'server(s) to ensure that they have properly configured certificates.')
            logger.debug('Successfully secured connection to AD domain %s', self.domain)

unsure if the underlying Python ssl has more logging available (this all builds on that).

Can you maybe Wireshark it? It's possible that your network is the issue. A bad MTU size can fragment packets, which makes TLS negotiation hang because the packets keep getting re-transmitted. That's the only scenario where I've seen normal connections work but TLS hang.

Maybe check that out?
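A way to narrow down the hang the maintainer describes (TCP connects fine, TLS negotiation never completes) is to probe the domain controller with a bounded socket timeout and classify where the connection stalls. This is an added example, not code from ms_active_directory or from either participant; it probes LDAPS (port 636) directly rather than StartTLS on 389, and the `silent_listener` test double that never answers the ClientHello is constructed here to reproduce the symptom on loopback.

```python
import socket
import ssl
import threading


def probe_ldaps(host, port=636, timeout=5.0, ca_file=None):
    """Report where a TLS connection to host:port stalls: 'tcp_timeout', 'tcp_refused',
    'tls_timeout', 'tls_error' or 'ok'. The timeout turns a stalled handshake into a fast failure."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout"
    except ConnectionRefusedError:
        return "tcp_refused"
    ctx = ssl.create_default_context(cafile=ca_file)   # verifies the DC certificate
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "ok"           # handshake completed within the timeout
    except socket.timeout:
        return "tls_timeout"      # TCP works but TLS negotiation never finishes
    except ssl.SSLError:
        return "tls_error"        # e.g. untrusted certificate, protocol mismatch
    finally:
        raw.close()


def silent_listener():
    """Constructed test double: accepts TCP but never answers the ClientHello, reproducing
    the 'connect works, TLS hangs' symptom on loopback. Returns (port, stop_event)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def run():
        held = []                 # accepted sockets kept open, never written to
        while not stop.is_set():
            try:
                held.append(srv.accept()[0])
            except socket.timeout:
                pass
        for conn in held:
            conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1], stop
```

Against a real DC, a `tls_timeout` result with a working `nslookup` points at the network path (MTU, fragmentation, middleboxes) rather than DNS or the library, which is exactly the case Wireshark would then confirm.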