disable reverse lookup for GSSAPI

Lars Hanke debian at lhanke.de
Tue Jul 1 07:02:22 EDT 2014


I try to access my samba4 AD DC using Kerberos authentication. The 
following command works nicely on the DC itself, given that 
Administrator has a ticket. But it fails on the client machine:

root at samba4:/# ldapsearch -b "dc=ad,dc=microsult,dc=de" -H 
ldap://samba.ad.microsult.de -Y GSSAPI '(sAMAccountName=mgr)' > /dev/null
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information 
(Server not found in Kerberos database)

tcpdump showed that ldap/samba.uac.microsult.de is tried as principal, 
which definitely is not in the database. The reason why GSSAPI tries to 
use this FQDN is also obvious from the trace. In fact, both FQDNs are the 
same machine, but the reverse lookup returns uac.microsult.de 
instead of ad.microsult.de. This is actually how I want it to be.

The search parameter in resolv.conf is set to ad.microsult.de, i.e. even 
looking up samba returns the correct FQDN for the Kerberos domain.

root at samba4:/# host samba
samba.ad.microsult.de has address 172.16.6.240
root at samba4:/# host samba.ad.microsult.de
samba.ad.microsult.de has address 172.16.6.240
root at samba4:/# host samba.uac.microsult.de
samba.uac.microsult.de has address 172.16.6.240
root at samba4:/# host 172.16.6.240
240.6.16.172.in-addr.arpa domain name pointer samba.uac.microsult.de.

Is there any way to stop GSSAPI from the reverse lookup?

I use the MIT flavor libraries. Would it perhaps be better to use Heimdal?

Thanks for your help,
  - lars.
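As an added example (not code from Lars's post, nor from MIT Kerberos or Cyrus SASL), the following script models the host-name canonicalisation that produces the unexpected principal above: the client library forward-resolves the host to its canonical name and then, when reverse lookups are enabled, reverse-resolves the first address and prefers the PTR name. The two keyword parameters correspond to the MIT krb5.conf `[libdefaults]` keys `dns_canonicalize_hostname` and `rdns`; the `TableResolver` data is constructed from the `host` output quoted in the post, and `SystemResolver`, `reverse_mismatch` and the simplified lookup order are assumptions of this example, not the library's exact code.

```python
"""Model of MIT Kerberos host-name canonicalisation for a service principal.

Added example (not code from the original post or from MIT/Cyrus). It
reproduces, in simplified form, the steps the client library takes when
building a host-based service principal: forward-resolve the host to its
canonical name, then (if rdns is enabled) reverse-resolve the first address
and prefer the PTR name. The table below is constructed from the host(1)
output quoted in the post.
"""
import socket
from typing import Optional, Tuple


class TableResolver:
    """Offline resolver backed by fixed forward/reverse tables."""

    def __init__(self, forward: dict, reverse: dict):
        self.forward = forward   # name -> (canonical name, address)
        self.reverse = reverse   # address -> PTR name

    def canonical_name(self, host: str) -> Optional[Tuple[str, str]]:
        return self.forward.get(host.lower())

    def reverse_name(self, address: str) -> Optional[str]:
        return self.reverse.get(address)


class SystemResolver:
    """Resolver that asks the real system resolver (needs working DNS)."""

    def canonical_name(self, host: str) -> Optional[Tuple[str, str]]:
        try:
            info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
        except socket.gaierror:
            return None
        canon = info[0][3] or host       # canonname is only set on the first entry
        return canon, info[0][4][0]

    def reverse_name(self, address: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(address)[0]
        except (socket.herror, socket.gaierror):
            return None


def service_principal(service, host, resolver, dns_canonicalize=True, rdns=True):
    """Return 'service/hostname' as the client library would construct it.

    dns_canonicalize and rdns mirror the MIT krb5.conf [libdefaults] keys
    dns_canonicalize_hostname and rdns (both default to true).
    """
    name, address = host, None
    if dns_canonicalize:
        forward = resolver.canonical_name(host)
        if forward:
            name, address = forward
        if rdns and address:
            ptr = resolver.reverse_name(address)
            if ptr:                      # the PTR name wins when the lookup succeeds
                name = ptr
    return f"{service}/{name.rstrip('.').lower()}"


def reverse_mismatch(host, resolver):
    """Return (forward_name, ptr_name) when reverse DNS disagrees with forward DNS.

    A non-None result means rdns-enabled clients will ask the KDC for a
    principal under the PTR name, which is the failure seen in the post.
    """
    forward = resolver.canonical_name(host)
    if not forward:
        return None
    canon, address = forward
    ptr = resolver.reverse_name(address)
    canon = canon.rstrip('.').lower()
    if ptr is None or ptr.rstrip('.').lower() == canon:
        return None
    return canon, ptr.rstrip('.').lower()


# Constructed tables reproducing the post's DNS layout: search domain
# ad.microsult.de for the short name, PTR record pointing into uac.microsult.de.
POST_DNS = TableResolver(
    forward={
        "samba": ("samba.ad.microsult.de", "172.16.6.240"),
        "samba.ad.microsult.de": ("samba.ad.microsult.de", "172.16.6.240"),
        "samba.uac.microsult.de": ("samba.uac.microsult.de", "172.16.6.240"),
    },
    reverse={"172.16.6.240": "samba.uac.microsult.de."},
)

if __name__ == "__main__":
    for rdns in (True, False):
        print(f"rdns={rdns}:",
              service_principal("ldap", "samba.ad.microsult.de", POST_DNS, rdns=rdns))
    print("mismatch:", reverse_mismatch("samba", POST_DNS))
```

Run with the constructed tables, `rdns=True` yields `ldap/samba.uac.microsult.de` and `rdns=False` yields `ldap/samba.ad.microsult.de`; swapping in `SystemResolver()` turns `reverse_mismatch` into a quick pre-flight check against live DNS for any host whose PTR record is intentionally in a different zone than its Kerberos realm.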
