disable reverse lookup for GSSAPI
Lars Hanke
debian at lhanke.de
Tue Jul 1 14:43:57 EDT 2014
On 01.07.2014 19:32, Dan White wrote:
> On 07/01/14 13:02 +0200, Lars Hanke wrote:
>> I try to access my samba4 AD DC using Kerberos authentication. The
>> following command works nicely on the DC itself, given that
>> Administrator has a ticket. But it fails on the client machine:
>>
>> root at samba4:/# host samba
>> samba.ad.microsult.de has address 172.16.6.240
>> root at samba4:/# host samba.ad.microsult.de
>> samba.ad.microsult.de has address 172.16.6.240
>> root at samba4:/# host samba.uac.microsult.de
>> samba.uac.microsult.de has address 172.16.6.240
>> root at samba4:/# host 172.16.6.240
>> 240.6.16.172.in-addr.arpa domain name pointer samba.uac.microsult.de.
>>
>> Is there any way to stop GSSAPI from the reverse lookup?
>>
>> I use the MIT flavor libraries. Is it probably better using Heimdal?
>
> See:
>
> http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
>
> The rdns and dns_canonicalize_hostname options should control dns lookups.
>
Tried rdns already. Now tried with both options, but still no change. I
guess that SASL does request something specifically. All standard
Kerberos stuff (winbind, PAM, AD joining, ...) works perfectly - and
wouldn't if these services also did reverse lookups.

As a workaround I can list the AD DC in /etc/hosts and SASL GSSAPI
(ldapsearch) works, but this somehow counters the idea of DNS.

More ideas?

Thanks for your help,
- lars.
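
Added example (not part of the original message, and not code from MIT krb5 or Cyrus SASL): a simplified Python model of the hostname canonicalization that the `rdns` and `dns_canonicalize_hostname` options in krb5.conf control, using DNS records constructed from the `host` output quoted above. The service name `ldap` and the helper names are assumptions; the model covers only the Kerberos library's own canonicalization, not lookups done by the application or SASL layer.

```python
# Simplified model of how MIT krb5 derives the host part of a service
# principal, depending on "dns_canonicalize_hostname" and "rdns".
# The DNS data is constructed from the `host` output in the post.

FORWARD = {  # name -> (canonical name, address)
    "samba.ad.microsult.de": ("samba.ad.microsult.de", "172.16.6.240"),
    "samba.uac.microsult.de": ("samba.uac.microsult.de", "172.16.6.240"),
}
REVERSE = {"172.16.6.240": "samba.uac.microsult.de."}  # PTR record


def canonical_host(host, dns_canonicalize_hostname=True, rdns=True,
                   forward=FORWARD, reverse=REVERSE):
    """Return the host name a client would place in the service principal."""
    name = host
    if dns_canonicalize_hostname:
        entry = forward.get(host.lower().rstrip("."))
        if entry is not None:            # forward lookup succeeded
            name, addr = entry
            if rdns:                     # reverse lookup only follows a forward one
                name = reverse.get(addr, name)
    return name.lower().rstrip(".")


def service_principal(service, host, **opts):
    """Build service/host; the realm is omitted in this model."""
    return f"{service}/{canonical_host(host, **opts)}"


def report(host, service="ldap"):        # "ldap" is an assumption (ldapsearch)
    """List the principal produced by each combination of the two options."""
    rows = []
    for canon in (True, False):
        for rdns in (True, False):
            spn = service_principal(service, host,
                                    dns_canonicalize_hostname=canon, rdns=rdns)
            rows.append((canon, rdns, spn))
    return rows


if __name__ == "__main__":
    for canon, rdns, spn in report("samba.ad.microsult.de"):
        print(f"dns_canonicalize_hostname={canon!s:5} rdns={rdns!s:5} -> {spn}")
```

With both options at their defaults the PTR name replaces the name the user typed, so the client asks for a ticket for a different host name than the one it connected to.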