GSSAPI uses wrong FQDN and realm
Lars Hanke
debian@lhanke.de
Fri Jun 13 05:31:05 EDT 2014
I'm currently setting up an ADC using samba4 and am trying to query the
integrated LDAP using Kerberos authentication. This works in principle,
but fails with ldapsearch SASL GSSAPI. The error message hints that
somehow the wrong principal and realm are used.
root@samba:/# kinit Administrator
Administrator@AD.MICROSULT.DE's Password:
root@samba:/# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@AD.MICROSULT.DE

  Issued                Expires               Principal
Jun 13 11:15:06 2014  Jun 13 21:15:02 2014  krbtgt/AD.MICROSULT.DE@AD.MICROSULT.DE
root@samba:/# ldbsearch -H ldap://samba.ad.microsult.de -k yes '(sAMAccountName=mgr)' > /dev/null
root@samba:/# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@AD.MICROSULT.DE

  Issued                Expires               Principal
Jun 13 11:15:06 2014  Jun 13 21:15:02 2014  krbtgt/AD.MICROSULT.DE@AD.MICROSULT.DE
Jun 13 11:15:35 2014  Jun 13 21:15:02 2014  ldap/samba.ad.microsult.de@AD.MICROSULT.DE
root@samba:/# ldapsearch -b "dc=ad,dc=microsult,dc=de" -H ldap://samba.ad.microsult.de -Y GSSAPI '(sAMAccountName=mgr)' > /dev/null
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/samba.mgr@MGR) not found)
root@samba:/# host samba.ad.microsult.de
samba.ad.microsult.de has address 172.16.6.240
root@samba:/# host 172.16.6.240
240.6.16.172.in-addr.arpa domain name pointer samba.uac.microsult.de.
root@samba:/# host samba.uac.microsult.de
samba.uac.microsult.de has address 172.16.6.240
root@samba:/# host samba.mgr
samba.mgr has address 172.16.6.240
There are deliberately several domains resolving to the same IP. .mgr is
going to be phased out, and I'm not yet sure how to integrate the AD DNS
into my infrastructure. "grep -nR MGR /etc" has no hits, i.e. the realm
is not defined anywhere.
root@samba:/# cat /etc/krb5.conf
[libdefaults]
        default_realm = AD.MICROSULT.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true
Any idea why GSSAPI converts samba.ad.microsult.de to samba.mgr and how
it concludes that MGR is the proper realm?
Thanks for your help,
- lars.
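Added illustration, not part of Lars's post and not code from Heimdal, Samba or Cyrus SASL: a small Python model of how a Kerberos library derives the target principal for a GSSAPI bind when the caller gives only a service and a host name. The point it shows is that with dns_lookup_realm = false and no [domain_realm] section, the realm chosen for a service host is not default_realm at all but the host's own domain part, upper-cased (the fallback Heimdal uses in krb5_get_host_realm); so once the resolver has canonicalised samba.ad.microsult.de to samba.mgr, the library asks for ldap/samba.mgr@MGR, which is exactly the principal in the ldapsearch error. The forward-lookup table is constructed from the host output in the post; that the resolver canonicalises 172.16.6.240 to samba.mgr is an assumption, and the [domain_realm] block in the second krb5.conf is a suggested mapping, not something from the post.

```python
"""Model of Kerberos service-principal / realm selection for a GSSAPI target.

Added example for this thread.  It is NOT Heimdal, Samba or Cyrus SASL code;
it reproduces the realm-selection rule so the MGR realm in the error can be
seen to follow from the host name alone.  DNS data is constructed inline so
the script runs offline.
"""
import re
from typing import Dict

# Constructed forward data mirroring the `host` output in the post.
CONSTRUCTED_A = {
    "samba.ad.microsult.de": "172.16.6.240",
    "samba.uac.microsult.de": "172.16.6.240",
    "samba.mgr": "172.16.6.240",
}
# Assumption: the canonical name the resolver hands back for that address
# (from /etc/hosts or a PTR record) is samba.mgr.
CONSTRUCTED_CANON = {"172.16.6.240": "samba.mgr"}

# The poster's /etc/krb5.conf, verbatim.
POSTER_KRB5_CONF = """
[libdefaults]
        default_realm = AD.MICROSULT.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""

# Suggested variant (assumption, not from the post): pin every legacy
# domain that still resolves to the DC to the AD realm.
FIXED_KRB5_CONF = """
[libdefaults]
        default_realm = AD.MICROSULT.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true

[domain_realm]
        .mgr = AD.MICROSULT.DE
        .uac.microsult.de = AD.MICROSULT.DE
        .ad.microsult.de = AD.MICROSULT.DE
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for flat krb5.conf sections (no nested {} blocks)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            current[key] = val
    return sections


def realm_for_host(host: str, conf: Dict[str, Dict[str, str]]) -> str:
    """Realm for a service host with dns_lookup_realm = false:
    1. exact [domain_realm] entry for the host;
    2. [domain_realm] entry for each parent domain (".mgr", ".de", ...);
    3. otherwise the host's domain part, upper-cased.
    default_realm is only used for a single-label host (simplification)."""
    mapping = conf.get("domain_realm", {})
    host = host.rstrip(".").lower()
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand]
    if "." in host:
        return host.split(".", 1)[1].upper()
    return conf.get("libdefaults", {}).get("default_realm", "")


def canonicalize(host: str, forward: Dict[str, str], canon: Dict[str, str]) -> str:
    """Resolver-style canonicalisation: forward-resolve the name, then take
    the canonical name recorded for that address (constructed tables stand in
    for getaddrinfo / PTR data)."""
    addr = forward.get(host)
    if addr is None:
        return host
    return canon.get(addr, host)


def gssapi_target(service: str, host: str, conf_text: str,
                  canonicalize_host: bool = True) -> str:
    """Principal a GSSAPI initiator will request for service@host."""
    conf = parse_krb5_conf(conf_text)
    if canonicalize_host:
        host = canonicalize(host, CONSTRUCTED_A, CONSTRUCTED_CANON)
    return f"{service}/{host}@{realm_for_host(host, conf)}"


if __name__ == "__main__":
    for label, conf, canon in (("poster conf, canonicalised", POSTER_KRB5_CONF, True),
                               ("poster conf, as typed (ldbsearch)", POSTER_KRB5_CONF, False),
                               ("with [domain_realm]", FIXED_KRB5_CONF, True)):
        print(f"{label:36s} -> {gssapi_target('ldap', 'samba.ad.microsult.de', conf, canon)}")
```

Running it prints ldap/samba.mgr@MGR for the poster's configuration, ldap/samba.ad.microsult.de@AD.MICROSULT.DE when the name is used as typed (the ticket ldbsearch obtained), and ldap/samba.mgr@AD.MICROSULT.DE once a [domain_realm] mapping covers .mgr. The realm half of the problem is therefore a missing mapping; the host half (why the resolver returns samba.mgr for that address) is a separate question about /etc/hosts and reverse DNS that this model only parameterises.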