GSSAPI uses wrong FQDN and realm

Lars Hanke debian at lhanke.de
Fri Jun 13 05:31:05 EDT 2014 

I'm currently setting up an ADC using samba4 and try to query the 
integrated LDAP using Kerberos authentication. This works in principle, 
but fails with ldapsearch SASL GSSAPI. The error message hints that 
somehow the wrong principal and realm are used.

root at samba:/# kinit Administrator
Administrator at AD.MICROSULT.DE's Password:
root at samba:/# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: Administrator at AD.MICROSULT.DE

   Issued                Expires               Principal
Jun 13 11:15:06 2014  Jun 13 21:15:02 2014 
krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE
root at samba:/# ldbsearch -H ldap://samba.ad.microsult.de -k yes 
'(sAMAccountName=mgr)' > /dev/nullroot at samba:/# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: Administrator at AD.MICROSULT.DE

   Issued                Expires               Principal
Jun 13 11:15:06 2014  Jun 13 21:15:02 2014 
krbtgt/AD.MICROSULT.DE at AD.MICROSULT.DE
Jun 13 11:15:35 2014  Jun 13 21:15:02 2014 
ldap/samba.ad.microsult.de at AD.MICROSULT.DE
root at samba:/# ldapsearch -b "dc=ad,dc=microsult,dc=de" -H 
ldap://samba.ad.microsult.de -Y GSSAPI '(sAMAccountName=mgr)' > /dev/null
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: 
Miscellaneous failure (see text) (Matching credential 
(ldap/samba.mgr at MGR) not found)
root at samba:/# host samba.ad.microsult.de
samba.ad.microsult.de has address 172.16.6.240
root at samba:/# host 172.16.6.240
240.6.16.172.in-addr.arpa domain name pointer samba.uac.microsult.de.
root at samba:/# host samba.uac.microsult.de
samba.uac.microsult.de has address 172.16.6.240
root at samba:/# host samba.mgr
samba.mgr has address 172.16.6.240

There are deliberately several domains resolving to the same IP. .mgr is 
going to phase out, and I'm not yet sure how to integrate the AD DNS 
into my infrastructure. "grep -nR MGR /etc" has no hits, i.e. the realm 
is not defined anywhere.

root at samba:/# cat /etc/krb5.conf
[libdefaults]
         default_realm = AD.MICROSULT.DE
         dns_lookup_realm = false
         dns_lookup_kdc = true

Any idea why GSSAPI converts samba.ad.microsult.de to samba.mgr and how 
it concludes that MGR is the proper realm?

Thanks for your help,
  - lars.

More information about the Cyrus-sasl mailing list