GSSAPI uses wrong FQDN and realm
Dan White
dwhite at olp.net
Fri Jun 13 11:35:45 EDT 2014
On 06/13/14 11:31 +0200, Lars Hanke wrote:
>I'm currently setting up an ADC using samba4 and try to query the
>integrated LDAP using Kerberos authentication. This works in
>principle, but fails with ldapsearch SASL GSSAPI. The error message
>hints that somehow the wrong principal and realm are used.
>
>root@samba:/# ldbsearch -H ldap://samba.ad.microsult.de -k yes
>'(sAMAccountName=mgr)' > /dev/null
>root@samba:/# klist
>ldap/samba.ad.microsult.de@AD.MICROSULT.DE
>root@samba:/# ldapsearch -b "dc=ad,dc=microsult,dc=de" -H
>ldap://samba.ad.microsult.de -Y GSSAPI '(sAMAccountName=mgr)' >
>/dev/null
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
>Miscellaneous failure (see text) (Matching credential
>(ldap/samba.mgr@MGR) not found)
Check your KDC logs, which could indicate a server side issue (I'm not
familiar with ldbsearch or why it may work when ldapsearch doesn't).
If so, you may need to explicitly set olcSaslHost/olcSaslRealm, assuming
that you are using slapd.
>root@samba:/# host samba.ad.microsult.de
>samba.ad.microsult.de has address 172.16.6.240
>root@samba:/# host 172.16.6.240
>240.6.16.172.in-addr.arpa domain name pointer samba.uac.microsult.de.
>root@samba:/# host samba.uac.microsult.de
>samba.uac.microsult.de has address 172.16.6.240
>root@samba:/# host samba.mgr
>samba.mgr has address 172.16.6.240
Is it possible you have IPv6 in the mix? Try explicitly passing -6. Check
/etc/hosts as well.
>root@samba:/# cat /etc/krb5.conf
>[libdefaults]
> default_realm = AD.MICROSULT.DE
> dns_lookup_realm = false
> dns_lookup_kdc = true
--
Dan White
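A simplified model of the client-side principal construction this thread is diagnosing, added here as an example (it is not code from the thread, from Samba or from any Kerberos library). The DNS data is taken from the `host` output quoted above; the /etc/hosts entry, the nsswitch order ("files" before "dns"), the reverse-lookup canonicalisation and the upper-cased-domain realm fallback are assumptions of the model.

```python
# Simplified model of client-side service-principal construction (assumption:
# not the exact MIT krb5 / Heimdal code path, only the steps it follows).
# DNS data below is taken from the `host` output in the thread; the /etc/hosts
# entry and the nsswitch order ("files" before "dns") are constructed.
FORWARD_DNS = {
    "samba.ad.microsult.de": "172.16.6.240",
    "samba.uac.microsult.de": "172.16.6.240",
    "samba.mgr": "172.16.6.240",
}
REVERSE_DNS = {"172.16.6.240": "samba.uac.microsult.de"}
HOSTS_FILE = {"172.16.6.240": "samba.mgr"}  # constructed: a stale /etc/hosts line


def reverse_lookup(ip, hosts_file):
    """Address -> name, consulting /etc/hosts before DNS (nsswitch 'files dns')."""
    return hosts_file.get(ip) or REVERSE_DNS.get(ip)


def host_realm(fqdn, domain_realm):
    """Map a host to a realm via [domain_realm]: exact name first, then each
    parent domain with a leading dot.  With no match (and dns_lookup_realm =
    false) fall back to the upper-cased DNS domain, which is how a realm such
    as MGR can appear (assumption: version-dependent fallback heuristic)."""
    if fqdn in domain_realm:
        return domain_realm[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return ".".join(labels[1:]).upper()


def service_principal(target, rdns=True, hosts_file=None, domain_realm=None):
    """Principal an LDAP client asks the KDC for when binding to `target`."""
    canonical = target
    if rdns:  # rdns = true (the default): canonicalise via reverse lookup
        canonical = reverse_lookup(FORWARD_DNS[target], hosts_file or {}) or target
    return f"ldap/{canonical}@{host_realm(canonical, domain_realm or {})}"


def dns_consistent(name):
    """True when the PTR of the host's address points back to `name`."""
    return REVERSE_DNS.get(FORWARD_DNS[name]) == name


if __name__ == "__main__":
    print(service_principal("samba.ad.microsult.de", hosts_file=HOSTS_FILE))
    print(service_principal("samba.ad.microsult.de", rdns=False))
    print(dns_consistent("samba.ad.microsult.de"))
```

In the model, only disabling reverse canonicalisation (rdns=False) yields the principal that the ticket shown by klist was issued for; a [domain_realm] mapping alone fixes the realm but leaves the host part wrong.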