GSSAPI uses wrong FQDN and realm [Solved]

Lars Hanke debian at lhanke.de
Fri Jun 13 12:53:35 EDT 2014


Thanks for the answer. In parallel I ran strace, found that /etc/hosts 
is read, and that the latter resolves the IP to samba.mgr. After 
changing /etc/hosts everything worked fine. GSSAPI then seems to 
auto-deduce the realm from the FQDN despite the default domain given in 
/etc/krb5.conf.


On 13.06.2014 17:35, Dan White wrote:
> On 06/13/14 11:31 +0200, Lars Hanke wrote:
>> I'm currently setting up an ADC using samba4 and try to query the
>> integrated LDAP using Kerberos authentication. This works in
>> principle, but fails with ldapsearch SASL GSSAPI. The error message
>> hints that somehow the wrong principal and realm are used.
>>
>> root at samba:/# ldbsearch -H ldap://samba.ad.microsult.de -k yes
>> '(sAMAccountName=mgr)' > /dev/null
>> root at samba:/# klist
>
>> ldap/samba.ad.microsult.de at AD.MICROSULT.DE
>
>> root at samba:/# ldapsearch -b "dc=ad,dc=microsult,dc=de" -H
>> ldap://samba.ad.microsult.de -Y GSSAPI '(sAMAccountName=mgr)' > /dev/null
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>>        additional info: SASL(-1): generic failure: GSSAPI Error:
>> Miscellaneous failure (see text) (Matching credential
>> (ldap/samba.mgr at MGR) not found)
>
> Check your KDC logs, which could indicate a server side issue (I'm not
> familiar with ldbsearch or why it may work when ldapsearch doesn't).
>
> If so, you may need to explicitly set olcSaslHost/olcSaslRealm, assuming
> that you are using slapd.
>
>> root at samba:/# host samba.ad.microsult.de
>> samba.ad.microsult.de has address 172.16.6.240
>> root at samba:/# host 172.16.6.240
>> 240.6.16.172.in-addr.arpa domain name pointer samba.uac.microsult.de.
>> root at samba:/# host samba.uac.microsult.de
>> samba.uac.microsult.de has address 172.16.6.240
>> root at samba:/# host samba.mgr
>> samba.mgr has address 172.16.6.240
>
> Is it possible you have IPv6 in the mix? Try explicitly passing -6. Check
> /etc/hosts as well.
>
>> root at samba:/# cat /etc/krb5.conf
>> [libdefaults]
>>        default_realm = AD.MICROSULT.DE
>>        dns_lookup_realm = false
>>        dns_lookup_kdc = true
>
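The thread's root cause is that the GSSAPI client canonicalizes the target name through a reverse lookup (here answered from /etc/hosts) and then derives the realm from that canonical name, so a stale PTR silently changes the service principal it asks the KDC for. The following is an added example, not code from the original thread or from any Kerberos library: it models the observed canonicalization with constructed lookup tables matching the thread's output, offers a pre-flight check for the forward/reverse mismatch, and shows the effect of the two usual fixes besides correcting /etc/hosts, namely `rdns = false` in `[libdefaults]` or a `[domain_realm]` mapping. The realm fallback to the upper-cased parent domain is what the error message on this page shows, not a claim about the library's exact algorithm.

```python
from typing import Dict, Optional
# Constructed tables reproducing the thread's resolution: one address behind
# three names, and the /etc/hosts reverse entry that yielded "samba.mgr".
FORWARD = {"samba.ad.microsult.de": "172.16.6.240",
           "samba.uac.microsult.de": "172.16.6.240",
           "samba.mgr": "172.16.6.240"}
REVERSE = {"172.16.6.240": "samba.mgr"}

def canonical_host(host: str, rdns: bool, forward: Dict[str, str],
                   reverse: Dict[str, str]) -> str:
    """Service-name canonicalization as observed: forward-resolve, then (when
    reverse lookup is on) replace the name with the PTR result."""
    host = host.lower()
    addr = forward.get(host)
    if addr is None or not rdns:
        return host
    return reverse.get(addr, host).lower()

def realm_for_host(host: str, domain_realm: Dict[str, str],
                   default_realm: str) -> str:
    """Realm selection with dns_lookup_realm = false: match host, then each
    parent domain, against [domain_realm]; with no match the thread shows the
    upper-cased parent domain ("MGR") being used rather than default_realm."""
    labels = host.split(".")
    for i in range(len(labels)):
        key = host if i == 0 else "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return ".".join(labels[1:]).upper() if len(labels) > 1 else default_realm

def expected_principal(service: str, host: str, rdns: bool = True,
                       domain_realm: Optional[Dict[str, str]] = None,
                       default_realm: str = "AD.MICROSULT.DE",
                       forward: Dict[str, str] = FORWARD,
                       reverse: Dict[str, str] = REVERSE) -> str:
    """Principal the GSSAPI client will look for in its ccache for host."""
    canon = canonical_host(host, rdns, forward, reverse)
    realm = realm_for_host(canon, domain_realm or {}, default_realm)
    return f"{service}/{canon}@{realm}"

def rdns_mismatch(host: str, forward: Dict[str, str] = FORWARD,
                  reverse: Dict[str, str] = REVERSE) -> Optional[str]:
    """Pre-flight check for the condition strace uncovered: the PTR for the
    host's address does not map back to the name the client was given."""
    addr = forward.get(host.lower())
    ptr = reverse.get(addr, "").lower() if addr else ""
    if ptr and ptr != host.lower():
        return f"{host} -> {addr} -> {ptr}: ticket will be requested for {ptr}"
    return None
```

Running `rdns_mismatch("samba.ad.microsult.de")` against the constructed tables reports the detour through samba.mgr; passing a corrected reverse table, or `rdns=False` to `expected_principal`, yields `ldap/samba.ad.microsult.de@AD.MICROSULT.DE`, the principal that was already in the ccache.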