On Wed, Jun 24, 2015 at 08:48:29PM +0000, Carl Pettersson (EXT BN) wrote:
> > > > Ldapsearch does not look good:
> > > > # ldapsearch -h foo-ad02.a.foo.com -Y GSSAPI -b OU=...
> > > > SASL/GSSAPI authentication started
> > > > ldap_sasl_interactive_bind_s: Local error (-2)
> > > > additional info: SASL(-1): generic failure: GSSAPI Error:
> > > > Unspecified GSS failure. Minor code may provide more information
> > > > (Cannot determine realm for numeric host address)
> > > >
> > > > And this I guess comes back to the DNS records? Because in
> > > > ad.example.com, both A and PTR look good, but if I lookup from
> > > > foo-ad02.a.foo.com, I can only resolve the A record. It looks like
> > > > that domain only has conditional forwarders for the forward zone,
> > > > not reverse.
> > >
> > > OK, then I think this is the issue. btw, does it help to add -N to the
> > > ldapsearch options to tell libldap to not canonicalize the hostnames?
> >
> > Yes, -N allowed me to query the other domain, when I used the myuser-ticket.
>
> Interesting, I /thought/ that's what we did in SSSD as well.. I'll check the
> code again.
>
> > Removing that, however, I get the same error as before. I'm not familiar
> > with ldapsearch, but I tried using -U 'MACHINE$@AD.EXAMPLE.COM' to make it use
> > the machine ticket, but that didn't seem to work.
>
> If you kinit with -k as shown above, then the acquired ticket should be used
> automatically.
>
> Ah, that did it! However, ldapsearch with this ticket gives the "not found in database"
> error:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Server not found in Kerberos database)

Do you by chance have 'rdns = true' in krb5.conf (or not set at all,
because the default is true)? If this is the case please set it to
'rdns = false'.
If there are still issues please send the output of
KRB5_TRACE=/dev/stdout ldapsearch -Y GSSAPI ....
which will give more detailed information about Kerberos authentication.
HTH
bye,
Sumit
> >
> > >
> > > Would it help if you add a record to /etc/hosts?
> > >
> >
> > My hosts-file contains only this row:
> > 127.0.0.1 machine.ad.example.com machine localhost
> >
> > Should that be enough, or do you mean some other row?
>
> I meant to use the public IP for machine.ad.example.com

> Added that, but it seemed to have no impact on the results of ldapsearch.
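Sumit's rdns hint above, worked through as an added example (this is an editor's simulation, not code from the thread or from libkrb5/libldap): it models how the client turns the LDAP server's hostname into the ldap/ service principal it asks the KDC for, and why the reverse-lookup step taken when rdns = true can produce the "Server not found in Kerberos database" failure, while a bare IP address gives "Cannot determine realm for numeric host address". All DNS records, realms and principals below are constructed for the demonstration.

```python
import ipaddress

# Constructed DNS and KDC data for the simulation; no real hosts, addresses or realms.
A_RECORDS = {"dc1.ad.example.com": "192.0.2.20", "foo-ad02.a.foo.com": "192.0.2.10"}
PTR_RECORDS = {
    "192.0.2.20": "dc1.internal.ad.example.com",  # PTR name differs from the A name
    # 192.0.2.10 has no PTR: the reverse zone is not forwarded, as in the thread
}
DOMAIN_REALM = {"ad.example.com": "AD.EXAMPLE.COM", "a.foo.com": "A.FOO.COM"}
# Service principals the simulated KDCs actually hold.
KDC_PRINCIPALS = {"ldap/dc1.ad.example.com@AD.EXAMPLE.COM", "ldap/foo-ad02.a.foo.com@A.FOO.COM"}

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def canonical_host(host: str, rdns: bool) -> str:
    """Hostname canonicalization as done when a client builds a service principal."""
    if is_ip_literal(host):
        return host  # nothing to resolve; realm_for() rejects a numeric name
    addr = A_RECORDS.get(host)
    if addr is None:
        raise LookupError(f"unknown host {host}")
    # rdns = true: reverse-resolve the address and let the PTR name replace the
    # forward name, keeping the forward name when no PTR exists; rdns = false skips this.
    return PTR_RECORDS.get(addr, host) if rdns else host

def realm_for(host: str) -> str:
    if is_ip_literal(host):
        raise LookupError("Cannot determine realm for numeric host address")
    labels = host.lower().split(".")
    for i in range(len(labels)):  # longest matching [domain_realm] suffix wins
        realm = DOMAIN_REALM.get(".".join(labels[i:]))
        if realm:
            return realm
    raise LookupError(f"no realm mapping for {host}")

def ldap_bind_outcome(host: str, rdns: bool = True) -> str:
    """The ldap/ principal the client would request, or a failure text modelled
    on the GSSAPI minor-code messages quoted in the thread."""
    try:
        name = canonical_host(host, rdns)
        princ = f"ldap/{name}@{realm_for(name)}"
    except LookupError as err:
        return f"error: {err}"
    if princ not in KDC_PRINCIPALS:
        return f"error: Server not found in Kerberos database ({princ})"
    return princ
```

Calling ldap_bind_outcome("dc1.ad.example.com", rdns=True) shows the mismatch caused by the PTR name, and the same call with rdns=False yields the principal the KDC knows.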
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users