GSSAPI uses wrong FQDN and realm

I'm currently setting up an ADC using samba4 and am trying to query the integrated LDAP using Kerberos authentication. This works in principle, but fails with ldapsearch SASL GSSAPI. The error message hints that somehow the wrong principal and realm are used.

root@samba:/# kinit Administrator
Administrator@xxxxxxxxxxxxxxx's Password:
root@samba:/# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@xxxxxxxxxxxxxxx

  Issued                Expires               Principal
Jun 13 11:15:06 2014 Jun 13 21:15:02 2014 krbtgt/AD.MICROSULT.DE@xxxxxxxxxxxxxxx
root@samba:/# ldbsearch -H ldap://samba.ad.microsult.de -k yes '(sAMAccountName=mgr)' > /dev/null
root@samba:/# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@xxxxxxxxxxxxxxx

  Issued                Expires               Principal
Jun 13 11:15:06 2014 Jun 13 21:15:02 2014 krbtgt/AD.MICROSULT.DE@xxxxxxxxxxxxxxx
Jun 13 11:15:35 2014 Jun 13 21:15:02 2014 ldap/samba.ad.microsult.de@xxxxxxxxxxxxxxx
root@samba:/# ldapsearch -b "dc=ad,dc=microsult,dc=de" -H ldap://samba.ad.microsult.de -Y GSSAPI '(sAMAccountName=mgr)' > /dev/null
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/samba.mgr@MGR) not found)
root@samba:/# host samba.ad.microsult.de
samba.ad.microsult.de has address 172.16.6.240
root@samba:/# host 172.16.6.240
240.6.16.172.in-addr.arpa domain name pointer samba.uac.microsult.de.
root@samba:/# host samba.uac.microsult.de
samba.uac.microsult.de has address 172.16.6.240
root@samba:/# host samba.mgr
samba.mgr has address 172.16.6.240

There are deliberately several domains resolving to the same IP. .mgr is going to be phased out, and I'm not yet sure how to integrate the AD DNS into my infrastructure. "grep -nR MGR /etc" has no hits, i.e. the realm is not defined anywhere.

root@samba:/# cat /etc/krb5.conf
[libdefaults]
        default_realm = AD.MICROSULT.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true

Any idea why GSSAPI converts samba.ad.microsult.de to samba.mgr and how it concludes that MGR is the proper realm?

Thanks for your help,
 - lars.



