Thanks for the answer. In parallel I ran strace, found that /etc/hosts
is read, and that the latter resolves the IP to samba.mgr. After
changing /etc/hosts everything worked fine. GSSAPI then seems to
auto-deduce the realm from the FQDN despite the default domain given in
/etc/krb5.conf.
On 13.06.2014 17:35, Dan White wrote:
On 06/13/14 11:31 +0200, Lars Hanke wrote:
I'm currently setting up an ADC using samba4 and try to query the
integrated LDAP using Kerberos authentication. This works in
principle, but fails with ldapsearch SASL GSSAPI. The error message
hints that somehow the wrong principal and realm are used.
root@samba:/# ldbsearch -H ldap://samba.ad.microsult.de -k yes
'(sAMAccountName=mgr)' > /dev/null
root@samba:/# klist
ldap/samba.ad.microsult.de@xxxxxxxxxxxxxxx
root@samba:/# ldapsearch -b "dc=ad,dc=microsult,dc=de" -H
ldap://samba.ad.microsult.de -Y GSSAPI '(sAMAccountName=mgr)' > /dev/null
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (Matching credential
(ldap/samba.mgr@MGR) not found)
Check your KDC logs, which could indicate a server side issue (I'm not
familiar with ldbsearch or why it may work when ldapsearch doesn't).
If so, you may need to explicitly set olcSaslHost/olcSaslRealm, assuming
that you are using slapd.
root@samba:/# host samba.ad.microsult.de
samba.ad.microsult.de has address 172.16.6.240
root@samba:/# host 172.16.6.240
240.6.16.172.in-addr.arpa domain name pointer samba.uac.microsult.de.
root@samba:/# host samba.uac.microsult.de
samba.uac.microsult.de has address 172.16.6.240
root@samba:/# host samba.mgr
samba.mgr has address 172.16.6.240
Is it possible you have IPv6 in the mix? Try explicitly passing -6. Check
/etc/hosts as well.
root@samba:/# cat /etc/krb5.conf
[libdefaults]
default_realm = AD.MICROSULT.DE
dns_lookup_realm = false
dns_lookup_kdc = true
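The hostname canonicalisation that produced ldap/samba.mgr@MGR above can be traced step by step. The script below is an added example written for this page, not code from the thread, from Samba or from MIT Kerberos; it emulates two documented steps of libkrb5's sname_to_principal (resolve the given hostname with AI_CANONNAME, then, when rdns is enabled, reverse-map the address and use that name; pick the realm from [domain_realm], else uppercase the parent domain of the canonical name). The /etc/hosts contents and the DNS records are constructed from the lookups shown in the thread so that it runs offline; the "files dns" resolver order and the function names are assumptions of the example.

```python
"""Emulate how libkrb5 derives the GSSAPI service principal for a hostname.

Added example, not code from the thread or from Samba/MIT Kerberos. It
models the documented behaviour of MIT krb5's sname_to_principal:
  1. canonicalise the host via getaddrinfo(AI_CANONNAME), then, if rdns is
     true, replace it with the reverse lookup (PTR) of the address;
  2. realm from [domain_realm]; with no match, uppercase the parent domain.
The resolver below is a constructed stand-in (nsswitch order "files dns").
"""

# Constructed /etc/hosts as the thread's strace finding implies: the address
# maps back to samba.mgr. glibc returns the FIRST name on a line as the
# canonical name for both forward and reverse lookups.
HOSTS_BROKEN = "172.16.6.240 samba.mgr\n"

# Constructed fix: list the Kerberos FQDN first on the line.
HOSTS_FIXED = "172.16.6.240 samba.ad.microsult.de samba.mgr\n"

# Constructed DNS zone, taken from the `host` output quoted in the thread.
DNS_A = {
    "samba.ad.microsult.de": "172.16.6.240",
    "samba.uac.microsult.de": "172.16.6.240",
    "samba.mgr": "172.16.6.240",
}
DNS_PTR = {"172.16.6.240": "samba.uac.microsult.de"}

# The thread's krb5.conf shows no [domain_realm] section; default_realm is
# NOT consulted by sname_to_principal, so this stays empty.
DOMAIN_REALM = {}


def parse_hosts(text):
    """Return ({name: ip}, {ip: canonical_name}) from /etc/hosts-style text."""
    forward, reverse = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            forward.setdefault(name.lower(), ip)
        reverse.setdefault(ip, names[0].lower())
    return forward, reverse


def resolve_forward(name, hosts_text):
    """getaddrinfo(AI_CANONNAME): /etc/hosts first, then the DNS zone."""
    fwd, rev = parse_hosts(hosts_text)
    if name in fwd:
        return fwd[name], rev[fwd[name]]      # canonical = first name on line
    if name in DNS_A:
        return DNS_A[name], name              # no CNAME in the constructed zone
    return None, name                         # unresolvable: used verbatim


def resolve_reverse(ip, hosts_text):
    """getnameinfo(): /etc/hosts first, then DNS PTR."""
    _, rev = parse_hosts(hosts_text)
    return rev.get(ip) or DNS_PTR.get(ip)


def canonical_hostname(host, hosts_text, rdns=True):
    """Step 1 of sname_to_principal."""
    host = host.lower().rstrip(".")
    ip, canon = resolve_forward(host, hosts_text)
    if ip is not None and rdns:
        canon = resolve_reverse(ip, hosts_text) or canon
    return canon


def realm_for(host, domain_realm):
    """Step 2: exact host, then ".suffix" entries, else uppercased parent domain."""
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()


def service_principal(service, host, rdns=True, hosts_text=HOSTS_BROKEN,
                      domain_realm=DOMAIN_REALM):
    """The principal GSSAPI will look for in the credential cache."""
    canon = canonical_hostname(host, hosts_text, rdns)
    return f"{service}/{canon}@{realm_for(canon, domain_realm)}"


if __name__ == "__main__":
    for label, kw in [("hosts as found, rdns on", {}),
                      ("hosts as found, rdns off", {"rdns": False}),
                      ("hosts fixed, rdns on", {"hosts_text": HOSTS_FIXED}),
                      ("no hosts entry, DNS PTR only", {"hosts_text": ""})]:
        print(f"{label:30s} -> {service_principal('ldap', 'samba.ad.microsult.de', **kw)}")
```

Two things the run makes visible: the principal depends on whichever name the address maps back to, not on default_realm, and the DNS PTR record quoted in the thread (samba.uac.microsult.de) would have given a third, equally wrong principal once the /etc/hosts entry was gone. The reverse step can be disabled with `rdns = false` in [libdefaults], or avoided by making the PTR and /etc/hosts canonical names agree with the name the service's keytab actually holds.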