disable reverse lookup for GSSAPI


I am trying to access my samba4 AD DC using Kerberos authentication. The following command works nicely on the DC itself, given that Administrator has a ticket. But it fails on the client machine:

root@samba4:/# ldapsearch -b "dc=ad,dc=microsult,dc=de" -H ldap://samba.ad.microsult.de -Y GSSAPI '(sAMAccountName=mgr)' > /dev/null
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

tcpdump showed that ldap/samba.uac.microsult.de is tried as the principal, which definitely is not in the database. The reason why GSSAPI tries to use this FQDN is also obvious from the trace. In fact, both FQDNs are the same machine, but the reverse lookup returns uac.microsult.de instead of ad.microsult.de. This is actually how I want it to be.

The search parameter in resolv.conf is set to ad.microsult.de, i.e. even looking up samba returns the correct FQDN for the Kerberos domain.

root@samba4:/# host samba
samba.ad.microsult.de has address 172.16.6.240
root@samba4:/# host samba.ad.microsult.de
samba.ad.microsult.de has address 172.16.6.240
root@samba4:/# host samba.uac.microsult.de
samba.uac.microsult.de has address 172.16.6.240
root@samba4:/# host 172.16.6.240
240.6.16.172.in-addr.arpa domain name pointer samba.uac.microsult.de.

Is there any way to stop GSSAPI from the reverse lookup?

I use the MIT flavor libraries. Would it perhaps be better to use Heimdal?

Thanks for your help,
 - lars.
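As an added example (not part of the original post), the MIT krb5 `[libdefaults]` settings that control the hostname canonicalization described above; the realm name AD.MICROSULT.DE and the `domain_realm` mapping are assumed from the LDAP base DN in the post, and the file would live at /etc/krb5.conf on the client.

```ini
[libdefaults]
    ; Assumed realm, derived from dc=ad,dc=microsult,dc=de
    default_realm = AD.MICROSULT.DE

    ; Default behaviour (rdns = true): after the forward lookup of
    ; samba.ad.microsult.de -> 172.16.6.240, MIT krb5 reverse-resolves the
    ; address and builds the service principal from the PTR result, which
    ; here yields ldap/samba.uac.microsult.de@AD.MICROSULT.DE and fails with
    ; "Server not found in Kerberos database".
    ;
    ; Setting rdns = false keeps the forward-canonicalized name, so the
    ; principal becomes ldap/samba.ad.microsult.de@AD.MICROSULT.DE.
    rdns = false

    ; Optional, stricter: also skip the forward canonicalization and use the
    ; hostname exactly as typed (requires the FQDN in the -H URI).
    ; dns_canonicalize_hostname = false

    ; Realm lookup via DNS SRV records is fine to leave enabled.
    dns_lookup_kdc = true

[realms]
    AD.MICROSULT.DE = {
        ; Assumed: the DC from the post acts as KDC
        kdc = samba.ad.microsult.de
    }

[domain_realm]
    ; Map both forward zones to the AD realm so a hostname in either zone
    ; resolves to the same realm if canonicalization is ever re-enabled.
    .ad.microsult.de = AD.MICROSULT.DE
    .uac.microsult.de = AD.MICROSULT.DE
```

With `rdns = false` in place, re-running the ldapsearch from the post (with `KRB5_TRACE=/dev/stderr` set) should show the ldap/samba.ad.microsult.de principal being requested instead of the PTR-derived one.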
