On Mon, 2017-03-06 at 09:38 +0100, Sumit Bose wrote:
> On Mon, Mar 06, 2017 at 09:27:56AM +0100, knauf(a)patronas.com wrote:
> > Hello,
> >
> > I have a problem authenticating the identity of a principal to a NAT'ed
> > server via GSSAPI.
> > Our KDC/LDAP is externally available through a NAT_IP (and NAT_HOSTNAME)
> >
> > The connection to the server looks fine:
> > ------------------------------------------
> > nc -v NAT_IP 389
> > Ncat: Version 6.40 ( http://nmap.org/ncat )
> > Ncat: Connected to NAT_IP:389.
> > ------------------------------------------
> >
> > relevant part of: /etc/sssd/sssd.conf
> > ------------------------------------------
> > [domain/XXXXX.XX]
> >
> > ldap_sasl_mech = gssapi
> > ldap_sasl_authid = host/FQDN_HOST
> > ldap_sasl_canonicalize = false
> > ldap_user_principal = userPrincipalName
> > ldap_krb5_keytab = /etc/krb5.keytab
> > ldap_krb5_init_creds = true
> > ldap_krb5_ticket_lifetime = 86400
> > sudo_provider = ldap
> > access_provider = ldap
> > ldap_access_order = host
> > ------------------------------------------
> >
> > After restarting the sssd daemon, I got the following error message
> > (sssd_DOMAIN.log):
> >
> > ------------------------------------------
> > [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user:
> > host/FQDN_HOST
> > [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> > [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic
> > failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> > more information (Server not found in Kerberos database)]
> > [sdap_cli_connect_recv] (0x0040): Unable to establish connection
> > [1432158225]: Authentication Failed
> > [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING.
> > Called from: src/providers/ldap/sdap_async_connection.c:
> > sdap_cli_connect_recv: 2048
> > [fo_set_port_status] (0x0100): Marking port 389 of server 'NAT_IP' as
> > 'not working'
> > [fo_set_port_status] (0x0400): Marking port 389 of duplicate server
> > 'NAT_IP' as 'not working'
> > ------------------------------------------
> >
> > After spending some time on this problem, I could narrow it down to a
> > DNS reverse lookup problem during the GSSAPI authentication.
> It is in general recommended to disable reverse lookups for
> Kerberos/GSSAPI/SASL to avoid this kind of issue. On Fedora and RHEL it
> is disabled by default by setting:
>
> rdns = false

You may also need to add:

dns_canonicalize_hostname = false

HTH,
Simo.

> in /etc/krb5.conf and
>
> SASL_NOCANON on
>
> in /etc/openldap/ldap.conf.
>
> HTH
>
> bye,
> Sumit
> >
> > If I set the following entry into /etc/hosts all works fine, but this
> > solution is not practicable for me:
> >
> > NAT_IP REAL_HOSTNAME
> >
> > Perhaps you have some clues for me to solve this problem?
> >
> > Thanks & greets
> >
> > Steffen
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
--
Simo Sorce * Red Hat, Inc * New York
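Sumit's and Simo's advice comes down to three system-wide settings, and the reason they matter beyond this NAT case is that with reverse-DNS canonicalization left on, the service principal the client asks the KDC for (here an ldap/<name>@REALM principal) is derived from whatever name the PTR answer returns, not from the name the client was configured to contact; that is why Fedora and RHEL ship with rdns = false. Steffen already had ldap_sasl_canonicalize = false in sssd.conf, which only covers the SASL layer; the krb5.conf settings control the canonicalization done inside the Kerberos library itself. The script below is an added example, not code from the thread or from SSSD: it audits those three settings on config text passed as strings, with sample fragments constructed inline, and with --audit reads the live files at the paths named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD: audit the settings
# recommended on sssd-users (rdns and dns_canonicalize_hostname in
# /etc/krb5.conf, SASL_NOCANON in /etc/openldap/ldap.conf). The checks take
# config text as strings so they can be exercised offline.

# Exit 0 if the [libdefaults] section of krb5.conf text ($1) sets key $2 to
# value $3 (compared case-insensitively). Per-realm overrides under [realms]
# are not examined, and only the documented spelling of the value is accepted
# (krb5 also takes no/0 for booleans).
krb5_libdefault_is() {
    printf '%s\n' "$1" | awk -v key="$2" -v want="$3" '
        /^[[:space:]]*[#;]/ { next }                       # comment line
        /^[[:space:]]*\[/ {                                 # section header
            insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next
        }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)             # drop "key ="
            sub(/[[:space:]]+$/, "", val)                   # trailing blanks
            found = (tolower(val) == tolower(want))         # last one wins
        }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if ldap.conf text ($1) has directive $2 set to $3. ldap.conf lines
# are "DIRECTIVE value"; directive names are case-insensitive.
ldap_conf_is() {
    printf '%s\n' "$1" | awk -v key="$2" -v want="$3" '
        /^[[:space:]]*#/ { next }
        toupper($1) == toupper(key) { found = (tolower($2) == tolower(want)) }
        END { exit found ? 0 : 1 }'
}

# Print one status line per recommended setting; return how many are missing.
# $1 = krb5.conf text, $2 = ldap.conf text
check_settings() {
    missing=0
    for spec in \
        "krb5_libdefault_is|rdns|false" \
        "krb5_libdefault_is|dns_canonicalize_hostname|false" \
        "ldap_conf_is|SASL_NOCANON|on"
    do
        fn=${spec%%|*}; rest=${spec#*|}; key=${rest%%|*}; want=${rest#*|}
        case $fn in
            krb5_libdefault_is) text=$1; file=/etc/krb5.conf ;;
            *)                  text=$2; file=/etc/openldap/ldap.conf ;;
        esac
        if "$fn" "$text" "$key" "$want"; then
            echo "ok       $file: $key $want"
        else
            echo "MISSING  $file: $key $want"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample configs (not from the thread): a stock setup that leaves
# reverse-DNS canonicalization on, beside the hardened version.
KRB5_DEFAULT='[libdefaults]
    default_realm = EXAMPLE.COM
'
KRB5_HARDENED='[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = false
    dns_canonicalize_hostname = false
'
LDAP_DEFAULT='BASE dc=example,dc=com
'
LDAP_HARDENED='BASE dc=example,dc=com
SASL_NOCANON on
'

# --audit checks the live files; --demo runs the checks on the samples.
if [ "${1:-}" = "--audit" ]; then
    check_settings "$(cat /etc/krb5.conf 2>/dev/null)" \
                   "$(cat /etc/openldap/ldap.conf 2>/dev/null)"
elif [ "${1:-}" = "--demo" ]; then
    echo "== default configs ==";  check_settings "$KRB5_DEFAULT" "$LDAP_DEFAULT"
    echo "== hardened configs ==" ; check_settings "$KRB5_HARDENED" "$LDAP_HARDENED"
fi
```

Run it with --demo to see the three settings reported as MISSING for the stock fragments and ok for the hardened ones, and with --audit on a host to check the real files; the exit status of check_settings is the number of settings still missing, so it can feed a configuration-compliance check.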