  1. #1 (Just Joined!, Join Date Feb 2007, Posts 2)

    Kerberos, LDAP Reverse DNS

    Hello,
    I'm trying to set up a unified network infrastructure using kerberos and ldap, and am almost finished, but am running into a problem, the cause of which I cannot determine.
    Before explaining the problem, I have to explain my network structure somewhat. The LAN is both IPv4 and IPv6-enabled, with each server having a public IPv6 address (with correct forward and reverse DNS records), and a NAT IPv4 address in the range 10.5.10.0/24. All IPv4 IPs are NAT'd behind the global IPv4 address 69.61.141.122. I have full control over forward IPv4 DNS, forward IPv6 DNS, and reverse IPv6 DNS, but not over reverse IPv4 DNS for the 69.61.141.122 IP. I'm trying to get kerberos and ldap working completely over IPv6, and I thought I was successful.
    The kerberos KDC and the OpenLDAP slapd are running on the same host, gauss.cluenet.org. This forward/reverse resolves to its own IPv6 address and forward resolves to 69.61.141.122 IPv4. However, 69.61.141.122 resolves to a single hostname not within .cluenet.org.
    I have slapd set up to use SASL/GSSAPI authentication and it seems to be mainly working, but for a problem with the authentication on other machines. I have the ldap service principal set up under ldap/gauss.cluenet.org@CLUENET.ORG.
    The first host which I am using to make a kerberos/ldap service is called newton.cluenet.org. The problem I am running into involves using ldapsearch from that machine. I am almost positive that there's no problem with my krb5.conf file, but here's my ldap.conf file:
    BASE dc=cluenet,dc=org
    URI ldaps://ldap.cluenet.org
    TLS_REQCERT allow
    SASL_REALM cluenet.org
    Where ldap.cluenet.org is a CNAME to gauss.cluenet.org.
    The problem is that the ldapsearch command does not work under normal circumstances. When executed, it gives this error:
    newton:~# ldapsearch
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
    This is accompanied by the following entries in the KDC log (on gauss.cluenet.org):
    Feb 18 10:41:32 gauss krb5kdc[6309](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 2002:453d:8d7a:aaaa:250:8bff:fef1:9d39: UNKNOWN_SERVER: authtime 1171812597, chules[at]CLUENET.ORG for krbtgt/NET@CLUENET.ORG, Server not found in Kerberos database
    Feb 18 10:41:32 gauss krb5kdc[6309](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 2002:453d:8d7a:aaaa:250:8bff:fef1:9d39: UNKNOWN_SERVER: authtime 1171812597, chules[at]CLUENET.ORG for krbtgt/ORG@CLUENET.ORG, Server not found in Kerberos database
    Feb 18 10:41:32 gauss krb5kdc[6309](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 2002:453d:8d7a:aaaa:250:8bff:fef1:9d39: UNKNOWN_SERVER: authtime 1171812597, chules[at]CLUENET.ORG for krbtgt/NET@CLUENET.ORG, Server not found in Kerberos database
    Feb 18 10:41:32 gauss krb5kdc[6309](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 2002:453d:8d7a:aaaa:250:8bff:fef1:9d39: UNKNOWN_SERVER: authtime 1171812597, chules[at]CLUENET.ORG for krbtgt/ORG@CLUENET.ORG, Server not found in Kerberos database

    (Note that @ signs were replaced with [at] here to prevent spambots from crawling them as emails)

    While experimenting, I found that adding the following entry in /etc/hosts on newton.cluenet.org causes the ldapsearch command to work:
    69.61.141.122 gauss.cluenet.org
    Because gauss.cluenet.org already forward resolves to the IPv4 address 69.61.141.122, I can only surmise that somewhere a reverse lookup is done on 69.61.141.122. Also, changing the entry to:
    10.5.10.246 gauss.cluenet.org
    works as well, where 10.5.10.246 is gauss's local LAN address.

    My questions are:
    1. How do I make it stop performing IPv4 lookups and change it completely to IPv6?
    2. At what point in the sequence of events is this lookup made?
    3. Why does changing the /etc/hosts on the service host change authentication on the server?
    4. Where did the strange (nonexistent) principals listed in the KDC logs come from?

    Any help at all would be greatly appreciated. I've been trying to get this to work for a while, but am stuck with this. Thanks a lot.

    Chris
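    The symptoms above (a CNAME to gauss, an IPv4 NAT address whose PTR points outside .cluenet.org, and an /etc/hosts entry that "fixes" it) match a GSSAPI client that canonicalizes the server name through reverse DNS before building the service principal. The following Python simulation is added here and is not part of the thread; it replays the three situations using the thread's own names, and the PTR target name and the "files before dns" nsswitch ordering are assumptions.

```python
# Added example (not from the thread): how a GSSAPI client derives the LDAP service
# principal from the URI hostname with MIT krb5 [libdefaults] rdns = true versus false.
# DNS data is CONSTRUCTED to mirror the poster's setup; the PTR target is a placeholder.
from dataclasses import dataclass, field

@dataclass
class Resolver:
    cname: dict = field(default_factory=dict)  # alias -> canonical name
    a: dict = field(default_factory=dict)      # name -> IPv4 address
    ptr: dict = field(default_factory=dict)    # IPv4 address -> name (reverse DNS)
    hosts: dict = field(default_factory=dict)  # /etc/hosts entries: address -> name

    def forward(self, name):
        while name in self.cname:  # follow the CNAME chain: ldap -> gauss
            name = self.cname[name]
        return name, self.a[name]

    def reverse(self, addr):
        # assumes nsswitch order "hosts: files dns": /etc/hosts beats the PTR record,
        # which is why the poster's /etc/hosts entry makes ldapsearch work
        return self.hosts.get(addr) or self.ptr.get(addr, addr)

def canonical_host(resolver, name, rdns=True):
    canon, addr = resolver.forward(name)
    return resolver.reverse(addr) if rdns else canon

def service_principal(resolver, service, name, realm, rdns=True):
    return f"{service}/{canonical_host(resolver, name, rdns)}@{realm}"

def kdc_lookup(principal, database):
    return "ok" if principal in database else "Server not found in Kerberos database"

KDC_DB = {"ldap/gauss.cluenet.org@CLUENET.ORG"}  # the only ldap principal the KDC holds

def demo():
    lan = Resolver(cname={"ldap.cluenet.org": "gauss.cluenet.org"},
                   a={"gauss.cluenet.org": "69.61.141.122"},
                   ptr={"69.61.141.122": "nat-gateway.isp-example.net"})  # outside .cluenet.org
    results = {}
    # 1. rdns on: whoever controls the PTR zone decides which principal gets requested
    p = service_principal(lan, "ldap", "ldap.cluenet.org", "CLUENET.ORG")
    results["rdns"] = (p, kdc_lookup(p, KDC_DB))
    # 2. the poster's workaround: /etc/hosts maps the NAT address back to gauss
    lan.hosts["69.61.141.122"] = "gauss.cluenet.org"
    p = service_principal(lan, "ldap", "ldap.cluenet.org", "CLUENET.ORG")
    results["hosts"] = (p, kdc_lookup(p, KDC_DB))
    # 3. rdns = false: the forward canonical name is used; no PTR dependence at all
    p = service_principal(lan, "ldap", "ldap.cluenet.org", "CLUENET.ORG", rdns=False)
    results["no_rdns"] = (p, kdc_lookup(p, KDC_DB))
    return results
```

    Setting rdns = false in the [libdefaults] section of krb5.conf (a real MIT krb5 option) is the durable version of the /etc/hosts workaround: a reverse zone the admin does not control can then no longer change which principal the client asks the KDC for.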

  2. #2 (Just Joined!, Join Date Feb 2007, Posts 41)
    I don't know much about ldap, but you have already answered this question:

    Why does changing the /etc/hosts on the service host change authentication on the server?
    Because it requires reverse DNS to work properly.

  3. #3 (Just Joined!, Join Date Feb 2007, Posts 2)
    Well, the operative word there was "service host" as opposed to the KDC.
