"Xu, Qiang (FXSGSC)" <[email protected]> wrote in message
news:d8c9bc7ffcf8154fb7141eb8db609c172905982...@sgpaphq-exscc01.dc01.fujixerox.net...
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Markus Moeller
>> Sent: Wednesday, March 25, 2009 7:53 AM
>> To: [email protected]
>> Subject: Re: SASL authentication
>>
>> You need to do nslookup sesswin2003.sesswin2003.com or
>> nslookup sesswin2003.com or add a search path to your
>> resolv.conf file (e.g. search
>> sesswin2003.com)
>
> Yesterday, my resolv.conf was like this:
> =================================
> search sgp.fujixerox.com sesswin2003.com
> nameserver 13.198.8.83
> nameserver 13.198.96.10
> nameserver 13.198.98.35
> =================================
> To my dismay, it didn't work. The hostname "sesswin2003" still couldn't be
> resolved to its IP address.
>
> Today, with the help of our local SA, the file is changed to:
> =================================
> search sgp.fujixerox.com sesswin2003.com
> nameserver 13.198.98.35
> nameserver 13.198.96.10
> =================================
> It seems the order of nameserver list is important. Quite strange. Or it
> may be the problem of some DNS server. Because if I put the nameserver
> 13.198.96.10 in front of 13.198.98.35, it still doesn't work. By right, if
> a hostname can't be located by the first nameserver, it should continue to
> look for the hostname in the second nameserver, right?
>

No it wouldn't. If the first server says unknown domain it is a valid response
and the next server wouldn't be queried. Only if the first server does not
reply the second will be used (afaik)

> Anyway, now nslookup works perfectly:
> =================================
> q...@durian(pts/1):/etc[17]$ nslookup sesswin2003
> Server: 13.198.98.35
> Address: 13.198.98.35#53
>
> Name: sesswin2003.sesswin2003.com
> Address: 13.198.98.35
>
> q...@durian(pts/1):/etc[18]$ nslookup sesswin2003.sesswin2003.com
> Server: 13.198.98.35
> Address: 13.198.98.35#53
>
> Name: sesswin2003.sesswin2003.com
> Address: 13.198.98.35
> =================================
> For me, it is quite promising.
>
> Then I did what Michael and Doug told me, i.e. kinit, klist and
> ldapsearch:
> =================================
> q...@durian(pts/1):/etc[19]$ kinit [email protected]
> Password for [email protected]:
>
> q...@durian(pts/1):/etc[20]$ klist
> Ticket cache: FILE:/tmp/krb5cc_20153
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 03/25/09 17:21:13 03/26/09 03:21:11
> krbtgt/[email protected]
> renew until 03/26/09 17:21:13
>
>
> Kerberos 4 ticket cache: /tmp/tkt20153
> klist: You have no tickets cached
>
> q...@durian(pts/1):/etc[21]$ ldapsearch -Y GSSAPI -H
> 'ldap://sesswin2003.sesswin2003.com' -b 'dc=sesswin2003,dc=com' -s
> sub -LLL 'cn=xuan' mail
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 56
> SASL installing layers
> dn: CN=xuan,CN=Users,DC=sesswin2003,DC=com
> mail: [email protected]
>
> #
> refldap://ForestDnsZones.sesswin2003.com/DC=ForestDnsZones,DC=sesswin2003,D
> C=com
>
> #
> refldap://DomainDnsZones.sesswin2003.com/DC=DomainDnsZones,DC=sesswin2003,D
> C=com
>
> # refldap://sesswin2003.com/CN=Configuration,DC=sesswin2003,DC=com
> =================================
> It works perfectly. Next I will use this as a bench against my own coding.
>
> Thanks to all,
> Xu Qiang
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
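
The failover rule stated in the reply above, as an added example that is not part of the original thread: a simplified Python model of a stub resolver walking the two resolv.conf files quoted in the message. The `ZONES` table (which server knows which name) and the function names are assumptions constructed for illustration; real resolvers also apply options such as `ndots`, `timeout` and `attempts`.

```python
NXDOMAIN, TIMEOUT = "NXDOMAIN", "TIMEOUT"
BEFORE = """search sgp.fujixerox.com sesswin2003.com
nameserver 13.198.8.83
nameserver 13.198.96.10
nameserver 13.198.98.35
"""
AFTER = """search sgp.fujixerox.com sesswin2003.com
nameserver 13.198.98.35
nameserver 13.198.96.10
"""
# Constructed assumption: only 13.198.98.35 holds the sesswin2003.com zone;
# the other two servers reply, but with NXDOMAIN for every name in it.
ZONES = {
    "13.198.8.83": {},
    "13.198.96.10": {},
    "13.198.98.35": {"sesswin2003.sesswin2003.com": "13.198.98.35"},
}

def parse_resolv_conf(text):
    """Return (search_domains, nameservers) from resolv.conf text."""
    search, servers = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        if fields[0] == "search":
            search = fields[1:]      # a later 'search' line replaces an earlier one
        elif fields[0] == "nameserver":
            servers.append(fields[1])
    return search, servers

def resolve(host, conf_text, zones):
    """zones maps server -> {fqdn: address}, or TIMEOUT if it never replies."""
    search, servers = parse_resolv_conf(conf_text)
    expanded = [f"{host}.{d}" for d in search]
    candidates = [host] + expanded if "." in host else expanded + [host]
    trail = []                       # (name, server, result) for each query sent
    for name in candidates:
        for server in servers:
            zone = zones.get(server, TIMEOUT)
            if zone == TIMEOUT:
                trail.append((name, server, TIMEOUT))
                continue             # no reply: fail over to the next nameserver
            answer = zone.get(name, NXDOMAIN)
            trail.append((name, server, answer))
            if answer != NXDOMAIN:
                return answer, trail
            break                    # NXDOMAIN is a valid reply: stop asking servers
    return None, trail
```

Calling `resolve("sesswin2003", BEFORE, ZONES)` returns no address and a trail that only ever reaches 13.198.8.83, while the same call with `AFTER` resolves on the second search suffix.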
