Hello Michael,

Thank you so much for your reply.

I never had an issue with my Kerberos configuration, but I don't know if pdns needs something else that my already deployed services don't need. I have my krb5.conf correctly configured according to my environment:

[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = false
    proxiable = true
    clockskew = 300
    ignore_acceptor_hostname = false
    noaddresses = false
    dns_loookup_realm = false
    dns_lookup_kdc = false
    allow_weak_cryupto = false
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    default_tkt_enctypes = camellia256-cts-cmac
    default_tgs_enctypes = camellia256-cts-cmac

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

[logging]

[realms]
    EXAMPLE.COM = {
        admin_server = server.example.com
        kdc = server.example.com
        kdc = serverbackup.example.com
    }

About permissions:

-r--r----- 1 pdns pdns 110 Feb 18 12:49 /etc/pdns.keytab

I gave a shell to the pdns user to test it:

usermod -s /bin/bash pdns

pdns@server:/> kinit -k -t /etc/pdns.keytab pdns/server.example.com

The ticket is retrieved successfully. But when the pdns service tries to retrieve it:

[LdapBackend] LDAP Servers = ldaps://server.example.com
Conn=1543 fd=38 ACCEPT from IP=10.1.1.15:33668 (IP=10.1.1.15:636)
Conn=1543 fd=38 TLS established tls_ssf=256 ssf=256
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_0) )
[LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
[LDAP GSSAPI] No TGT found, trying to acquire a new one
[LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported by protocol

Since pdns checks the Kerberos cache at the very beginning, before asking the KDC for a ticket, I tried to manually store a credential in a credential cache and point the pdns property at it, just as troubleshooting.

I checked the service principal id:

# id pdns/server.example.com
uid=30060(pdns/server.example.com) gid=20000(Services) groups=20000(Services)

I manually asked for a ticket and stored it in a ccache:

# kinit -k -t /etc/pdns.keytab -c /tmp/krb5cc_30060 pdns/server.example.com

I changed the default Kerberos cache for pdns in pdns.conf:

ldap-krb5-ccache=/tmp/krb5cc_30060

And checked the ownership and permissions:

# ls -la /tmp/krb5cc_30060
-rw-rw-rw- 1 pdns pdns 1116 Feb 19 12:30 /tmp/krb5cc_30060

I checked with klist that it is stored correctly. And still the same result...

GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_30060) )
[LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
[LDAP GSSAPI] No TGT found, trying to acquire a new one
[LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported by protocol

Honestly, I don't know what could be happening. If you have any idea about this, it would be very much appreciated.

Thank you so much!

Kind regards.

-----Original Message-----
Date: Fri, 19 Feb 2021 14:50:46 +0100
From: Michael Ströder <mich...@stroeder.com>
To: "pdns-users@mailman.powerdns.com" <pdns-users@mailman.powerdns.com>
Subject: Re: [Pdns-users] RV: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'
Message-ID: <8cc5a2e4-c647-8683-b3a6-13e2eda9c...@stroeder.com>
Content-Type: text/plain; charset=utf-8

On 2/19/21 10:31 AM, Dario García Díaz-Miguel via Pdns-users wrote:
> I had to add to the /etc/openldap/ldap.conf the following parameter:
>
> SASL_MECH GSSAPI

FYI: If you don't want to set this globally you can set env var LDAPRC or LDAPCONF to point to a service-specific ldap.conf. See the details in man-page ldap.conf(5).

> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (No Kerberos credentials available (default cache:
> /tmp/krb5cc_0) ) [LDAP GSSAPI] ldap_sasl_interactive_bind_s returned
> -2 [LDAP GSSAPI] No TGT found, trying to acquire a new one [LDAP
> GSSAPI] krb5 error when getting the TGT: Address family not supported
> by protocol

Do you have a correctly configured /etc/krb5.conf? Again you can point to a service-specific Kerberos config with env var KRB5_CONFIG.

Also check ownership and permissions of your keytab file, whether pdns can read it.

I'd also check whether it works to get a TGT with the keytab for the expected client principal name. Assuming you're running pdns as user pdns:

runuser -u pdns kinit -t /etc/pdns.keytab pdns-service-princi...@realm.example.com

I don't have a kerberized setup so all of the above is just from memory.

Ciao, Michael.
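Both messages above come down to the same two pre-flight checks: is the krb5.conf really what you think it is, and can the service account (and nobody else) read its keytab and credential cache. The script below is an added example, not code from the thread or from PowerDNS. It parses a krb5.conf and reports [libdefaults] keys that krb5.conf(5) does not document (libkrb5 ignores a relation it does not recognise, so a misspelled key such as dns_loookup_realm or allow_weak_cryupto in the quoted config silently falls back to the option's default), and it grades a keytab or ccache from its stat-style mode, uid and gid. The krb5.conf text and the file modes it checks (a 0440 keytab and a 0666 ccache, as in the ls output above) are constructed for the example; the list of known keys is a subset of the MIT krb5.conf(5) relations, not the complete set.

```python
"""Pre-flight checks for a Kerberos service account (added example).

  1. lint [libdefaults] keys against the names krb5.conf(5) documents,
     because libkrb5 silently ignores a relation it does not recognise;
  2. flag a keytab or credential cache that other local users can read
     or replace.
Inputs are constructed for the example, not taken from a live host.
"""
import re
import stat

# Subset of the [libdefaults] relations documented in krb5.conf(5) (MIT Kerberos).
KNOWN_LIBDEFAULTS = {
    "allow_weak_crypto", "canonicalize", "ccache_type", "clockskew",
    "default_ccache_name", "default_client_keytab_name", "default_keytab_name",
    "default_realm", "default_tgs_enctypes", "default_tkt_enctypes",
    "dns_canonicalize_hostname", "dns_lookup_kdc", "dns_lookup_realm",
    "dns_uri_lookup", "forwardable", "ignore_acceptor_hostname",
    "kdc_timesync", "noaddresses", "permitted_enctypes", "proxiable",
    "rdns", "renew_lifetime", "ticket_lifetime", "udp_preference_limit",
    "verify_ap_req_nofail",
}

_SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")
_RELATION = re.compile(r"^\s*([^\s=]+)\s*=\s*(.*?)\s*$")


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the top-level relations of a krb5.conf.

    Subsections such as ``EXAMPLE.COM = { ... }`` under [realms] are skipped
    by counting braces, so only the flat relations of each section are kept.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        if not line.strip():
            continue
        if depth:                            # inside a { ... } subsection
            depth += line.count("{") - line.count("}")
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = _RELATION.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            if value.startswith("{"):        # a subsection opens here
                depth = value.count("{") - value.count("}")
                continue
            sections[current][key] = value
    return sections


def lint_libdefaults(text):
    """Return the [libdefaults] keys that are not in the documented set."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    return sorted(k for k in libdefaults if k not in KNOWN_LIBDEFAULTS)


def check_credential_file(mode, uid, gid, service_uid, service_gid):
    """Findings for a keytab or ccache, given stat-style mode, uid and gid.

    The service account must be able to read the file; nobody else should,
    and no other user may write it (a writable ccache lets any local user
    replace the credentials the service will present).
    """
    findings = []
    if uid != service_uid:
        findings.append("owner is uid %d, expected %d" % (uid, service_uid))
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if gid != service_gid and mode & stat.S_IRGRP:
        findings.append("readable by foreign group gid %d" % gid)
    if uid == service_uid and not mode & stat.S_IRUSR:
        findings.append("not readable by owner")
    return findings


# Constructed krb5.conf in the shape of the one quoted in the thread,
# including two misspelled keys, so the linter has something to find.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = false
    noaddresses = false
    dns_loookup_realm = false
    dns_lookup_kdc = false
    allow_weak_cryupto = false
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        admin_server = server.example.com
        kdc = server.example.com
    }
"""

if __name__ == "__main__":
    print("undocumented [libdefaults] keys:", lint_libdefaults(SAMPLE_KRB5_CONF))
    # Constructed stat values: a 0440 keytab and a 0666 ccache, uid 30060 / gid 20000.
    print("keytab:", check_credential_file(0o440, 30060, 20000, 30060, 20000))
    print("ccache:", check_credential_file(0o666, 30060, 20000, 30060, 20000))
```

On a real host you would feed it the file named by KRB5_CONFIG (or /etc/krb5.conf) and the os.stat() result of the keytab and of the ccache named by ldap-krb5-ccache, run as the service user so the same file that pdns will open is the one being checked.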