Hello, I have a problem authenticating the identity of a principal to a NAT'ed server via GSSAPI. Our KDC/LDAP is externally available through a NAT_IP (and NAT_HOSTNAME).

The connection to the server looks fine:
------------------------------------------
nc -v NAT_IP 389
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to NAT_IP:389.
------------------------------------------

Relevant part of /etc/sssd/sssd.conf:
------------------------------------------
[domain/XXXXX.XX]
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/FQDN_HOST
ldap_sasl_canonicalize = false
ldap_user_principal = userPrincipalName
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
sudo_provider = ldap
access_provider = ldap
ldap_access_order = host
------------------------------------------

After restarting the sssd daemon, I got the following error message (sssd_DOMAIN.log):
------------------------------------------
[sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/FQDN_HOST
[sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
[sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
[sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158225]: Authentication Failed
[_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2048
[fo_set_port_status] (0x0100): Marking port 389 of server 'NAT_IP' as 'not working'
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'NAT_IP' as 'not working
------------------------------------------

After spending some time on this problem, I could narrow it down to a DNS reverse lookup problem during the GSSAPI authentication. If I put the following entry into /etc/hosts, everything works fine, but this solution is not practicable for me:

NAT_IP REAL_HOSTNAME

Perhaps you have some clues for me to solve this problem?

Thanks & greets
Steffen
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
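To make the failure mode described above reproducible offline, here is an added Python model (not code from the poster or from the sssd project) of how a libkrb5-style client derives the target service principal for an LDAP GSSAPI bind: forward lookup of the ldap_uri host first, then, unless reverse lookups are disabled (the `rdns` setting in krb5.conf), a reverse lookup of the address supplies the hostname that goes into `ldap/<host>@REALM`. The hostnames, the realm EXAMPLE.COM, the address 203.0.113.10 and the DNS records are constructed placeholders standing in for NAT_HOSTNAME, NAT_IP and REAL_HOSTNAME.

```python
from dataclasses import dataclass, field

@dataclass
class FakeDns:
    """Constructed stand-in for the system resolver; no real DNS traffic."""
    forward: dict = field(default_factory=dict)  # hostname -> IPv4 address (A record)
    reverse: dict = field(default_factory=dict)  # IPv4 address -> PTR name
    hosts: dict = field(default_factory=dict)    # /etc/hosts entries, consulted before PTR

    def resolve(self, name):
        return self.forward.get(name)

    def reverse_lookup(self, ip):
        return self.hosts.get(ip) or self.reverse.get(ip)

def ldap_service_principal(ldap_host, dns, realm, rdns=True):
    """Service principal a client would request for ldap://<ldap_host>.
    Simplified model of krb5 host canonicalisation: forward-resolve the name,
    then (only if rdns is on) let the reverse record of that address replace it."""
    ip = dns.resolve(ldap_host)
    if ip is None:
        raise LookupError(f"cannot resolve {ldap_host}")
    host = ldap_host
    if rdns:
        host = dns.reverse_lookup(ip) or host
    return f"ldap/{host.lower()}@{realm}"

REALM = "EXAMPLE.COM"
# The KDC only knows the directory server by its real (internal) name.
KDC_PRINCIPALS = {"ldap/ldap.internal.example.com@EXAMPLE.COM"}

def bind_outcome(ldap_host, dns, rdns=True):
    principal = ldap_service_principal(ldap_host, dns, REALM, rdns)
    if principal in KDC_PRINCIPALS:
        return principal, "ticket issued"
    return principal, "Server not found in Kerberos database"

def as_posted():
    # NAT name resolves to the NAT address, whose PTR points back at the NAT name.
    dns = FakeDns(forward={"nat.example.com": "203.0.113.10"},
                  reverse={"203.0.113.10": "nat.example.com"})
    return bind_outcome("nat.example.com", dns)

def with_hosts_entry():
    # The poster's workaround: "NAT_IP REAL_HOSTNAME" in /etc/hosts overrides the PTR.
    dns = FakeDns(forward={"nat.example.com": "203.0.113.10"},
                  reverse={"203.0.113.10": "nat.example.com"},
                  hosts={"203.0.113.10": "ldap.internal.example.com"})
    return bind_outcome("nat.example.com", dns)

def without_rdns():
    # Reverse lookup disabled: the name from ldap_uri is used unchanged.
    dns = FakeDns(forward={"nat.example.com": "203.0.113.10"},
                  reverse={"203.0.113.10": "nat.example.com"})
    return bind_outcome("nat.example.com", dns, rdns=False)

if __name__ == "__main__":
    for case in (as_posted, with_hosts_entry, without_rdns):
        print(f"{case.__name__:17} -> {case()}")
```

The third case shows why disabling reverse lookups alone is not sufficient in this model: the principal is then built from whatever name the ldap_uri carries, so that name must still be one the KDC has a key for.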
