On Mon, Mar 06, 2017 at 09:27:56AM +0100, [email protected] wrote:
> Hello,
>
> I have a problem authenticating the identity of a principal to a NAT'ed
> server via GSSAPI.
> Our KDC/LDAP is externally available through a NAT_IP (and NAT_HOSTNAME).
>
> The connection to the server looks fine:
> ------------------------------------------
> nc -v NAT_IP 389
> Ncat: Version 6.40 ( http://nmap.org/ncat )
> Ncat: Connected to NAT_IP:389.
> ------------------------------------------
>
> relevant part of: /etc/sssd/sssd.conf
> ------------------------------------------
> [domain/XXXXX.XX]
>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = host/FQDN_HOST
> ldap_sasl_canonicalize = false
> ldap_user_principal = userPrincipalName
> ldap_krb5_keytab = /etc/krb5.keytab
> ldap_krb5_init_creds = true
> ldap_krb5_ticket_lifetime = 86400
> sudo_provider = ldap
> access_provider = ldap
> ldap_access_order = host
> ------------------------------------------
>
> After restarting the sssd daemon, I got the following error message
> (sssd_DOMAIN.log):
>
> ------------------------------------------
> [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/FQDN_HOST
> [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
> [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158225]: Authentication Failed
> [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2048
> [fo_set_port_status] (0x0100): Marking port 389 of server 'NAT_IP' as 'not working'
> [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'NAT_IP' as 'not working
> ------------------------------------------
>
> After spending some time on this problem, I could narrow it down to a DNS
> reverse lookup problem during the GSSAPI authentication.

It is in general recommended to disable reverse lookups for Kerberos/GSSAPI/SASL
to avoid this kind of issue. On Fedora and RHEL it is disabled by default by
setting:

    rdns = false

in /etc/krb5.conf and

    SASL_NOCANON on

in /etc/openldap/ldap.conf.

HTH

bye,
Sumit

> If I set the following entry into /etc/hosts all works fine, but this
> solution is not practicable for me:
>
> NAT_IP REAL_HOSTNAME
>
> Perhaps you have some clues for me to solve this problem?
>
> Thanks & greets
>
> Steffen

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
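The reverse-lookup step behind the "Server not found in Kerberos database" error, as an added example that is not code from this thread, from sssd or from libkrb5: a simplified model of how a Kerberos client derives the LDAP service principal it asks the KDC for, read against the rdns setting of a krb5.conf text. All host names, addresses, the realm and the resolver tables are constructed sample data standing in for REAL_HOSTNAME, NAT_IP and NAT_HOSTNAME.

```python
# Added example, not from the thread: a simplified model of how a Kerberos
# client turns the LDAP server name it was given into the service principal
# it requests, with reverse DNS (rdns = true) and without (rdns = false).
# Resolver tables, realm and host names are constructed sample data.

FORWARD = {"ldap1.internal.test": "198.51.100.10"}   # REAL_HOSTNAME -> NAT_IP
REVERSE = {"198.51.100.10": "nat.example.test"}      # PTR of NAT_IP -> NAT_HOSTNAME
KDC_PRINCIPALS = {"ldap/ldap1.internal.test@EXAMPLE.TEST"}  # what the KDC knows


def rdns_enabled(krb5_conf: str) -> bool:
    """Read rdns from [libdefaults] of a krb5.conf text; libkrb5 defaults to true."""
    section, value = None, True
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if key == "rdns":
                value = val.lower() not in ("false", "no", "0")
    return value


def sname_to_principal(service, host, realm, rdns, forward=FORWARD, reverse=REVERSE):
    """With rdns, forward-resolve host and use the PTR name of that address
    (if any) as the canonical host; without rdns, keep the name as given."""
    name = host.lower()
    if rdns and name in forward:
        name = reverse.get(forward[name], name)
    return f"{service}/{name}@{realm}"


def diagnose(ldap_host, realm, krb5_conf, known=KDC_PRINCIPALS):
    """Return (principal requested, error text as seen in the sssd log, or None)."""
    princ = sname_to_principal("ldap", ldap_host, realm, rdns_enabled(krb5_conf))
    err = None if princ in known else "Server not found in Kerberos database"
    return princ, err


DEFAULT_CONF = "[libdefaults]\n default_realm = EXAMPLE.TEST\n"   # rdns left at default
FIXED_CONF = DEFAULT_CONF + " rdns = false\n"                      # the recommended setting

if __name__ == "__main__":
    for label, conf in (("rdns default", DEFAULT_CONF), ("rdns = false", FIXED_CONF)):
        print(label, *diagnose("ldap1.internal.test", "EXAMPLE.TEST", conf))
```

With rdns left at its default the PTR record of the NAT address rewrites the principal to ldap/nat.example.test, which the KDC does not have; with rdns = false the name the client was given is used unchanged.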
