On Mon, 2017-03-06 at 09:38 +0100, Sumit Bose wrote:
> On Mon, Mar 06, 2017 at 09:27:56AM +0100, [email protected] wrote:
> > Hello,
> > 
> > I have a problem authenticating the identity of a principal to a NAT'ed
> > server via GSSAPI.
> > Our KDC/LDAP is externally available through a NAT_IP (and NAT_HOSTNAME).
> > 
> > The connection to the server looks fine:
> > ------------------------------------------
> > nc -v NAT_IP 389
> > Ncat: Version 6.40 ( http://nmap.org/ncat )
> > Ncat: Connected to NAT_IP:389.
> > ------------------------------------------
> > 
> > relevant part of /etc/sssd/sssd.conf:
> > ------------------------------------------
> > [domain/XXXXX.XX]
> > 
> > ldap_sasl_mech = gssapi
> > ldap_sasl_authid = host/FQDN_HOST
> > ldap_sasl_canonicalize = false
> > ldap_user_principal = userPrincipalName
> > ldap_krb5_keytab = /etc/krb5.keytab
> > ldap_krb5_init_creds = true
> > ldap_krb5_ticket_lifetime = 86400
> > sudo_provider = ldap
> > access_provider = ldap
> > ldap_access_order = host
> > ------------------------------------------
> > 
> > 
> > After restarting the sssd daemon, I got the following error message
> > (sssd_DOMAIN.log):
> > 
> > ------------------------------------------
> > [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user:
> > host/FQDN_HOST
> > [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> > [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic
> > failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> > more information (Server not found in Kerberos database)]
> > [sdap_cli_connect_recv] (0x0040): Unable to establish connection
> > [1432158225]: Authentication Failed
> > [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING.
> > Called from: src/providers/ldap/sdap_async_connection.c:
> > sdap_cli_connect_recv: 2048
> > [fo_set_port_status] (0x0100): Marking port 389 of server 'NAT_IP' as
> > 'not working'
> > [fo_set_port_status] (0x0400): Marking port 389 of duplicate server
> > 'NAT_IP' as 'not working'
> > ------------------------------------------
> > 
> > After spending some time on this problem, I could narrow it down to a
> > DNS reverse lookup problem during the GSSAPI authentication.
> 
> It is in general recommended to disable reverse lookups for
> Kerberos/GSSAPI/SASL to avoid this kind of issue. On Fedora and RHEL it
> is disabled by default by setting:
> 
> rdns = false

You may also need to add:

dns_canonicalize_hostname = false

HTH,
Simo.

> in /etc/krb5.conf and
> 
> SASL_NOCANON on
> 
> in /etc/openldap/ldap.conf.
> 
> HTH
> 
> bye,
> Sumit
> 
> > 
> > If I set the following entry in /etc/hosts all works fine, but this
> > solution is not practicable for me:
> > 
> > NAT_IP REAL_HOSTNAME
> > 
> > 
> > Perhaps you have some clues for me to solve this problem?
> > 
> > 
> > Thanks & greets
> > 
> > Steffen
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]

-- 
Simo Sorce * Red Hat, Inc * New York
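The three settings the thread converges on (rdns and dns_canonicalize_hostname under [libdefaults] in krb5.conf, SASL_NOCANON in ldap.conf) are easy to get half-done, so here is an added audit script that is not part of the thread, of SSSD or of MIT Kerberos. It parses krb5.conf and ldap.conf text and reports which of the three is not set as recommended. The function names, the two sample configurations and the NAT_IP placeholder are constructed for this example; a key that is absent from [libdefaults] is reported as missing, since both krb5 keys default to true in MIT Kerberos.

```shell
#!/bin/sh
# Added example, not from the thread: audit the reverse-lookup settings that
# Sumit and Simo recommend for GSSAPI binds through NAT. Function names and
# the sample configurations below are constructed for this example.

# Succeed (exit 0) when KEY = VALUE appears under [libdefaults] in the
# krb5.conf text read from stdin. An absent key does not match, so the MIT
# default (true for both rdns and dns_canonicalize_hostname) would apply.
krb5_libdefault_is() {
    awk -v key="$1" -v want="$2" '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        insect {
            sub(/#.*/, "")
            if (match($0, /^[ \t]*[A-Za-z_]+[ \t]*=/)) {
                k = substr($0, RSTART, RLENGTH); gsub(/[ \t=]/, "", k)
                v = substr($0, RSTART + RLENGTH); gsub(/[ \t]/, "", v)
                if (k == key && tolower(v) == tolower(want)) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Succeed when the ldap.conf text on stdin sets OPTION to VALUE
# (ldap.conf options are whitespace separated and case-insensitive).
ldap_option_is() {
    awk -v key="$1" -v want="$2" '
        { sub(/#.*/, "") }
        NF >= 2 && toupper($1) == toupper(key) && tolower($2) == tolower(want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print every recommended setting missing from the two config texts given as
# arguments; the return value is the number missing (0 = all three present).
audit_gssapi_canon() {
    _krb5="$1"; _ldap="$2"; _missing=0
    printf '%s\n' "$_krb5" | krb5_libdefault_is rdns false ||
        { echo "krb5.conf [libdefaults] lacks: rdns = false"; _missing=$((_missing + 1)); }
    printf '%s\n' "$_krb5" | krb5_libdefault_is dns_canonicalize_hostname false ||
        { echo "krb5.conf [libdefaults] lacks: dns_canonicalize_hostname = false"; _missing=$((_missing + 1)); }
    printf '%s\n' "$_ldap" | ldap_option_is SASL_NOCANON on ||
        { echo "ldap.conf lacks: SASL_NOCANON on"; _missing=$((_missing + 1)); }
    return $_missing
}

# Constructed sample of a krb5.conf that still canonicalizes via reverse DNS.
KRB5_BEFORE='[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = true
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }'
# The same file with the two settings from the thread added.
KRB5_AFTER='[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = false
    dns_canonicalize_hostname = false
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }'
# Constructed ldap.conf without and with SASL_NOCANON.
LDAP_BEFORE='# constructed /etc/openldap/ldap.conf
BASE dc=example,dc=com
URI  ldap://NAT_IP'
LDAP_AFTER="$LDAP_BEFORE
SASL_NOCANON on"

echo "--- before ---"
audit_gssapi_canon "$KRB5_BEFORE" "$LDAP_BEFORE" || echo "$? setting(s) missing"
echo "--- after ---"
audit_gssapi_canon "$KRB5_AFTER" "$LDAP_AFTER" && echo "all three settings present"
```

On a real host run `audit_gssapi_canon "$(cat /etc/krb5.conf)" "$(cat /etc/openldap/ldap.conf)"`. Note that this covers only the libkrb5 and libldap side; the `ldap_sasl_canonicalize = false` line in Steffen's sssd.conf is SSSD's own knob and is checked separately.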
