[Pkg-openldap-devel] Bug#696207: Bug#696207: ldapsearch sets Kerberos principal incorrectly over IPv6

Russ Allbery rra at debian.org
Tue Dec 18 04:23:01 UTC 2012


Brian May <brian at microcomaustralia.com.au> writes:

> With libsasl2-modules-gssapi-mit installed.

> root at tyla:~# ldapsearch  -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org
> uid=aspiers  -H ldap://sys11.ad.vpac.org/ -A
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information (Cannot
> determine realm for numeric host address)


> With libsasl2-modules-gssapi-heimdal installed.

> root at tyla:~# ldapsearch  -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org
> uid=aspiers  -H ldap://sys11.ad.vpac.org/ -A
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
>  Miscellaneous failure (see text) (Matching credential
> (ldap/2001:388:60ac:10d:214:85ff:fef6:8a5@AD.VPAC.ORG) not found)


> It should not be trying to use ldap/2001:388:60ac:10d:214:85ff:fef6:8a5@AD.VPAC.ORG,
> it should use the name I specified on the command line,
> i.e. ldap/sys11.ad.vpac.org@AD.VPAC.ORG

If you add:

    rdns = false

to the [libdefaults] section of your /etc/krb5.conf, does it then work
with MIT?  (I'm not sure what the corresponding Heimdal setting is; a quick
man page check didn't reveal it.)

I think this is your GSS-API library being excessively helpful and
canonicalizing the host identity with DNS for you, and then getting
confused by whatever nsswitch is returning.  This isn't really under the
control of the application; the GSS-API library will do this under the
hood.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
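The following is an added worked example, not code from the thread and not
MIT or Heimdal's actual implementation. It models the behaviour Russ
describes (the GSS-API library resolving the host, optionally reverse-resolving
the address, and building ldap/<host>@<REALM>) and shows how a missing PTR
record turns the principal into the numeric form seen in the report, while
`rdns = false` in `[libdefaults]` keeps the name given on the command line.
The resolver tables, the sample krb5.conf and the exact fallback rule (no PTR
means the literal address is used) are assumptions for the example; the
real libraries differ in details.

```python
"""Model of service-principal canonicalization with and without rdns.

Added example (not from the bug thread, not MIT/Heimdal code).  The resolver
tables and krb5.conf text below are constructed for the demonstration.
"""
import re

# Constructed resolver tables standing in for what nsswitch/DNS return on the
# reporter's host (assumptions for the example, not data from the thread).
FORWARD = {"sys11.ad.vpac.org": "2001:388:60ac:10d:214:85ff:fef6:8a5"}
REVERSE = {}  # no PTR for the address: reverse lookup yields only the literal


def canonicalize_host(host, rdns, forward=FORWARD, reverse=REVERSE):
    """Return the hostname that goes into the service principal."""
    addr = forward.get(host.lower())
    if addr is None:
        raise LookupError(f"cannot resolve {host}")
    if not rdns:
        # rdns = false: stop after the forward lookup and keep the name the
        # caller asked for.
        return host.lower()
    # rdns = true (assumed model): reverse-resolve the address; with no PTR
    # record the only thing left is the numeric address, which is the form
    # the bug report shows in the principal.
    return reverse.get(addr, addr)


def service_principal(service, host, realm, rdns):
    return f"{service}/{canonicalize_host(host, rdns)}@{realm}"


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] headers and top-level
    'relation = value' pairs; braced subsections are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current, depth = header.group(1), 0
            sections.setdefault(current, {})
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0 and "{" not in line and current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def rdns_enabled(conf_text):
    """MIT's rdns default is true, so only an explicit false disables it."""
    libdefaults = parse_krb5_conf(conf_text).get("libdefaults", {})
    return libdefaults.get("rdns", "true").lower() not in ("false", "no", "0")


# Constructed krb5.conf: the realm names match the report, the rest is invented.
KRB5_CONF_BEFORE = """\
[libdefaults]
    default_realm = AD.VPAC.ORG

[realms]
    AD.VPAC.ORG = {
        kdc = sys11.ad.vpac.org
    }
"""

# Same file with the setting Russ suggests added to [libdefaults].
KRB5_CONF_AFTER = KRB5_CONF_BEFORE.replace(
    "default_realm = AD.VPAC.ORG",
    "default_realm = AD.VPAC.ORG\n    rdns = false",
)


def principal_for(conf_text, host="sys11.ad.vpac.org", realm="AD.VPAC.ORG"):
    """Principal the modelled library would ask a ticket for under conf_text."""
    return service_principal("ldap", host, realm, rdns_enabled(conf_text))


if __name__ == "__main__":
    for label, conf in (("rdns default", KRB5_CONF_BEFORE),
                        ("rdns = false", KRB5_CONF_AFTER)):
        print(f"{label:12s} -> {principal_for(conf)}")
```

Two practitioner notes on the setting itself. With reverse lookups on, the
principal you end up authenticating to is chosen by whoever controls the PTR
data for the address, so `rdns = false` is also the safer choice: it pins the
service principal to the name you typed. MIT additionally has a
`dns_canonicalize_hostname` option in `[libdefaults]` that disables the
forward canonicalization as well (not discussed in the thread), and
`KRB5_TRACE=/dev/stderr ldapsearch ...` will show which service principal the
library actually requested, which is the quickest way to confirm the diagnosis
on a real host.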
