[Pkg-openldap-devel] ldap/localhost TGS requested for remote ldapsearch request
marlox at ouda.fr
Tue Apr 17 13:05:26 BST 2018
Package: ldap-utils
Version: 2.4.44+dfsg-5+deb9u1
Severity: minor
When I query ldap service on SRV_B with ldapsearch from SRV_A,
the requested TGS to the KDC is ldap/localhost or ldap/SRV_A.REALM and
not ldap/SRV_B.REALM.
I expect the ldap/SRV_B.REALM TGS to be requested, but I may be missing something in the intended behaviour.
Here is a transcript (from SRV_A; REALM = DOMAIN.TLD):
# kinit user
Password for user at REALM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user at REALM
Valid starting Expire Service principal
********** ****** krbtgt/REALM at REALM
renew until ******
# ldapsearch -H ldap://SRV_B.domain.tld -LLL -b dc=domain,dc=tld
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
# strace -yy -s 128 -o dump.log ldapsearch -H ldap://SRV_B.domain.tld -LLL -b dc=domain,dc=tld
# grep :88 dump.log | tail -n2 # Anonymised
read(5<TCP:[IP_SRV_A:5####->IP_SRV_B:88]>, "...\17REALM\252)...ldap\33srv_a.domain.tld..., 343) = 343
close(5<TCP:[IP_SRV_A:5####->IP_SRV_B:88]>) = 0
Wireshark gives me the following Kerberos messages:
SRV_A -> SRV_B : TGS-REQ
with the sname of req-body set to "ldap" and "domain.tld"
SRV_B -> SRV_A : KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
In my first investigation, I had ldap/localhost being requested, and I made the following modifications.
In /etc/hosts, I also added SRV_A.domain.tld with 127.0.0.1.
In the [domain_realm] section for REALM, I added the following statement:
localhost = REALM
For information, SRV_A is integrated in domain through SSSD and SRV_B is a domain controller.
Configuration files are:
/etc/ldap/ldap.conf:
BASE dc=domain,dc=tld
URI ldap://SRV_B.domain.tld
EOF
/etc/krb5.conf:
[libdefaults]
default_realm = REALM
rdns = false
forwardable = true
default_tkt_enctypes = [...]
default_tgs_enctypes = [...]
permitted_enctypes = [...]
[realms]
REALM = {
auth_to_local = ...
auth_to_local = DEFAULT
}
[domain_realm]
domain.tld = REALM
.domain.tld = REALM
localhost = REALM
[logging]
default = SYSLOG
kdc = SYSLOG
admin-server = SYSLOG
EOF
Other system information:
I use Debian 9.1 (Linux 4.9.0-3-amd64) and the following packages:
* libc6 2.24-11+deb9u1
* libldap-common 2.4.44+dfsg-5+deb9u1
(same version for libldap-*)
* krb5-config 2.5
* krb5-user 1.15-1+deb9u1
(same version for libkrb5* and sssd-krb5*)
* libsasl2-2 2.1.27~101-g0780600+dfsg-3
(same version for libsasl2-modules*)
I have to admit that I don't know if the issue is related to ldap-utils, cyrus-sasl or kerberos, but
the ldap-utils package seems to be the most relevant one.
Thank you for your help,
Marlox
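As an added diagnostic example (not part of the report above and not code from ldap-utils, Cyrus SASL or MIT Kerberos), the following Python script models the three steps a GSSAPI LDAP client goes through to decide which service ticket to ask the KDC for: take the host from the LDAP URI, canonicalise it, map the canonical name to a realm through [domain_realm], and build ldap/<host>@<REALM>. The krb5.conf and /etc/hosts it reads are constructed samples; the canonicalisation rule (the canonical name is the first name on the matching /etc/hosts line, modelled on glibc getaddrinfo with AI_CANONNAME, with rdns = false so no reverse lookup) and the [domain_realm] lookup order (exact host, then parent domains written with a leading dot, then default_realm) are my reading of the MIT behaviour and should be treated as assumptions. The sample hosts line deliberately lists the machine's own FQDN after "localhost", which is one way to end up with an ldap/localhost SPN like the one described in the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample files (not the reporter's real configuration).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = DOMAIN.TLD
    rdns = false

[domain_realm]
    domain.tld = DOMAIN.TLD
    .domain.tld = DOMAIN.TLD
    localhost = DOMAIN.TLD
"""

# The 127.0.0.1 line lists "localhost" before the host's own FQDN.
SAMPLE_HOSTS = """
127.0.0.1   localhost srv_a.domain.tld
10.0.0.2    srv_b.domain.tld srv_b
"""


def parse_krb5_conf(text):
    """Minimal [section] / key = value parser for krb5.conf-style text.
    Nested 'NAME = { ... }' blocks are not needed here and are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("{", "}"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value != "{":
                sections[current][key.lower()] = value
    return sections


def canonical_name(host, hosts_text):
    """Forward canonicalisation modelled on glibc getaddrinfo(AI_CANONNAME)
    against /etc/hosts: the canonical name is the FIRST name on the matching
    line. Assumption: rdns = false (no reverse lookup); names absent from the
    table are returned unchanged, standing in for a DNS answer with no CNAME."""
    wanted = host.lower().rstrip(".")
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        names = [n.lower() for n in fields[1:]]
        if wanted in names:
            return names[0]
    return wanted


def realm_for_host(host, domain_realm, default_realm):
    """[domain_realm] lookup in MIT order (assumed): the exact host name first,
    then each parent domain written with a leading dot (".domain.tld", ".tld").
    Falls back to default_realm; DNS TXT realm discovery is not modelled."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return default_realm


def predict_spn(uri, krb5_conf_text=SAMPLE_KRB5_CONF, hosts_text=SAMPLE_HOSTS):
    """Return each step from LDAP URI to the ldap/<host>@<REALM> principal the
    client would request, so a mismatch can be pinned to hosts or [domain_realm]."""
    conf = parse_krb5_conf(krb5_conf_text)
    host = urlparse(uri).hostname
    if host is None:
        raise ValueError(f"no host in LDAP URI {uri!r}")
    canonical = canonical_name(host, hosts_text)
    realm = realm_for_host(canonical, conf.get("domain_realm", {}),
                           conf["libdefaults"]["default_realm"])
    return {"host": host, "canonical": canonical, "realm": realm,
            "spn": f"ldap/{canonical}@{realm}"}


if __name__ == "__main__":
    for uri in ("ldap://SRV_B.domain.tld", "ldap://SRV_A.domain.tld"):
        steps = predict_spn(uri)
        print(f"{uri}: host={steps['host']} canonical={steps['canonical']} "
              f"-> {steps['spn']}")
```

Running it with the samples shows ldap/srv_b.domain.tld@DOMAIN.TLD for SRV_B but ldap/localhost@DOMAIN.TLD for SRV_A, and swapping the order of names on the 127.0.0.1 line changes the second answer to ldap/srv_a.domain.tld@DOMAIN.TLD. Comparing this prediction with the sname seen in the TGS-REQ capture tells you whether the odd principal comes from name canonicalisation on the client or from somewhere else.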