[Pkg-openldap-devel] ldap/localhost TGS requested for remote ldapsearch request
Dan White
dwhite at olp.net
Tue Apr 17 16:39:43 BST 2018
On 04/17/18 12:05 +0000, marlox at ouda.fr wrote:
>When I query ldap service on SRV_B with ldapsearch from SRV_A,
>the requested TGS to the KDC is ldap/localhost or ldap/SRV_A.REALM and
>not ldap/SRV_B.REALM.
>I expect to send ldap/SRV_B.REALM TGS but I may miss something in the intended behaviour.
>
>Here is a transcript (from SRV_A) : (REALM = DOMAIN.TLD)
>
># kinit user
>Password for user at REALM:
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: user at REALM
>
>Valid starting Expire Service principal
>********** ****** krbtgt/REALM at REALM
> renew until ******
># ldapsearch -H ldap://SRV_B.domain.tld -LLL -b dc=domain,dc=tld
># strace yy -y -s 128 -o dump.log ldapsearch -H ldap://SRV_B.domain.tld -LLL -b dc=domain,dc=tld
># grep :88 dump.log | tail -n2 # Anonymised
>read(5<TCP:[IP_SRV_A:5####->IP_SRV_B:88]>, "...\17REALM\252)...ldap\33srv_a.domain.tld..., 343) = 343
>close(5<TCP:[IP_SRV_A:5####->IP_SRV_B:88]>) = 0
This has the feel of a DNS/host resolution issue. Do you have PTR records
configured appropriately?
>In my first investigation, i had ldap/localhost that was requested and I have done the following modification.
>In /etc/hosts, i also SRV_A.domain.tls with 127.0.0.1
This seems problematic. From the perspective of your KDC, it will have
difficulty establishing which service tickets to provide without a clear
distinction/delineation as to which host owns which IP.
I suggest moving away from any mention of 127.0.0.1 as least from the KDC's perspective.
>In [domain_realms] section of REALM, i added the following statement,
> localhost = REALM
>
>For information, SRV_A is integrated in domain through SSSD and SRV_B is a domain controller.
>Configuration file are :
>/etc/ldap/ldap.conf:
>BASE dc=domain,dc=tld
>URI ldap://SRV_B.domain.tld
>EOF
>
>/etc/krb5.conf:
>[libdefaults]
> default_realm = REALM
> rdns = false
Be sure you know what you're doing here. This does not appear to be default
configuration.
Please review https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html
>Other system information:
>
>I use Debian 9.1 linux 4.9.0-3-amd64 and following packages:
>* libc6 2.24-11+deb9u1
>* libldap-common 2.4.44+dfsg-5+deb9u1
> (idem version for libldap-*)
>* krb5-config 2.5
>* krb5-usr 1.15-1+deb9u1
> (idem version for libkrb5* and ssd-krb5*)
>* libsasl2-2 2.1.27~101-g0780600+dfsg-3
> (idem version for libsasl2-modules*)
>
>I have to admit that I don't know if the issue is related to ldap-utils, cyrus-sasl or kerberos but
>ldap-utils packages seems to be the most relevant one.
Most likely if this behavior is the result of a bug, it is either with
cyrus-sasl or the underlying kerberos library (mit).
More information about the Pkg-openldap-devel
mailing list