OD, Kerberos and DNS

Question

Level 1

0 points

OD, Kerberos and DNS

Hi,
heres the debug log file when im trying to connect to Kerio webmail with an OD user
get the following error
'Cannot resolve network address for KDC in requested realm'
kinit <user> works fine though
any clue ?
tia

Jeff

[18/Nov/2010 16:20:37][2982424576] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2982424576] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2982424576] {dns} Got answer
[18/Nov/2010 16:20:37][2982424576] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2982424576] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2982424576] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2982424576] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2982424576] {dns} Got answer
[18/Nov/2010 16:20:37][2982424576] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2982424576] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2983481344] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2983481344] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2983481344] {dns} Got answer
[18/Nov/2010 16:20:37][2983481344] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2983481344] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2984538112] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2984538112] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2984538112] {dns} Got answer
[18/Nov/2010 16:20:37][2984538112] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2984538112] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2985594880] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2985594880] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2985594880] {dns} Got answer
[18/Nov/2010 16:20:37][2985594880] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2985594880] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2986651648] {dns} Searching DNS for PTR records for IP address 213.30.xx.xx
[18/Nov/2010 16:20:37][2986651648] {dns} Querying server no. 1, address 192.168.165.10
[18/Nov/2010 16:20:37][2986651648] {dns} Got answer
[18/Nov/2010 16:20:37][2986651648] {dns} Valid answer arrived
[18/Nov/2010 16:20:37][2986651648] {dns} PTR record: IP=213.30.xx.xx, name=reverse.completel.net
[18/Nov/2010 16:20:37][2999332864] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: Looking up in cache...
[18/Nov/2010 16:20:37][2999332864] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: found in cache admin@2p2l.info
[18/Nov/2010 16:20:39][2998276096] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: Looking up in cache...
[18/Nov/2010 16:20:39][2998276096] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: found in cache admin@2p2l.info
[18/Nov/2010 16:20:42][2996162560] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: Looking up in cache...
[18/Nov/2010 16:20:42][2996162560] {ldapdb} 00FB281B-ABCF-4F44-91A1-44B40E26A84E: found in cache admin@2p2l.info
[18/Nov/2010 16:20:42][2986651648] {ldapdb} jeff@2p2l.info: Looking up in cache...
[18/Nov/2010 16:20:42][2986651648] {ldapdb} Acquired connection to the LDAP server: "MAIL.2P2L.DOC". Pool slot: 0; Thread ID: 2986651648
[18/Nov/2010 16:20:42][2986651648] {ldapdb} LDAP search request: filter="(&(objectclass=apple-user)(&(uid=jeff))(kerio-Mail-Active=*))", base DN="cn=users,dc=mail,dc=2p2l,dc=doc", scope=2. ThreadId: 2986651648
[18/Nov/2010 16:20:42][2986651648] {ldapdb} Performing LDAP search using no server side controls. Thread Id: 2986651648.
[18/Nov/2010 16:20:42][2986651648] {ldapdb} Result of last LDAP search is 0. Thread Id: 2986651648.
[18/Nov/2010 16:20:42][2986651648] {ldapdb} LDAP search result: (0) "Success". ThreadId: 2986651648
[18/Nov/2010 16:20:42][2986651648] {ldapdb} LDAP search request: filter="(memberUid=jeff)", base DN="cn=groups,dc=mail,dc=2p2l,dc=doc", scope=2. ThreadId: 2986651648
[18/Nov/2010 16:20:42][2986651648] {ldapdb} Performing LDAP search using no server side controls. Thread Id: 2986651648.
[18/Nov/2010 16:20:42][2986651648] {ldapdb} Result of last LDAP search is 0. Thread Id: 2986651648.
[18/Nov/2010 16:20:42][2986651648] {ldapdb} LDAP search result: (0) "Success". ThreadId: 2986651648
[18/Nov/2010 16:20:42][2986651648] {ldapdb} LDAP connection was returned back to pool slot: 0. ThreadId: 2986651648
[18/Nov/2010 16:20:42][2986651648] {auth} Krb5: entering auth (user: jeff@2P2L.INFO)
[18/Nov/2010 16:20:42][2986651648] {auth} Krb5: get init_credspassword(krbtgt/2P2L.INFO@2P2L.INFO, jeff@2P2L.INFO): Cannot resolve network address for KDC in requested realm, error code 0x96c73adc (-1765328164)

Xserve, Mac OS X (10.6.4), Kerio Connect 7.1.2

Posted on Nov 20, 2010 3:40 AM

Reply

Answer 1

Best reply

MrHoffman

Community+ 2024

Level 10

117,115 points

Nov 20, 2010 5:18 AM in response to adm2p2l

I'd tend to order that as "DNS, then OD, then Kerberbos." If DNS isn't correct, then the rest of the stack tends to go wrong.

Based on what you've posted, your DNS looks to be weird. You've got a mix of gandi.net and p2pl.info domains with public IP addresses (and mis-matched forward and reverse DNS), and there are also private IP addresses, which implies you might be seeking to establish a split-horizon DNS configuration.

[Here is some DNS reading|http://labs.hoffmanlabs.com/node/1436], and a link there to public-facing DNS, once the internal stuff is sorted.

You're also going to have issues with mail (if you're looking to run that) as your forward and reverse (public) DNS are mismatched; your forward DNS (domain to address) does not match the reverse (address to domain), which means that receiving mail servers will often consider the arriving traffic likely to be spam.

Reply

Answer 2

adm2p2l Author

Level 1

0 points

Nov 20, 2010 9:49 AM in response to MrHoffman

tnx a lot for the link and your opinion
yes im trying to run a mail server
gandi.net is the registrar where my domain test 2p2l.info is hosted
heres the dns log with the new zone 2p2l.info i created in admin server

zone 2p2l.info/IN/com.apple.ServerAdmin.DNS.public: NS '192.168.165.10.2p2l.info' has no address records (A or AAAA)
something is missing but i dont see

Reply

Answer 3

Nov 21, 2010 2:40 AM in response to adm2p2l

As Mr Hoffman suggest: get the DNS right first.

I think : "NS '192.168.165.10.2p2l.info" suggests that the "NS" record should say "mail.2p2l.info."

It seems the ISP has put the reverse name: "reverse.completel.net" for more than one public IP.

That might still work as the reverse name for your mailserver public IP name : mail.2p2l.info for most recipient mailservers but for some it might not.

Also you seem to have also a different/second internal domain name:

"base DN="cn=users,dc=mail,dc=2p2l,dc=doc" => the kerberos realm is MAIL.2P2L.DOC ?

I guess you can have an alias domainname "2p2l.info" for "2p2l.doc" (?) in Kerio but the Kerio "addressbook" will be populated with <user/group>@2p2l.doc "records"?

Did you set email address in the OD "info" tab on user records?

And what name will the Kerio server present "to the world" for itself?

This mail/OD server use only a private IP on your LAN and use only private IP DNS?

Also if running Kerio on a OD master/replica Kerio LDAP and/or LDAPS services will "overlap" with OD ones if you don't change their portnumbers (or perhaps use OD LDAP at TCP 389 internally and Kerio LDAPS at TCP 636 for public use).

HTH

Reply

Answer 4

adm2p2l Author

Level 1

0 points

Nov 21, 2010 6:33 AM in response to Leif Carlsson

yep 'NS' record should say mail.2p2l.info
As Mr Hoff suggest, i cleaned out all and tried with 2p2l.info in DNS server
but you r right, my ISP has put the reverse name for more than one public IP
the main IP is 83.145.69.170 and we have 213.30.177.24/29 i think..anyway they are using NAT to translate from the 6 block addresses to the main. why it might not work with mail server ? it worx with ftp server in 213.30.177.29
My Kerberos realm is now MAIL.2P2L.INFO, the alias domainname in Kerio has been deleted, email addresses have been set in OD 'info' tab
what do you mean with 'for itself' ? the internet kerio hostname is mail.2p2l.info
2p2l.info is now a domain test for this server and hosted by Gandi.net
the mail/OD server use only a private IP on the LAN and private IP DNS too, just ISP DNS in Settings > Forward
i'd prefer to avoid a split-horizon DNS configuration, my DNS server is not authoritative for the zone anyway, even for the main we r using today
the LDAP Kerio port is 9009 but how to use it with another portnumber ? which settings do i need to change i mean ?
like yu see this is my first mail server config and have til January the first to set it up 😉
have a Sonicwall NSA 2400 behind the ISP router
Regards

Jeff

Reply

Answer 5

Nov 21, 2010 7:47 AM in response to adm2p2l

83.145.69.170 and 213.30.177.24/29 are both public addresses; NAT would be unexpected.

Reply

Answer 6

adm2p2l Author

Level 1

0 points

Nov 21, 2010 9:24 AM in response to MrHoffman

they are working in that way
what are you suggesting ?
tia

Reply

Answer 7

Nov 21, 2010 9:38 AM in response to adm2p2l

I'd expect a public DNS entry to resolve directly to a public IP address, and for NAT to be between a public IP address and a private IP address. Paths between public IP addresses tends to be via IP routing, and not NAT.

The use of NAT is unexpected and (among public IP addresses) rather unusual. Encountering an unusual network configurations lead me to wonder what the particular rationale might be, and what else within the network configuration might be unexpected.

Reply

Answer 8

adm2p2l Author

Level 1

0 points

Nov 23, 2010 9:58 PM in response to MrHoffman

tnx for all
be back soon 😉
REGARDS

Reply

Answer 9

adm2p2l Author

Level 1

0 points

Nov 24, 2010 6:48 AM in response to adm2p2l

[24/Nov/2010 14:47:39][2984005632] {ldapdb} jeff@2p2l.info: Looking up in cache...
[24/Nov/2010 14:47:39][2984005632] {ldapdb} Acquired connection to the LDAP server: "MAIL.2P2L.INFO". Pool slot: 0; Thread ID: 2984005632
[24/Nov/2010 14:47:39][2984005632] {ldapdb} LDAP search request: filter="(&(objectclass=apple-user)(&(uid=jeff))(kerio-Mail-Active=*))", base DN="cn=users,dc=mail,dc=2p2l,dc=info", scope=2. ThreadId: 2984005632
[24/Nov/2010 14:47:39][2984005632] {ldapdb} Performing LDAP search using no server side controls. Thread Id: 2984005632.
[24/Nov/2010 14:47:39][2984005632] {ldapdb} Result of last LDAP search is 0. Thread Id: 2984005632.
[24/Nov/2010 14:47:39][2984005632] {ldapdb} LDAP search result: (0) "Success". ThreadId: 2984005632
[24/Nov/2010 14:47:39][2984005632] {ldapdb} LDAP search request: filter="(memberUid=jeff)", base DN="cn=groups,dc=mail,dc=2p2l,dc=info", scope=2. ThreadId: 2984005632
[24/Nov/2010 14:47:39][2984005632] {ldapdb} Performing LDAP search using no server side controls. Thread Id: 2984005632.
[24/Nov/2010 14:47:39][2984005632] {ldapdb} Result of last LDAP search is 0. Thread Id: 2984005632.
[24/Nov/2010 14:47:39][2984005632] {ldapdb} LDAP search result: (0) "Success". ThreadId: 2984005632
[24/Nov/2010 14:47:39][2984005632] {ldapdb} LDAP connection was returned back to pool slot: 0. ThreadId: 2984005632
[24/Nov/2010 14:47:39][2984005632] {auth} Krb5: entering auth (user: jeff@2P2L.INFO)
[24/Nov/2010 14:47:39][2984005632] {auth} Krb5: user jeff@2P2L.INFO authenticated.

[24/Nov/2010 14:47:49][2985062400] {dns} Searching cache for MX records for host 2p2l.com
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sending email to SMTP server relay1.completel.fr, delivering mail from <jeff@2p2l.info>
[24/Nov/2010 14:47:49][2985062400] {dns} Searching cache for A records for host relay1.completel.fr
[24/Nov/2010 14:47:49][2985062400] {smtpc} Connecting to 213.245.2.2 (relay1.completel.fr)...
[24/Nov/2010 14:47:49][2985062400] {smtpc} Connected to relay1.completel.fr
[24/Nov/2010 14:47:49][2985062400] {smtpc} Received greeting: 220 mx8.cptl.sdv.fr ESMTP Postfix
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sending EHLO
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sent MAIL command
[24/Nov/2010 14:47:49][2985062400] {smtpc} Got reply: 250 2.1.0 Ok
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sent RCPT TO: <jeff@2p2l.com>
[24/Nov/2010 14:47:49][2985062400] {smtpc} Got reply: 550 5.1.8 <jeff@2p2l.info>: Sender address rejected: Domain not found
[24/Nov/2010 14:47:49][2985062400] {smtpc} Recipient <jeff@2p2l.com> not accepted: 550 5.1.8 <jeff@2p2l.info>: Sender address rejected: Domain not found
[24/Nov/2010 14:47:49][2985062400] {smtpc} No recipient succeeded
[24/Nov/2010 14:47:49][2985062400] {smtpc} QUIT sent, got reply: 221 2.0.0 Bye
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sending email to SMTP server relay2.completel.fr, delivering mail from <jeff@2p2l.info>
[24/Nov/2010 14:47:49][2985062400] {dns} Searching cache for A records for host relay2.completel.fr
[24/Nov/2010 14:47:49][2985062400] {smtpc} Connecting to 213.245.2.2 (relay2.completel.fr)...
[24/Nov/2010 14:47:49][2985062400] {smtpc} Connected to relay2.completel.fr
[24/Nov/2010 14:47:49][2985062400] {smtpc} Received greeting: 220 mx7.cptl.sdv.fr ESMTP Postfix
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sending EHLO
[24/Nov/2010 14:47:49][2985062400] {smtpc} Sent MAIL command
[24/Nov/2010 14:47:49][2985062400] {smtpc} Got reply: 250 2.1.0 Ok
[24/Nov/2010 14:47:49][2985062400] {smtpc} No recipient succeeded
[24/Nov/2010 14:47:49][2985062400] {smtpc} QUIT sent, got reply: 221 2.0.0 Bye

whats just missing ?
tia

Jeff

Reply

Answer 10

Nov 26, 2010 11:20 AM in response to adm2p2l

Where'd that "2p2l.com" domain come from with the receipt, and all the mismatched clara.net and competel.fr and related baggage? That response got as far as the relay2.completel.fr mail server, and got rejected. Looks like a similar mail configuration issue (possibly a virtual domain set-up error?), but over on that mail server.

Reply

Answer 11

adm2p2l Author

Level 1

0 points

Nov 26, 2010 3:01 PM in response to MrHoffman

i had to modify DNS reverse at my ISP.
it worx now !!!!
tnx again
Jeff

Reply