Strange LDAP and/or Kerberos problem

I'm on the quest to create a shared address book on my Tiger Server(DNS master, OD master, KDC). Currently I have set it up so that clients can search the OD users in their local Address Book.app and get info about other users. Next step for me would be to create a group of contacts on the server, not OD users, just contacts, using the command line or maybe the nice little app AddressBookXLDAP. Here is where the trouble starts. When I try to do an ldapsearch or ldapadd command I get an error:
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)

The KDC log says:
my.correct.fqdn krb5kdc[297](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xxx.xxx.xxx: UNKNOWN_SERVER: authtime 1174232886, me@MY.CORRECT.FQDN. for krbtgt/CORRECT.FQDN.@MY.CORRECT.FQDN., Server not found in Kerberos database

This situation repeats no matter if I try from the server itself (ssh) or from my local machine. The only change is the IP address. DNS should be ok.. both forward and reverse, although 'dig IP' fails. 'dig -x IP' works which keeps me happy. Any help will be greatly appreciated.

Xserve G4 Mac OS X (10.4.8)

Posted on Mar 18, 2007 9:44 AM


Mar 19, 2007 11:48 AM in response to Ivailo Djilianov

Hi Ivailo

This situation repeats no matter if I try from the
server itself (ssh) or from my local machine. The
only change is the IP address. DNS should be ok..
both forward and reverse, although 'dig IP' fails.
'dig -x IP' works which keeps me happy. Any help will
be greatly appreciated.


If DNS is configured correctly then dig should never fail. What happens when you run host? For example launch terminal on your server and key in:

host [your server fqdn]
[your server fqdn] has address [your server IP address]
host [your server IP address]
[your server IP address].in-addr.arpa domain name pointer host [your server IP address].in-addr.[domain name]

The brackets are intended as a guide. Make sure the Server’s own IP address is in the DNS server field in the Network Preference Pane of your Server.

If you are not seeing something like the above, especially the in-addr.arpa domain name pointer bit, which maps the fqdn to the IP address of your Server, then DNS is not working properly. This would explain the log entry stating that the ‘Server is not found in Kerberos database’.

When promoting from Standalone to Open Directory Master you will be prompted to create the Directory Administrator account. Along with the account – and if DNS is configured and working correctly – you should see the Kerberos Realm field already filled in with the fqdn of your server in capitalized form. The search base should also be filled in for you. If you only see one of these and have to fill in some of the details by hand then you will be experiencing login problems sooner rather than later.

I know you know but I’ll mention it anyway, you should not be configuring DNS Service using the .local name.

Hope this helps.
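
The reply above ties the Kerberos error to forward/reverse DNS agreeing with each other. The following Python model, added here as an illustration and not code from this thread or from Apple, shows why: a GSSAPI client builds the service principal name from the canonicalized hostname, and the KDC can only issue a ticket for a principal it actually holds. Assumed and simplified behaviour (not taken from the thread): the hostname is canonicalized through an A lookup and then a PTR lookup, the PTR target is used exactly as returned, and a host with no domain-to-realm mapping falls back to its domain part, uppercased, as its realm. The server name od.example.test, realm OD.EXAMPLE.TEST, DNS records and KDC principal list are all constructed sample data.

```python
"""Model of how a Kerberos client turns a server name into the service
principal it asks the KDC for, and how a DNS inconsistency surfaces as
UNKNOWN_SERVER ("Server not found in Kerberos database").

Added illustration, not code from the thread.  Assumed (simplified)
client behaviour: forward (A) lookup, then reverse (PTR) lookup, PTR
target used verbatim, and an unmapped host's realm is its domain part
uppercased.  All names, records and principals below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dns:
    forward: dict   # name -> IPv4 address (A records)
    reverse: dict   # IPv4 address -> PTR target, exactly as the resolver returns it


# Constructed OD-master layout: the realm is the server's own fqdn, uppercased.
SERVER = "od.example.test"
REALM = "OD.EXAMPLE.TEST"
DOMAIN_REALM = {SERVER: REALM, ".example.test": REALM}   # assumed [domain_realm] mapping
KDC_DB = {                                               # constructed KDC principal list
    f"krbtgt/{REALM}@{REALM}",
    f"ldap/{SERVER}@{REALM}",
    f"host/{SERVER}@{REALM}",
}


def canonical_hostname(name, dns, rdns=True):
    """Forward-resolve the name, then (if rdns) replace it by its PTR target."""
    name = name.lower()
    ip = dns.forward.get(name.rstrip("."))
    if ip is None:
        raise LookupError(f"no A record for {name}")
    if not rdns:
        return name.rstrip(".")
    ptr = dns.reverse.get(ip)
    if ptr is None:
        raise LookupError(f"no PTR record for {ip}")
    return ptr.lower()      # assumption: used verbatim, trailing dot included


def realm_for_host(host, domain_realm):
    """Exact host, then longest parent-domain suffix; else the domain part uppercased."""
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()


def service_principal(service, host, dns, domain_realm, rdns=True):
    """service/<canonical host>@<realm>, as the client will name it in the TGS-REQ."""
    canon = canonical_hostname(host, dns, rdns)
    return f"{service}/{canon}@{realm_for_host(canon, domain_realm)}"


def tgs_lookup(principal, client_realm, kdc_db):
    """What the KDC is asked for: the service itself if it is in the client's
    realm, otherwise a cross-realm TGT krbtgt/<service realm>@<client realm>."""
    _, svc_realm = principal.rsplit("@", 1)
    wanted = principal if svc_realm == client_realm else f"krbtgt/{svc_realm}@{client_realm}"
    return ("OK" if wanted in kdc_db else "UNKNOWN_SERVER", wanted)


def diagnose_ldap_bind(dns, rdns=True):
    """Outcome of a GSSAPI ldapsearch against SERVER under the given DNS data."""
    return tgs_lookup(service_principal("ldap", SERVER, dns, DOMAIN_REALM, rdns), REALM, KDC_DB)


# Three constructed DNS states for the same server.
DNS_CONSISTENT = Dns({SERVER: "192.0.2.10"}, {"192.0.2.10": "od.example.test"})
DNS_TRAILING_DOT = Dns({SERVER: "192.0.2.10"}, {"192.0.2.10": "od.example.test."})
DNS_WRONG_PTR = Dns({SERVER: "192.0.2.10"}, {"192.0.2.10": "mail.example.test"})

if __name__ == "__main__":
    cases = [("consistent", DNS_CONSISTENT), ("trailing dot", DNS_TRAILING_DOT), ("wrong PTR", DNS_WRONG_PTR)]
    for label, dns in cases:
        print(f"{label:13}", *diagnose_ldap_bind(dns))
```

The "trailing dot" case is the one worth pausing on: a PTR target that is not normalized leaves the client with a realm of EXAMPLE.TEST. (dot included), so it asks its own KDC for a cross-realm krbtgt/EXAMPLE.TEST.@OD.EXAMPLE.TEST, which does not exist. The "wrong PTR" case produces a same-realm principal the KDC has never heard of. In both cases the only fix is on the DNS side: the pair of host lookups suggested above must return a name that exactly matches the one the KDC's ldap/ and host/ principals were created for.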

Mar 19, 2007 11:43 PM in response to Antonio Rocco

Antonio, Thanks for your input.
host FQDN returns correct ip; host ip returns:
[reverse-ip].in-addr.arpa domain name pointer FQDN
It is a bit different than what you suggest, but my guess is that it is still ok. This host is master for 2 zones (alive and working), with one more coming soon. Again, I have no trouble with clients authenticating. It is only when I do ldapsearch or ldapadd that I see the strange UNKNOWN_SERVER errors. 😟

Mar 20, 2007 1:06 AM in response to Ivailo Djilianov

I'm not sure if it is relevant, but I get the exact same error when trying to ssh from my local machine using SSO:
kinit user@server
ssh server.fqdn
debug1: Connection established.
...
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5
debug1: Miscellaneous failure
Server not found in Kerberos database

Mar 20, 2007 1:44 AM in response to Ivailo Djilianov

Here is where
the trouble starts. When I try to do an ldapsearch or
ldapadd command I get an error:
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure:
GSSAPI Error: Miscellaneous failure (Server not
found in Kerberos database)


It is trying to authenticate via the strongest auth mechanism that server and client support, which is kerberos. From the error code it might be that your server is partially missing some kerberos auth pieces. You could investigate this area.

Or you could force the ldapadd/ldapmodify commands to use another SASL auth method instead of kerb via the following cli switches:
-U user -W -Y CRAM-MD5
-W := prompt for password
-Y := requested SASL auth method
-U := user name

HTH

-Ralph

Mar 20, 2007 8:34 AM in response to Antonio Rocco

Guys, up until now I've only found one working solution for my shared address book and that is to import an .ldif file from the CLI. ABXLDAP is not working which is bad, because I was willing to give the author 15 pounds for the shareware site license, set it up and forget about it. If you have a better idea, please suggest. I can even post another thread so you can get...another 10 points [grin] and a beer, if you come to Bulgaria!
