I am trying to use an LDAP query with SASL/GSSAPI against AD where the AD hostname resolves to a list of IP addresses.

  -bash-3.00$ /usr/sbin/nslookup rr.windows2003.home
  Server:         192.168.1.5
  Address:        192.168.1.5#53

  Name:   rr.windows2003.home
  Address: 192.168.1.50
  Name:   rr.windows2003.home
  Address: 192.168.1.5

On OpenSolaris and Solaris 10 it doesn't work with the native ldapsearch. A trace shows that the client tries to get a TGS for ldap/rr.windows2003.home.

  -bash-3.00$ ldapsearch -h rr.windows2003.home -omech=GSSAPI -oauthzid="" -s sub -b DC=WINDOWS2003,DC=HOME "samaccountname=markus"
  ldap_sasl_interactive_bind_s: Local error

On openSUSE with OpenLDAP I get the output below, and the client requests a TGS for ldap/w2k3.windows2003.home, which is the reverse lookup of both 192.168.1.5 and 192.168.1.50 (for testing only). So it is a canonicalization issue. Is there a switch to enable canonicalization in GSSAPI on Solaris 10 and OpenSolaris?

  ldapsearch -h rr.windows2003.home -Y GSSAPI -s sub -b DC=WINDOWS2003,DC=HOME "samaccountname=markus"
  SASL/GSSAPI authentication started
  SASL username: [EMAIL PROTECTED]
  SASL SSF: 0
  # extended LDIF
  #
  # LDAPv3
  # base <DC=WINDOWS2003,DC=HOME> with scope subtree
  # filter: samaccountname=markus
  # requesting: ALL
  #

  # Markus Moeller, Users, windows2003.home
  dn: CN=Markus Moeller,CN=Users,DC=windows2003,DC=home
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  cn: Markus Moeller
  sn: Moeller
  givenName: Markus
  distinguishedName: CN=Markus Moeller,CN=Users,DC=windows2003,DC=home
  instanceType: 4
  whenCreated: 20060914233331.0Z
  whenChanged: 20070330221032.0Z
  displayName: Markus Moeller
  uSNCreated: 16390
  info: CN=WINXP,CN=Computers,DC=windows2003,DC=home
  uSNChanged: 98532
  name: Markus Moeller
  objectGUID:: +JbAPYdvKEC+DSQOI7/ryA==
  userAccountControl: 66048
  badPwdCount: 0
  codePage: 0
  countryCode: 0
  badPasswordTime: 128204504634531250
  lastLogoff: 0
  lastLogon: 128204509603750000
  pwdLastSet: 128027504120937500
  primaryGroupID: 513
  objectSid:: AQUAAAAAAAUVAAAAZf8Zmz+anycshW81UgQAAA==
  accountExpires: 9223372036854775807
  logonCount: 79
  sAMAccountName: markus
  sAMAccountType: 805306368
  userPrincipalName: [EMAIL PROTECTED]
  objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=windows2003,DC=home
  dSCorePropagationData: 20070331192913.0Z
  dSCorePropagationData: 20070331192745.0Z
  dSCorePropagationData: 20061008202321.0Z
  dSCorePropagationData: 20061008202049.0Z
  dSCorePropagationData: 16010714223649.0Z
  lastLogonTimestamp: 128197662324531250
  mail: [EMAIL PROTECTED]

  # search reference
  ref: ldap://ForestDnsZones.windows2003.home/DC=ForestDnsZones,DC=windows2003,DC=home

  # search reference
  ref: ldap://DomainDnsZones.windows2003.home/DC=DomainDnsZones,DC=windows2003,DC=home

  # search reference
  ref: ldap://windows2003.home/CN=Configuration,DC=windows2003,DC=home

  # search result
  search: 4
  result: 0 Success

  # numResponses: 5
  # numEntries: 1
  # numReferences: 3

Thank you
Markus
________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
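The two behaviours described in the post (Solaris requesting a TGS for ldap/rr.windows2003.home, OpenLDAP requesting one for ldap/w2k3.windows2003.home) come down to whether the GSSAPI client canonicalizes the host name through reverse DNS before building the service principal. The following added example (not from the post or from any of the tools mentioned) models that step with constructed forward and PTR tables mirroring the addresses in the message; REGISTERED_SPNS is an assumption about which SPN the domain controller holds.

```python
# Constructed DNS tables mirroring the post: the round-robin name resolves to
# two addresses whose PTR records both point at the DC's real host name.
FORWARD = {
    "rr.windows2003.home": ["192.168.1.50", "192.168.1.5"],
    "w2k3.windows2003.home": ["192.168.1.5"],
}
REVERSE = {
    "192.168.1.5": "w2k3.windows2003.home",
    "192.168.1.50": "w2k3.windows2003.home",
}
# Assumption: AD registered the LDAP SPN only under the DC's own host name,
# which is consistent with the bind succeeding for w2k3 but not for rr.
REGISTERED_SPNS = {"ldap/w2k3.windows2003.home@WINDOWS2003.HOME"}


def canonical_host(host, forward=FORWARD, reverse=REVERSE, rdns=True):
    """Derive the host part of the service principal a GSSAPI client will ask for.

    With rdns=False the name is used as typed (the Solaris behaviour in the
    post).  With rdns=True the client resolves the name and substitutes the PTR
    name of the address(es) it got back (the OpenLDAP behaviour in the post).
    """
    host = host.rstrip(".").lower()
    addrs = forward.get(host)
    if addrs is None:
        raise LookupError(f"no A record for {host}")
    if not rdns:
        return host
    # A round-robin name may hand out addresses in any order, so every PTR must
    # agree; otherwise the principal depends on which address came back first.
    # Note that the PTR answer is unauthenticated DNS data choosing the target
    # principal, which is the usual argument for registering an SPN for every
    # name clients actually use instead of relying on reverse lookups.
    names = {reverse.get(a, a) for a in addrs}
    if len(names) != 1:
        raise LookupError(f"inconsistent PTR records for {host}: {sorted(names)}")
    return names.pop()


def service_principal(host, realm, service="ldap", rdns=True):
    """Build the service/host@REALM principal the client requests a TGS for."""
    return f"{service}/{canonical_host(host, rdns=rdns)}@{realm}"


def would_bind(host, realm, registered=REGISTERED_SPNS, rdns=True):
    """True when the principal the client derives is one the KDC can issue."""
    return service_principal(host, realm, rdns=rdns) in registered
```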
