RE: SASL authentication
- From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@xxxxxxxxxxxxx>
- Date: Tue, 24 Mar 2009 17:21:44 +0800
-----Original Message-----
From: kerberos-bounces@xxxxxxx
[mailto:kerberos-bounces@xxxxxxx] On Behalf Of Michael Ströder
Sent: Tuesday, March 24, 2009 3:22 AM
To: kerberos@xxxxxxx
Subject: Re: SASL authentication
Use nslookup.exe on host name and IP address. They must match.
Thanks, Michael! Using nslookup in the client Linux box, I found the reason why there is no outward LDAP traffic. The LDAP server (AD in Windows 2003 Server), as I said, is the primary domain controller of its own domain. It is also the DNS server in its own domain. I didn't recognize that this DNS server is not in the nameserver list of the client machine. No wonder it cannot resolve the name. Now it is added into the file "/etc/resolv.conf":
==========================================================
search sgp.fujixerox.com sesswin2003.com /* sesswin2003.com is the domain name of the AD server */
nameserver 13.198.8.83
nameserver 13.198.96.10
nameserver 13.198.98.35 /* This is the IP Address of the domain controller with its FQDN as sesswin2003.sesswin2003.com */
==========================================================
But strangely, with this file modified, "nslookup sesswin2003" still fails. To my surprise, even in the AD itself, this command fails. So I suspect DNS in the AD is not running properly. Could you tell me where to look in the AD to fix the DNS issue?
[libdefaults]
default_realm = durian.fujixerox.com
[..]
In this configuration file, "durian" is the hostname of the client
machine. Is there anything wrong with it?
I'm confused. Why do you put durian.fujixerox.com here?
default_realm MUST point to a Kerberos realm. In a MS AD
environment this is simply the upper-case DNS domain name of
the AD domain.
durian is the hostname of the client Linux box. fujixerox.com is the domain name in which the client lies.
Yes, I also feel this is a strange setting. durian.fujixerox.com is the FQDN of the client, not a domain name.
But since it has nothing to do with the LDAP traffic, I don't want to change it now.
[realms]
SESSWIN2003.COM = {
kdc = 13.198.98.35:88
Is that the IP address of your AD domain controller? Is
SESSWIN2003.COM your AD domain?
Yes, this is the IP address of the AD domain controller. And Yes again, SESSWIN2003.COM is my AD domain.
durian.fujixerox.com = {
kdc = kerberos.durian.fujixerox.com:88
admin_server = kerberos.durian.fujixerox.com:749 }
Likely you should remove that.
You should try to find a working setup with AD using your
favourite search engine. Please read a little bit more what
the different parameters really mean.
Thanks a lot,
Xu Qiang
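The two problems discussed in this thread (a client host whose forward and reverse DNS do not agree, and a krb5.conf whose default_realm names a client FQDN instead of the upper-case AD realm) can both be caught before any SASL/GSSAPI bind is attempted. The script below is an added example written for this archive page, not code from either correspondent. It carries a minimal krb5.conf parser (sections, key = value lines, and REALM = { ... } blocks) and a forward/reverse DNS consistency check whose resolver functions are injected, so the constructed sample records and sample krb5.conf text embedded here run offline; the realm, host names and 192.0.2.x addresses are constructed placeholders, not values from the thread.

```python
"""Pre-flight checks for a Kerberos/SASL client in an AD domain (added example).

1. dns_matches():     forward-resolve a host, reverse-resolve the address, and
                      require the two names to agree (the nslookup advice above).
2. check_krb5_conf(): default_realm must be upper-case and have a [realms]
                      stanza with a kdc; a lower-case [realms] entry is usually a
                      hostname mistaken for a realm.
"""
import re
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample: mirrors the shape of the mis-configured file in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = client.example.com

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
    }
    client.example.com = {
        kdc = kerberos.client.example.com:88
        admin_server = kerberos.client.example.com:749 }
"""

# Constructed sample: what the corrected file should look like.
FIXED_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
    }
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf parser: [section], key = value, NAME = { ... } blocks."""
    sections: Dict[str, dict] = {}
    stack: List[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        close_after = False
        if line.endswith("}"):            # tolerate "key = value }" on one line
            line, close_after = line[:-1].strip(), True
        m = re.match(r"^(\S+)\s*=\s*\{$", line)   # block open must be tested first
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
        if close_after:
            stack.pop()
    return sections


def check_krb5_conf(sections: Dict[str, dict]) -> List[str]:
    """Return a list of problems; an empty list means the realm setup is sane."""
    problems: List[str] = []
    realm = sections.get("libdefaults", {}).get("default_realm")
    realms = sections.get("realms", {})
    if realm is None:
        return ["[libdefaults] has no default_realm"]
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} is not upper-case; an AD realm is the upper-cased DNS domain")
    if realm not in realms:
        problems.append(f"default_realm {realm!r} has no [realms] stanza")
    elif "kdc" not in realms[realm]:
        problems.append(f"[realms] stanza {realm!r} has no kdc entry")
    for name in realms:
        if name != name.upper():
            problems.append(f"[realms] entry {name!r} is not upper-case (a hostname instead of a realm?)")
    return problems


def dns_matches(host: str, forward: Callable[[str], str], reverse: Callable[[str], str]) -> Tuple[bool, str]:
    """Forward then reverse resolve; names are compared case-insensitively without trailing dot."""
    try:
        addr = forward(host)
    except OSError as exc:
        return False, f"{host}: forward lookup failed ({exc})"
    try:
        ptr = reverse(addr)
    except OSError as exc:
        return False, f"{addr}: reverse lookup failed ({exc})"
    if ptr.lower().rstrip(".") != host.lower().rstrip("."):
        return False, f"{host} -> {addr} -> {ptr}: forward and reverse names differ"
    return True, f"{host} -> {addr} -> {ptr}: consistent"


# Constructed DNS records (RFC 5737 documentation addresses), not real hosts.
CONSTRUCTED_A = {"dc1.example.com": "192.0.2.10", "badhost.example.com": "192.0.2.20"}
CONSTRUCTED_PTR = {"192.0.2.10": "dc1.example.com", "192.0.2.20": "other.example.com"}


def fake_forward(host: str) -> str:
    if host not in CONSTRUCTED_A:
        raise socket.gaierror(f"no A record for {host}")
    return CONSTRUCTED_A[host]


def fake_reverse(addr: str) -> str:
    if addr not in CONSTRUCTED_PTR:
        raise socket.herror(f"no PTR record for {addr}")
    return CONSTRUCTED_PTR[addr]


if __name__ == "__main__":
    for host in ("dc1.example.com", "badhost.example.com", "missing.example.com"):
        print(dns_matches(host, fake_forward, fake_reverse)[1])
    print("sample krb5.conf:", check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)) or "ok")
    print("fixed  krb5.conf:", check_krb5_conf(parse_krb5_conf(FIXED_KRB5_CONF)) or "ok")
```

To run the DNS check against the live system resolver instead of the constructed records, pass `socket.gethostbyname` as `forward` and `lambda a: socket.gethostbyaddr(a)[0]` as `reverse`; a mismatch there is the same condition that makes a GSSAPI/SASL bind fail even though /etc/resolv.conf looks right.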