I am trying to use an LDAP query with SASL/GSSAPI against AD where the AD hostname
resolves to a list of IP addresses.

-bash-3.00$ /usr/sbin/nslookup rr.windows2003.home
Server: 192.168.1.5
Address: 192.168.1.5#53

Name: rr.windows2003.home
Address: 192.168.1.50
Name: rr.windows2003.home
Address: 192.168.1.5

On OpenSolaris and Solaris 10 it doesn't work with the native ldapsearch. A
trace shows that the client tries to get a TGS for ldap/rr.windows2003.home.

-bash-3.00$ ldapsearch -h rr.windows2003.home -omech=GSSAPI -oauthzid="" -s
sub -b DC=WINDOWS2003,DC=HOME "samaccountname=markus"
ldap_sasl_interactive_bind_s: Local error

On OpenSuse with OpenLDAP I get the below, and the client requests a TGS for
ldap/w2k3.windows2003.home, which is the reverse lookup of both 192.168.1.5
and 192.168.1.50 (for testing only). So it is a canonicalization issue. Is
there a switch to enable canonicalization in GSSAPI on Solaris 10 and
OpenSolaris?

ldapsearch -h rr.windows2003.home -Y GSSAPI -s sub -b
DC=WINDOWS2003,DC=HOME "samaccountname=markus"
SASL/GSSAPI authentication started
SASL username: markus@WINDOWS2003.HOME
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: samaccountname=markus
# requesting: ALL
#

# Markus Moeller, Users, windows2003.home
dn: CN=Markus Moeller,CN=Users,DC=windows2003,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Markus Moeller
sn: Moeller
givenName: Markus
distinguishedName: CN=Markus Moeller,CN=Users,DC=windows2003,DC=home
instanceType: 4
whenCreated: 20060914233331.0Z
whenChanged: 20070330221032.0Z
displayName: Markus Moeller
uSNCreated: 16390
info: CN=WINXP,CN=Computers,DC=windows2003,DC=home
uSNChanged: 98532
name: Markus Moeller
objectGUID:: +JbAPYdvKEC+DSQOI7/ryA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 128204504634531250
lastLogoff: 0
lastLogon: 128204509603750000
pwdLastSet: 128027504120937500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAZf8Zmz+anycshW81UgQAAA==
accountExpires: 9223372036854775807
logonCount: 79
sAMAccountName: markus
sAMAccountType: 805306368
userPrincipalName: huaraz@moeller.plus.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=windows2003,DC=home
dSCorePropagationData: 20070331192913.0Z
dSCorePropagationData: 20070331192745.0Z
dSCorePropagationData: 20061008202321.0Z
dSCorePropagationData: 20061008202049.0Z
dSCorePropagationData: 16010714223649.0Z
lastLogonTimestamp: 128197662324531250
mail: huaraz@moeller.plus.com

# search reference
ref:
ldap://ForestDnsZones.windows2003.home/DC=ForestDnsZones,DC=windows2003,D
C=home

# search reference
ref:
ldap://DomainDnsZones.windows2003.home/DC=DomainDnsZones,DC=windows2003,D
C=home

# search reference
ref: ldap://windows2003.home/CN=Configuration,DC=windows2003,DC=home

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3


Thank you
Markus
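As an added illustration (not part of the original post or of any of the tools it mentions), the following Python script simulates the step that differs between the two clients above: how a GSSAPI client turns the hostname given on the command line into the service principal it asks the KDC for. With reverse-DNS canonicalization, the client resolves the name to an address and maps the address back to a name before building `ldap/<host>@REALM`; without it, the literal hostname is used. The DNS tables are constructed from the nslookup output in the post, the reverse entries and the set of SPNs registered on the domain controller's computer account are assumptions, and the resolution logic is a simplified model of the behaviour MIT Kerberos controls with the `rdns` setting in `[libdefaults]`, not a copy of any library's code.

```python
"""Model of service-principal canonicalization for a GSSAPI LDAP bind.

Constructed data: the forward records mirror the nslookup output in the
post (rr.windows2003.home is a round-robin name for two addresses); the
reverse records and the registered SPN list are assumptions chosen to
reproduce the symptom described.
"""

REALM = "WINDOWS2003.HOME"

# Forward DNS: name -> list of addresses (constructed from the post).
FORWARD = {
    "rr.windows2003.home": ["192.168.1.50", "192.168.1.5"],
    "w2k3.windows2003.home": ["192.168.1.5"],          # assumption
}

# Reverse DNS: address -> canonical name (assumption, as the post says both
# addresses were pointed at the DC's real name for testing).
REVERSE = {
    "192.168.1.5": "w2k3.windows2003.home",
    "192.168.1.50": "w2k3.windows2003.home",
}

# SPNs assumed to be registered on the DC's computer account. AD registers
# ldap/<dc-fqdn> automatically; a round-robin alias is not registered unless
# an administrator adds it by hand.
REGISTERED_SPNS = {
    "ldap/w2k3.windows2003.home",
    "ldap/w2k3.windows2003.home/windows2003.home",
}


def canonicalize_host(hostname, rdns=True, forward=FORWARD, reverse=REVERSE):
    """Return the host component the client will put into the principal.

    Simplified model: resolve the name forward; if reverse canonicalization
    is enabled, map the first returned address back to its PTR name.
    """
    host = hostname.rstrip(".").lower()
    addrs = forward.get(host)
    if not addrs:
        raise LookupError(f"cannot resolve {hostname}")
    if rdns:
        # Fall back to the forward name if no PTR record exists.
        return reverse.get(addrs[0], host)
    return host


def service_principal(service, hostname, realm=REALM, rdns=True):
    """Build service/host@REALM exactly as the TGS request would name it."""
    return f"{service}/{canonicalize_host(hostname, rdns=rdns)}@{realm}"


def spn_is_registered(principal, registered=REGISTERED_SPNS):
    """True if the KDC could issue a ticket for this principal, i.e. the
    SPN (principal without the realm) exists on some account."""
    spn = principal.split("@", 1)[0]
    return spn in registered


def diagnose(hostname, service="ldap"):
    """Compare both canonicalization modes for one hostname; returns a dict
    mapping mode -> (principal requested, whether it is registered)."""
    result = {}
    for mode, rdns in (("rdns", True), ("no-rdns", False)):
        princ = service_principal(service, hostname, rdns=rdns)
        result[mode] = (princ, spn_is_registered(princ))
    return result


if __name__ == "__main__":
    for mode, (princ, ok) in diagnose("rr.windows2003.home").items():
        status = "registered" if ok else "NOT registered -> bind fails"
        print(f"{mode:8s} requests TGS for {princ}: {status}")
```

Run stand-alone, the script shows the round-robin name producing a registered principal only in the reverse-canonicalizing mode, which is the difference between the two ldapsearch results in the post. The defensive alternative to relying on reverse DNS is to register `ldap/rr.windows2003.home` as an additional SPN on the DC's computer account, so that the literal name also yields a ticket.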



________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos