FQDN needed by sasl_gss_client_step or gss_import_name?

Dave Snoopy kingsnoopy7 at yahoo.com
Thu May 16 19:40:47 EDT 2002


I am using OpenLDAP's ldapsearch tool, in conjunction
with Cyrus SASL and MIT Kerberos 5. The tool allows me
to do LDAP queries against a Microsoft PDC, assuming
that I have first obtained the ticket from the
Microsoft KDC. It works great, except for one
problem...

My DNS server has two entries for my PDC/KDC. The two
entries are:
   gem-pdc.gem.company.com  -> 192.168.10.87
   gem-pdc  -> 192.168.10.87

A reverse DNS lookup on the IP will return either of
the host names.

I guess that either SASL or Kerberos does a reverse
DNS lookup based on the IP. When the non-FQDN host
name is returned, my LDAP/SASL/Kerberos gives the
following error:

 added plugin '/usr/lib/sasl/libgssapiv2.so'
 mech list from server is GSSAPI GSS-SPNEGO
 Considering mech GSSAPI
 Best mech so far: GSSAPI
 Considering mech GSS-SPNEGO
 sasl_gss_client_step: AUTHNEG
 Trying to get userid
 SASL/GSSAPI authentication started
 sasl_gss_client_step: AUTHNEG
 Trying to get userid
 Userid: -C
 name: ldap at gem-pdc
 ldap_sasl_interactive_bind_s: Local error

I traced down the error to the Kerberos function
"gss_import_name", which is being called from the SASL
function sasl_gss_client_step. This problem only
happens when the non-FQDN KDC name is returned from
DNS. Is this a Kerberos or SASL problem? Does anyone
know how to resolve it (without changing my DNS)?

Thanks,
Dave
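As an added illustration (not code from the post, nor from Cyrus SASL or MIT Kerberos), here is a small Python model of how a client derives the GSSAPI target name from the KDC's address. The naive version reproduces the "name: ldap at gem-pdc" line in the trace; the checked version accepts a reverse-DNS answer only if it is fully qualified and forward-resolves back to the same address. The DNS tables are constructed from the two records in the post.

```python
# Constructed resolver tables standing in for the poster's DNS zone,
# so the example runs offline. Real code would call the resolver.
FORWARD = {
    "gem-pdc.gem.company.com": "192.168.10.87",
    "gem-pdc": "192.168.10.87",
}
# The PTR lookup for the KDC address may answer with either name,
# and the short one happens to come back first here.
REVERSE = {
    "192.168.10.87": ["gem-pdc", "gem-pdc.gem.company.com"],
}


def is_fqdn(name):
    """Treat a name as fully qualified only if it carries a domain part."""
    return "." in name.rstrip(".")


def naive_service_name(service, host, forward=FORWARD, reverse=REVERSE):
    """What the trace shows: the first PTR answer is used unchecked."""
    addr = forward[host]
    return f"{service}@{reverse[addr][0]}"


def canonical_service_name(service, host, forward=FORWARD, reverse=REVERSE):
    """Build 'service@fqdn' from reverse DNS, but only from a trustworthy name.

    A PTR candidate is accepted if it is fully qualified AND its own A record
    points back at the same address (forward-confirmed reverse DNS). If no
    candidate qualifies, fall back to the caller's name when that is itself
    an FQDN; otherwise raise rather than silently build a short-name target.
    """
    addr = forward.get(host)
    if addr is None:
        raise ValueError(f"cannot resolve {host}")
    candidates = reverse.get(addr, [])
    for cand in candidates:
        if is_fqdn(cand) and forward.get(cand) == addr:
            return f"{service}@{cand}"
    if is_fqdn(host):
        return f"{service}@{host}"
    raise ValueError(
        f"no fully qualified name for {host} ({addr}); "
        f"reverse DNS offered {candidates}"
    )
```

The same class of problem is why later MIT krb5 releases let the administrator turn reverse-DNS canonicalization off with `rdns = false` in the `[libdefaults]` section of krb5.conf.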




