FQDN needed by sasl_gss_client_step or gss_import_name?

Steve Langasek vorlon at dodds.net
Thu May 16 22:12:47 EDT 2002


On Thu, May 16, 2002 at 04:40:47PM -0700, Dave Snoopy wrote:
> I am using OpenLDAP's ldapsearch tool, in conjunction
> with Cyrus SASL and MIT Kerberos 5. The tool allows me
> to do LDAP queries against a Microsoft PDC, assuming
> that I have first obtained the ticket from the
> Microsoft KDC. It works great, except for one
> problem...

> My DNS server has two entries for my PDC/KDC. The two
> entries are:
>    gem-pdc.gem.company.com  -> 192.168.10.87
>    gem-pdc  -> 192.168.10.87

> A reverse DNS lookup on the IP will return either of
> the host names.

> I guess that either SASL or Kerberos does a reverse
> DNS lookup based on the IP. When the non-FQDN host
> name is returned, my LDAP/SASL/Kerberos gives the
> following error:

>  added plugin '/usr/lib/sasl/libgssapiv2.so'
>  mech list from server is GSSAPI GSS-SPNEGO
>  Considering mech GSSAPI
>  Best mech so far: GSSAPI
>  Considering mech GSS-SPNEGO
>  sasl_gss_client_step: AUTHNEG
>  Trying to get userid
>  SASL/GSSAPI authentication started
>  sasl_gss_client_step: AUTHNEG
>  Trying to get userid
>  Userid: -C
>  name: ldap at gem-pdc
>  ldap_sasl_interactive_bind_s: Local error

> I traced down the error to the Kerberos function
> "gss_import_name", which is being called from the SASL
> function sasl_gss_client_step. This problem only
> happens when the non FQDN kdc name is returned from
> DNS. Is this a Kerberos or SASL problem? Does anyone
> know how to resolve it (without changing my DNS)?

Why do you have two PTR records for the same IP address, and why is one of 
them not a valid FQDN?

How else would you expect GSSAPI to determine the canonical name for the
machine?

By and large, storing a non-FQDN as a PTR record is broken.

Steve langasek
postmodern programmer



More information about the Kerberos mailing list