SASL authentication

Xu, Qiang (FXSGSC) Qiang.Xu at
Tue Mar 24 05:21:44 EDT 2009

> -----Original Message-----
> From: kerberos-bounces at 
> [mailto:kerberos-bounces at] On Behalf Of Michael Ströder
> Sent: Tuesday, March 24, 2009 3:22 AM
> To: kerberos at
> Subject: Re: SASL authentication
> Use nslookup.exe on host name and IP address. They must match.

Thanks, Michael! Using nslookup on the client Linux box, I found the reason why there is no outbound LDAP traffic. The LDAP server (AD on Windows 2003 Server), as I said, is the primary domain controller of its own domain. It is also the DNS server for that domain. I didn't realize that this DNS server was not in the nameserver list of the client machine. No wonder it cannot resolve the name. Now it is added to the file "/etc/resolv.conf":
search /* is the domain name of the AD server */
nameserver /* This is the IP Address of the domain controller with its FQDN as */
But strangely, with this file modified, "nslookup sesswin2003" still fails. To my surprise, even on the AD server itself, this command fails. So I suspect DNS on the AD server is not running properly. Could you tell me where to look in the AD server to fix the DNS issue?
> > [libdefaults]
> >  default_realm =
> > [..]
> > In this configuration file, "durian" is the hostname of the client 
> > machine. Is there anything wrong with it?
> I'm confused. Why do you put in here?
> default_realm MUST point to a Kerberos realm. In a MS AD 
> environment this is simply the upper-case DNS domain name of 
> the AD domain.

durian is the hostname of the client Linux box. is the domain name in which the client lies.
Yes, I also feel this is a strange setting. is the FQDN of the client, not a domain name.

But since it has nothing to do with the LDAP traffic, I don't want to change it now.
> > [realms]
> >  SESSWIN2003.COM = {
> >   kdc =
>           ^^^^^^^^^^^^
> Is that the IP address of your AD domain controller? Is 
> SESSWIN2003.COM your AD domain?

Yes, this is the IP address of the AD domain controller. And yes again, SESSWIN2003.COM is my AD domain.
> > = {
> >   kdc =
> >   admin_server =  }
> Likely you should remove that.
> You should try to find a working setup with AD using your 
> favourite search engine. Please read a little bit more what 
> the different parameters really mean.

Thanks a lot,
Xu Qiang
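The two checks Michael asks for in this thread (the krb5.conf realm settings and the forward/reverse DNS match) can be scripted. The following is an added example, not code from either poster or from the Kerberos project. The sample krb5.conf text is constructed for the example: the client FQDN "durian.example.com", the documentation address 192.0.2.10 standing in for the domain controller, and the realm SESSWIN2003.COM from the thread. The parser handles only the krb5.conf subset shown, and the "realm must be upper-case" rule is the AD convention Michael describes, applied as a heuristic.

```python
"""Lint a krb5.conf for the AD pitfalls in this thread and emulate the
'nslookup host; nslookup ip' consistency check. Added example, not the
poster's file; names and addresses below are constructed."""
import socket

# Constructed: default_realm set to the client's (hypothetical) FQDN instead
# of the AD domain, plus a stray realm block named after the client.
BROKEN_KRB5_CONF = """
[libdefaults]
 default_realm = durian.example.com

[realms]
 SESSWIN2003.COM = {
  kdc = 192.0.2.10
 }
 durian.example.com = {
  kdc = 192.0.2.10
  admin_server = 192.0.2.10
 }
"""

# Constructed: the same file with default_realm as the upper-case AD domain
# and only the AD realm defined (192.0.2.10 stands in for the DC address).
FIXED_KRB5_CONF = """
[libdefaults]
 default_realm = SESSWIN2003.COM

[realms]
 SESSWIN2003.COM = {
  kdc = 192.0.2.10
  admin_server = 192.0.2.10
 }
"""


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf subset used here:
    [section] headers, 'key = value' lines and 'NAME = { ... }' blocks.
    Every value is stored in a list because keys such as kdc may repeat."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        if section is None:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = key
            conf[section].setdefault(block, {})
            continue
        target = conf[section][block] if block else conf[section]
        target.setdefault(key, []).append(value)
    return conf


def lint_krb5_conf(text):
    """Return a list of findings; an empty list means the checks passed."""
    conf = parse_krb5_conf(text)
    findings = []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default is None:
        findings.append("[libdefaults] default_realm is missing")
    else:
        if default != default.upper():
            findings.append(f"default_realm {default!r} is not upper-case; "
                            "for AD use the upper-case DNS domain name")
        if default not in realms:
            findings.append(f"default_realm {default!r} has no [realms] entry")
    for name, entries in realms.items():
        if name != name.upper():
            findings.append(f"realm {name!r} is not upper-case; it looks like "
                            "a host or DNS name pasted in as a realm")
        if not entries.get("kdc"):
            findings.append(f"realm {name!r} has no kdc entry")
    return findings


def forward_reverse_match(hostname, resolve=socket.gethostbyname,
                          reverse=socket.gethostbyaddr):
    """Emulate 'nslookup host' then 'nslookup ip': the name must resolve to an
    address whose PTR record maps back to that name. Kerberos clients build
    service principals from the resolved name, so a mismatch yields the wrong
    principal. Resolver functions are injectable so this runs offline."""
    try:
        ip = resolve(hostname)
    except OSError as err:
        return False, f"forward lookup of {hostname} failed: {err}"
    try:
        name, aliases, _ = reverse(ip)
    except OSError as err:
        return False, f"reverse lookup of {ip} failed: {err}"
    names = {name.lower(), *(a.lower() for a in aliases)}
    if hostname.lower().rstrip(".") in names:
        return True, f"{hostname} -> {ip} -> {name}"
    return False, f"{hostname} -> {ip} -> {name}: forward/reverse mismatch"


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(label, lint_krb5_conf(text) or "ok")
    print(forward_reverse_match("localhost"))
```

Run the linter against a real /etc/krb5.conf by reading the file into lint_krb5_conf; for the DNS check, call forward_reverse_match with the domain controller's name once the DC's address is in /etc/resolv.conf, since the check is only meaningful against the DNS server the client actually uses.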
