SASL authentication

Tue Mar 24 05:21:44 EDT 2009

> -----Original Message-----
> From: kerberos-bounces at mit.edu 
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Str?der
> Sent: Tuesday, March 24, 2009 3:22 AM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
> 
> Use nslookup.exe on host name and IP address. They must match.

Thanks, Michael! Using nslookup in the client Linux box, I found it is the reason why there is no outward LDAP traffic. The LDAP server (AD in Windows 2003 Server), as I said, is the primary domain controller of its own. It is also the DNS server in its own domain. I didn't recognize that this DNS server is not in the nameserver list of the client machine. No wonder it can not resolve the name. Now it is added into the file "/etc/resolv.conf":
==========================================================
search sgp.fujixerox.com sesswin2003.com /* sesswin2003.com is the domain name of the AD server */
nameserver 13.198.8.83
nameserver 13.198.96.10
nameserver 13.198.98.35 /* This is the IP Address of the domain controller with its FQDN as sesswin2003.sesswin2003.com */
==========================================================
But strangely, with this file modified, "nslookup sesswin2003" still fails. To my surprise, even in the AD itself, this command fails. So I suspect DNS in the AD is not running properly. Could you tell me where to look at in the AD to fix the DNS issue?

> > [libdefaults]
> >  default_realm = durian.fujixerox.com
> > [..]
> > In this configuration file, "durian" is the hostname of the client 
> > machine. Is there anything wrong with it?
> 
> I'm confused. Why do you put in durian.fujixerox.com here.
> 
> default_realm MUST point to a Kerberos realm. In a MS AD 
> environment this is simply the upper-case DNS domain name of 
> the AD domain.

durian is the hostname of the client Linux box. fujixerox.com is the domain name in which the client lies.
Yes, I also feel this is strange setting. durian.fujixerox.com is FQDN of the client, not a domain name.

But since it has nothing to do with the LDAP traffic, I don't want to change it now.

> > [realms]
> >  SESSWIN2003.COM = {
> >   kdc = 13.198.98.35:88
>           ^^^^^^^^^^^^
> Is that the IP address of your AD domain controller? Is 
> SESSWIN2003.COM your AD domain?

Yes, this is the IP address of the AD domain controller. And Yes again, SESSWIN2003.COM is my AD domain.

> >  durian.fujixerox.com = {
> >   kdc = kerberos.durian.fujixerox.com:88
> >   admin_server = kerberos.durian.fujixerox.com:749  }
> 
> Likely you should remove that.
> 
> You should try to find a working setup with AD using your 
> favourite search engine. Please read a little bit more what 
> the different parameters really mean.

Thanks a lot,
Xu Qiang