SASL authentication

Markus Moeller huaraz at moeller.plus.com
Tue Mar 24 19:52:44 EDT 2009


"Xu, Qiang (FXSGSC)" <Qiang.Xu at fujixerox.com> wrote in message 
news:D8C9BC7FFCF8154FB7141EB8DB609C1729058B3A83 at SGPAPHQ-EXSCC01.dc01.fujixerox.net...
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu
>> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
>> Sent: Tuesday, March 24, 2009 3:22 AM
>> To: kerberos at mit.edu
>> Subject: Re: SASL authentication
>>
>> Use nslookup.exe on host name and IP address. They must match.
>
> Thanks, Michael! Using nslookup in the client Linux box, I found it is the 
> reason why there is no outward LDAP traffic. The LDAP server (AD in 
> Windows 2003 Server), as I said, is the primary domain controller of its 
> own. It is also the DNS server in its own domain. I didn't recognize that 
> this DNS server is not in the nameserver list of the client machine. No 
> wonder it cannot resolve the name. Now it is added to the file 
> "/etc/resolv.conf":
> ==========================================================
> search sgp.fujixerox.com sesswin2003.com /* sesswin2003.com is the domain 
> name of the AD server */
> nameserver 13.198.8.83
> nameserver 13.198.96.10
> nameserver 13.198.98.35 /* This is the IP Address of the domain controller 
> with its FQDN as sesswin2003.sesswin2003.com */
> ==========================================================
> But strangely, with this file modified, "nslookup sesswin2003" still 
> fails. To my surprise, even in the AD itself, this command fails. So I 
> suspect DNS in the AD is not running properly. Could you tell me where to 
> look in the AD to fix the DNS issue?


You need to do "nslookup sesswin2003.sesswin2003.com" or "nslookup 
sesswin2003.com", or add a search path to your resolv.conf file (e.g. "search 
sesswin2003.com").


>
>> > [libdefaults]
>> >  default_realm = durian.fujixerox.com
>> > [..]
>> > In this configuration file, "durian" is the hostname of the client
>> > machine. Is there anything wrong with it?
>>
>> I'm confused. Why do you put in durian.fujixerox.com here.
>>
>> default_realm MUST point to a Kerberos realm. In a MS AD
>> environment this is simply the upper-case DNS domain name of
>> the AD domain.
>
> durian is the hostname of the client Linux box. fujixerox.com is the 
> domain name in which the client lies.
> Yes, I also feel this is strange setting. durian.fujixerox.com is FQDN of 
> the client, not a domain name.
>
> But since it has nothing to do with the LDAP traffic, I don't want to 
> change it now.
>
>> > [realms]
>> >  SESSWIN2003.COM = {
>> >   kdc = 13.198.98.35:88
>>           ^^^^^^^^^^^^
>> Is that the IP address of your AD domain controller? Is
>> SESSWIN2003.COM your AD domain?
>
> Yes, this is the IP address of the AD domain controller. And Yes again, 
> SESSWIN2003.COM is my AD domain.
>
>> >  durian.fujixerox.com = {
>> >   kdc = kerberos.durian.fujixerox.com:88
>> >   admin_server = kerberos.durian.fujixerox.com:749  }
>>
>> Likely you should remove that.
>>
>> You should try to find a working setup with AD using your
>> favourite search engine. Please read a little bit more what
>> the different parameters really mean.
>
> Thanks a lot,
> Xu Qiang
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Markus 
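The two things this thread keeps circling back to, a search path that does not cover the AD domain and a krb5.conf whose default_realm is a host name rather than a realm, can both be checked offline. The script below is an added example and is not part of Markus's post or of any MIT Kerberos tooling. It parses a resolv.conf and shows which names the stub resolver will try for a short name (glibc's default ndots:1 behaviour), lints a krb5.conf for the realm-naming mistakes Michael pointed out, and checks that a KDC's forward and reverse DNS agree, which matters because the client builds the service principal from the canonicalised host name. The sample resolv.conf and krb5.conf are constructed from the values quoted in the thread; the function names and the injectable `forward`/`reverse` resolvers are my own assumptions so the check can run without network access.

```python
"""Offline checks for DNS search paths and krb5.conf realm naming (added example)."""
import re
import socket

# Constructed from the resolv.conf quoted in the thread (annotations removed).
SAMPLE_RESOLV_CONF = """\
search sgp.fujixerox.com sesswin2003.com
nameserver 13.198.8.83
nameserver 13.198.96.10
nameserver 13.198.98.35
"""

# Constructed krb5.conf reproducing the mistake discussed in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = durian.fujixerox.com
[realms]
 SESSWIN2003.COM = {
  kdc = 13.198.98.35:88
 }
 durian.fujixerox.com = {
  kdc = kerberos.durian.fujixerox.com:88
  admin_server = kerberos.durian.fujixerox.com:749
 }
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf text."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "nameserver":
            nameservers.append(rest.strip())
        elif key in ("search", "domain"):
            search = rest.split()  # the last search/domain line wins
    return nameservers, search


def expand_search(name, search):
    """Names a glibc stub resolver (ndots:1) tries for `name`, in order."""
    if name.endswith("."):
        return [name]  # absolute name, no search list applied
    if "." in name:
        return [name] + [f"{name}.{d}" for d in search]
    return [f"{name}.{d}" for d in search] + [name]


def _section(text, name):
    """Body of an INI-style [name] section, or '' if absent."""
    m = re.search(rf"^\[{name}\]\s*$(.*?)(?=^\[|\Z)", text, re.M | re.S)
    return m.group(1) if m else ""


def lint_krb5_conf(text):
    """Findings about realm naming; an empty list means nothing was flagged."""
    findings = []
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    # Realm stanzas are the 'NAME = {' lines inside [realms].
    realms = re.findall(r"^\s*([^\s=]+)\s*=\s*\{", _section(text, "realms"), re.M)
    if not m:
        return ["no default_realm set in [libdefaults]"]
    default_realm = m.group(1)
    if default_realm != default_realm.upper():
        findings.append(f"default_realm {default_realm!r} is not upper-case; "
                        "an AD realm is the upper-cased DNS domain of the AD domain")
    if default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no [realms] stanza")
    for r in realms:
        if r != r.upper():
            findings.append(f"realm {r!r} is lower-case; it looks like a host name, not a realm")
    return findings


def check_forward_reverse(host, forward=None, reverse=None):
    """Resolve host -> addresses -> PTR names and report whether they agree.
    `forward` and `reverse` default to the system resolver; inject stubs to test."""
    forward = forward or (lambda h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)}))
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    result = {"host": host, "addresses": [], "mismatches": [], "ok": False}
    try:
        result["addresses"] = forward(host)
    except OSError as e:
        result["error"] = f"forward lookup failed: {e}"
        return result
    for ip in result["addresses"]:
        try:
            name = reverse(ip)
        except OSError as e:
            result["mismatches"].append((ip, f"no PTR: {e}"))
            continue
        if name.rstrip(".").lower() != host.rstrip(".").lower():
            result["mismatches"].append((ip, name))
    result["ok"] = not result["mismatches"]
    return result


if __name__ == "__main__":
    _, search = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("resolver tries:", expand_search("sesswin2003", search))
    for f in lint_krb5_conf(SAMPLE_KRB5_CONF):
        print("krb5.conf:", f)
    print(check_forward_reverse("sesswin2003.sesswin2003.com"))
```

Run it as-is to lint the constructed files; replace the final call's host with your KDC to use the real resolver. A non-empty `mismatches` list is the condition Michael's "they must match" refers to, and it is worth fixing before touching the LDAP or SASL side at all.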