SASL authentication

Markus Moeller huaraz at moeller.plus.com
Wed Mar 25 17:43:18 EDT 2009


"Xu, Qiang (FXSGSC)" <Qiang.Xu at fujixerox.com> wrote in message 
news:D8C9BC7FFCF8154FB7141EB8DB609C1729059820E0 at SGPAPHQ-EXSCC01.dc01.fujixerox.net...
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu
>> [mailto:kerberos-bounces at mit.edu] On Behalf Of Markus Moeller
>> Sent: Wednesday, March 25, 2009 7:53 AM
>> To: kerberos at mit.edu
>> Subject: Re: SASL authentication
>>
>> You need to do nslookup sesswin2003.sesswin2003.com or
>> nslookup sesswin2003.com  or add a search path to your
>> resolv.conf file (e.g. search
>> sesswin2003.com)
>
> Yesterday, my resolv.conf was like this:
> =================================
> search sgp.fujixerox.com sesswin2003.com
> nameserver 13.198.8.83
> nameserver 13.198.96.10
> nameserver 13.198.98.35
> =================================
> To my dismay, it didn't work. The hostname "sesswin2003" still couldn't be 
> resolved to its IP address.
>
> Today, with the help of our local SA, the file is changed to:
> =================================
> search sgp.fujixerox.com sesswin2003.com
> nameserver 13.198.98.35
> nameserver 13.198.96.10
> =================================
> It seems the order of the nameserver list is important. Quite strange. Or it 
> may be a problem with some DNS server, because if I put the nameserver 
> 13.198.96.10 in front of 13.198.98.35, it still doesn't work. By right, if 
> a hostname can't be located by the first nameserver, it should continue to 
> look for the hostname in the second nameserver, right?
>

No, it wouldn't. If the first server says unknown domain, that is a valid 
response and the next server wouldn't be queried. Only if the first server 
does not reply will the second be used (afaik).

> Anyway, now nslookup works perfectly:
> =================================
> qxu at durian(pts/1):/etc[17]$ nslookup sesswin2003
> Server:         13.198.98.35
> Address:        13.198.98.35#53
>
> Name:   sesswin2003.sesswin2003.com
> Address: 13.198.98.35
>
> qxu at durian(pts/1):/etc[18]$ nslookup sesswin2003.sesswin2003.com
> Server:         13.198.98.35
> Address:        13.198.98.35#53
>
> Name:   sesswin2003.sesswin2003.com
> Address: 13.198.98.35
> =================================
> For me, it is quite promising.
>
> Then I did what Michael and Doug told me, i.e. kinit, klist and 
> ldapsearch:
> =================================
> qxu at durian(pts/1):/etc[19]$ kinit qxu at SESSWIN2003.COM
> Password for qxu at SESSWIN2003.COM:
>
> qxu at durian(pts/1):/etc[20]$ klist
> Ticket cache: FILE:/tmp/krb5cc_20153
> Default principal: qxu at SESSWIN2003.COM
>
> Valid starting     Expires            Service principal
> 03/25/09 17:21:13  03/26/09 03:21:11 
> krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
>        renew until 03/26/09 17:21:13
>
>
> Kerberos 4 ticket cache: /tmp/tkt20153
> klist: You have no tickets cached
>
> qxu at durian(pts/1):/etc[21]$ ldapsearch -Y GSSAPI -H 
> 'ldap://sesswin2003.sesswin2003.com' -b 'dc=sesswin2003,dc=com' -s 
> sub -LLL 'cn=xuan' mail
> SASL/GSSAPI authentication started
> SASL username: qxu at SESSWIN2003.COM
> SASL SSF: 56
> SASL installing layers
> dn: CN=xuan,CN=Users,DC=sesswin2003,DC=com
> mail: Xuan.Shangguan at fujixerox.com
>
> # 
> refldap://ForestDnsZones.sesswin2003.com/DC=ForestDnsZones,DC=sesswin2003,D
> C=com
>
> # 
> refldap://DomainDnsZones.sesswin2003.com/DC=DomainDnsZones,DC=sesswin2003,D
> C=com
>
> # refldap://sesswin2003.com/CN=Configuration,DC=sesswin2003,DC=com
> =================================
> It works perfectly. Next I will use this as a bench against my own coding.
>
> Thanks to all,
> Xu Qiang
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

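As an added illustration (not part of the thread, and not real DNS traffic), a small Python simulation of the resolver behaviour Markus describes: the search list from resolv.conf is expanded in order, an NXDOMAIN answer from the first server that responds ends the lookup for that candidate name, and only a server that never answers is skipped. The server contents are constructed to mirror the two resolv.conf files quoted above; the dead server address 192.0.2.1 is a placeholder.

```python
# Simulated stub resolver: resolv.conf "search" expansion plus the
# nameserver fallback rule. All server data below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

NXDOMAIN = "NXDOMAIN"   # a real, negative answer
TIMEOUT = "TIMEOUT"     # no answer at all


@dataclass
class FakeServer:
    ip: str
    records: Dict[str, str]   # fqdn -> address this server knows
    alive: bool = True

    def query(self, fqdn: str) -> str:
        if not self.alive:
            return TIMEOUT
        return self.records.get(fqdn, NXDOMAIN)


def candidates(name: str, search: List[str], ndots: int = 1) -> List[str]:
    # glibc-style: names with >= ndots dots are tried as-is first,
    # otherwise the search suffixes are tried first.
    expanded = [f"{name}.{d}" for d in search]
    return [name] + expanded if name.count(".") >= ndots else expanded + [name]


def resolve(name: str, search: List[str], nameservers: List[FakeServer],
            log: Optional[List] = None) -> Optional[str]:
    log = log if log is not None else []
    for fqdn in candidates(name, search):
        for ns in nameservers:
            answer = ns.query(fqdn)
            log.append((fqdn, ns.ip, answer))
            if answer == TIMEOUT:
                continue      # unresponsive server: try the next one
            if answer == NXDOMAIN:
                break         # valid negative answer: stop asking for this name
            return answer
    return None               # every candidate name was denied


SEARCH = ["sgp.fujixerox.com", "sesswin2003.com"]
NS_CORP = FakeServer("13.198.8.83", {})                      # knows no AD zone
NS_OTHER = FakeServer("13.198.96.10", {})                    # knows no AD zone
NS_AD = FakeServer("13.198.98.35", {"sesswin2003.sesswin2003.com": "13.198.98.35"})
NS_DEAD = FakeServer("192.0.2.1", {}, alive=False)           # placeholder, never answers

if __name__ == "__main__":
    for label, order in [("yesterday", [NS_CORP, NS_OTHER, NS_AD]),
                         ("today", [NS_AD, NS_OTHER]),
                         ("dead first", [NS_DEAD, NS_AD])]:
        trace: List = []
        print(label, "->", resolve("sesswin2003", SEARCH, order, trace), trace)
```

The "yesterday" order fails because 13.198.8.83 answers NXDOMAIN for every candidate, so 13.198.98.35 is never asked; only the unreachable server in the last case is skipped.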