Problem of sasl binding
Xu, Qiang (FXSGSC)
Qiang.Xu at fujixerox.com
Thu Aug 12 04:13:30 EDT 2010
Hi, list:
Recently, I've come across a strange problem of sasl ldap binding failure. The trace is extracted here.
==================================
281 28.670586 30.144.56.26 30.37.110.32 DNS Standard query response A 30.130.51.201
282 28.672084 30.37.110.32 30.144.56.26 DNS Standard query A va10pwpads010.us.ad.wellpoint.com
283 28.690339 30.144.56.26 30.37.110.32 DNS Standard query response A 30.130.51.201
284 28.690515 30.37.110.32 30.130.51.201 TCP 45005 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=298479692 TSER=0 WS=5
285 28.714314 30.130.51.201 30.37.110.32 TCP ldap > 45005 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
286 28.714366 30.37.110.32 30.130.51.201 TCP 45005 > ldap [ACK] Seq=1 Ack=1 Win=5856 Len=0 TSV=298479698 TSER=0
287 28.723715 30.37.110.32 30.144.56.26 DNS Standard query A va10pwpads010.us.ad.wellpoint.com
288 28.741909 30.144.56.26 30.37.110.32 DNS Standard query response A 30.130.51.201
289 28.743018 30.37.110.32 30.144.56.26 DNS Standard query PTR 201.51.130.30.in-addr.arpa
290 28.760696 30.144.56.26 30.37.110.32 DNS Standard query response PTR VA10PWPADS010.us.ad.wellpoint.com PTR us.ad.wellpoint.com
...
295 28.773815 30.37.110.32 30.37.205.29 KRB5 TGS-REQ
Kerberos TGS-REQ
KDC_REQ_BODY
Server Name (Service and Host): ldap/va10pwpads010.us.ad.wellpoint.com
Name-type: Service and Host (3)
Name: ldap
Name: va10pwpads010.us.ad.wellpoint.com
...
303 28.780063 30.37.205.29 30.37.110.32 KRB5 TGS-REP
Kerberos TGS-REP
Ticket
Server Name (Service and Host): ldap/va10pwpads010.us.ad.wellpoint.com
Name-type: Service and Host (3)
Name: ldap
Name: va10pwpads010.us.ad.wellpoint.com
...
313 28.805955 30.37.110.32 30.130.51.201 LDAP bindRequest(1) "<ROOT>" sasl
GSS-API Generic Security Service Application Program Interface
Kerberos AP-REQ
Ticket
Server Name (Service and Host): ldap/va10pwpads010.us.ad.wellpoint.com
Name-type: Service and Host (3)
Name: ldap
Name: va10pwpads010.us.ad.wellpoint.com
314 28.830509 30.130.51.201 30.37.110.32 TCP ldap > 45005 [ACK] Seq=1 Ack=2255 Win=65535 Len=0 TSV=3099745 TSER=298479692
315 28.830972 30.130.51.201 30.37.110.32 LDAP bindResponse(1) saslBindInProgress
316 28.830975 30.37.110.32 30.130.51.201 TCP 45005 > ldap [ACK] Seq=2255 Ack=161 Win=6912 Len=0 TSV=298479727 TSER=3099745
317 28.831812 30.37.110.32 30.144.56.26 DNS Standard query A va10pwpads010.us.ad.wellpoint.com
318 28.849904 30.144.56.26 30.37.110.32 DNS Standard query response A 30.130.51.201
319 28.850224 30.37.110.32 30.144.56.26 DNS Standard query PTR 201.51.130.30.in-addr.arpa
320 28.868741 30.144.56.26 30.37.110.32 DNS Standard query response PTR us.ad.wellpoint.com PTR VA10PWPADS010.us.ad.wellpoint.com
==================================
I just can't understand how come there is another series of DNS queries when the SASL binding is not finished.
A strange thing in the trace is that the reverse DNS query for the LDAP server 30.130.51.201 gets back two names: one is "VA10PWPADS010.us.ad.wellpoint.com", and the other is "us.ad.wellpoint.com". Is this a possible reason for the SASL LDAP binding to fail?
Most binding failures come with some error like KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, but no such error is screamed during this binding, and yet it fails. That's why I am so confused.
Looking forward to help,
Xu Qiang
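An added example, not part of the original post: a forward-confirmed reverse DNS check for the LDAP host, run over record tables constructed from the trace above (the tables, the second address for the domain name, and the helper names are assumptions). It flags the ambiguity that matters for GSSAPI name canonicalization: more than one PTR, or a PTR that does not resolve back to the server's address.

```python
from typing import Dict, List

# Constructed lookup tables standing in for a resolver (sample data only).
# The A record for the bare domain name points at a constructed address
# so that its PTR is *not* forward-confirmed for the LDAP server.
A_RECORDS: Dict[str, List[str]] = {
    "va10pwpads010.us.ad.wellpoint.com": ["30.130.51.201"],
    "us.ad.wellpoint.com": ["30.130.51.250"],  # constructed, not from the trace
}
PTR_RECORDS: Dict[str, List[str]] = {
    "30.130.51.201": ["VA10PWPADS010.us.ad.wellpoint.com", "us.ad.wellpoint.com"],
}


def _canon(name: str) -> str:
    """Lower-case and strip a trailing dot, the way SPN comparison is done."""
    return name.lower().rstrip(".")


def check_fcrdns(ip: str, expected_host: str, service: str = "ldap") -> dict:
    """Classify every PTR name for `ip` and report whether the reverse lookup
    is unambiguous and forward-confirmed for the expected service host."""
    ptrs = [_canon(n) for n in PTR_RECORDS.get(ip, [])]
    confirmed, unconfirmed = [], []
    for name in ptrs:
        # Forward-confirmed: the PTR name resolves back to the same address.
        if ip in A_RECORDS.get(name, []):
            confirmed.append(name)
        else:
            unconfirmed.append(name)
    return {
        "ptr_count": len(ptrs),
        "confirmed": confirmed,
        "unconfirmed": unconfirmed,
        "expected_confirmed": _canon(expected_host) in confirmed,
        # A client that canonicalizes the host through reverse DNS may end up
        # with any of these names, so each one is a candidate service principal.
        "candidate_spns": sorted(f"{service}/{n}" for n in set(ptrs)),
        # More than one PTR, or any unconfirmed PTR, is worth flagging on a
        # Kerberos service host before looking at the bind itself.
        "ambiguous": len(ptrs) != 1 or bool(unconfirmed),
    }


if __name__ == "__main__":
    report = check_fcrdns("30.130.51.201", "va10pwpads010.us.ad.wellpoint.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```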