Bug 719060

Summary: ldapsearch using GSSAPI fails when A/PTR names do not match
Product: Red Hat Enterprise Linux 6
Reporter: Marko Myllynen <myllynen>
Component: openldap
Assignee: Jan Vcelak <jvcelak>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.1
CC: jplans, jvcelak, ssorce, tsmetana
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-08-22 14:26:38 UTC

Description Marko Myllynen 2011-07-05 16:07:11 UTC
Description of problem:
When testing IPA on a network where A/PTR names do not match it turned out that OpenLDAP/cyrus-sasl fail when using GSSAPI. Setting rdns = false in /etc/krb5.conf does not help. This is then causing ipa-client-install to fail unless the master is manually added to /etc/hosts. Other applications like ssh are able to cope with such a network environment now that bug 714823 has been fixed.

This can be reproduced also with plain ldapsearch:

$ kinit admin
Password for admin.EXAMPLE.COM: 
$ host master.ipa.test.example.com
master.ipa.test.example.com has address 10.21.231.91
$ host 10.21.231.91
91.231.21.10.in-addr.arpa domain name pointer server.net.example.com.
$ /usr/bin/ldapsearch -H ldap://master.ipa.test.example.com -Y GSSAPI -d 9
ldap_url_parse_ext(ldap://master.ipa.test.example.com)
ldap_create
ldap_url_parse_ext(ldap://master.ipa.test.example.com:389/??base)
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP master.ipa.test.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.21.231.91:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=server.net.example.com
SASL/GSSAPI authentication started
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/TEST.EXAMPLE.COM.EXAMPLE.COM not found in Kerberos database)

After adding the master to /etc/hosts the connection is opened with the correct hostname:

...
ldap_connect_to_host: TCP master.ipa.test.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.21.231.91:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=master.ipa.test.example.com
SASL/GSSAPI authentication started
...

Version-Release number of selected component (if applicable):
RHEL 6.1

Comment 2 Jan Vcelak 2011-08-22 14:26:38 UTC
Hi.

Reverse lookup can be disabled by enabling SASL_NOCANON in ldap.conf or by setting the LDAPSASL_NOCANON environment variable. (At the library level, ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON) will do the trick.)

If enabled, the hostname part of the URI is used.

Therefore I believe this is not a bug and I'm closing it.

Jan
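The following is an added example, not code from this bug report, from OpenLDAP or from cyrus-sasl. It models the client-side decision that produced the `ldap_int_sasl_open: host=server.net.example.com` line in the description and the two settings named in comment 2: with canonicalisation on, the PTR name of the resolved address becomes the host part of the `ldap/<host>` service name; with SASL_NOCANON on, the hostname from the URI is used. It also includes a small check that scans `ldapsearch -d 9` output for a URI/SASL hostname mismatch. Assumptions made here: the LDAPSASL_NOCANON environment variable overrides SASL_NOCANON in ldap.conf (ldap.conf(5) processes environment variables after the config files), and DNS is replaced by constructed A/PTR tables mirroring the addresses in the report so the script runs offline.

```python
"""Model of the OpenLDAP client-side hostname decision behind this bug.

Added example, not code from the bug report, OpenLDAP or cyrus-sasl.
Assumptions: env LDAPSASL_NOCANON overrides ldap.conf SASL_NOCANON (ldap.conf(5)
reads environment variables last); DNS is replaced by constructed tables.
"""
import re
from typing import Dict, Mapping, Optional

# Constructed forward (A) and reverse (PTR) records mirroring the report:
# the A name and the PTR name for 10.21.231.91 do not match.
A_TABLE: Dict[str, str] = {"master.ipa.test.example.com": "10.21.231.91"}
PTR_TABLE: Dict[str, str] = {"10.21.231.91": "server.net.example.com"}

TRUE_VALUES = {"on", "true", "yes"}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'KEY value' lines of an ldap.conf, ignoring blanks and # comments."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def sasl_nocanon(conf: Mapping[str, str], env: Mapping[str, str]) -> bool:
    """True when reverse-lookup canonicalisation is disabled.

    LDAPSASL_NOCANON in the environment wins over SASL_NOCANON in ldap.conf
    (assumption, per ldap.conf(5) processing order); the default is
    canonicalisation on, which is the behaviour the reporter hit.
    """
    value = env.get("LDAPSASL_NOCANON", conf.get("SASL_NOCANON", "off"))
    return value.strip().lower() in TRUE_VALUES


def sasl_host(uri_host: str, nocanon: bool) -> str:
    """Hostname handed to the SASL layer (the 'ldap_int_sasl_open: host=' line).

    Canonicalisation resolves the URI host to an address and takes the PTR name
    of that address; with SASL_NOCANON the URI host is used unchanged.
    """
    if nocanon:
        return uri_host
    addr = A_TABLE.get(uri_host)
    return PTR_TABLE.get(addr, uri_host) if addr else uri_host


def gssapi_service(uri_host: str, nocanon: bool) -> str:
    """Service name the client requests a ticket for: ldap/<SASL host>."""
    return "ldap/" + sasl_host(uri_host, nocanon)


# Check over `ldapsearch -d 9` output: does the SASL host match the URI host?
URI_RE = re.compile(r"ldap_url_parse_ext\(ldaps?://([^:/)]+)")
SASL_HOST_RE = re.compile(r"ldap_int_sasl_open: host=(\S+)")


def check_debug_output(debug: str) -> Optional[str]:
    """Return a warning when the SASL host differs from the URI host, else None."""
    uri_host: Optional[str] = None
    sasl: Optional[str] = None
    for line in debug.splitlines():
        m = URI_RE.search(line)
        if m and uri_host is None:
            uri_host = m.group(1)
        m = SASL_HOST_RE.search(line)
        if m:
            sasl = m.group(1)
    if uri_host and sasl and uri_host.lower() != sasl.lower():
        return (f"SASL host {sasl} differs from URI host {uri_host}: "
                "reverse-lookup name in use; set SASL_NOCANON on")
    return None


# Constructed excerpts in the shape of the debug output quoted in the report.
MISMATCH_DEBUG = """\
ldap_url_parse_ext(ldap://master.ipa.test.example.com)
ldap_connect_to_host: TCP master.ipa.test.example.com:389
ldap_int_sasl_open: host=server.net.example.com
"""
FIXED_DEBUG = """\
ldap_url_parse_ext(ldap://master.ipa.test.example.com)
ldap_connect_to_host: TCP master.ipa.test.example.com:389
ldap_int_sasl_open: host=master.ipa.test.example.com
"""

if __name__ == "__main__":
    conf = parse_ldap_conf("URI ldap://master.ipa.test.example.com\nSASL_NOCANON on\n")
    for env in ({}, {"LDAPSASL_NOCANON": "off"}):
        flag = sasl_nocanon(conf, env)
        print(f"env={env} nocanon={flag} -> "
              f"{gssapi_service('master.ipa.test.example.com', flag)}")
    print(check_debug_output(MISMATCH_DEBUG))
    print(check_debug_output(FIXED_DEBUG))
```

Running the script shows `ldap/master.ipa.test.example.com` when SASL_NOCANON is on and `ldap/server.net.example.com` when the environment switches it off again, and the log check flags only the first excerpt. On a real client, the same check can be run over `ldapsearch -d 9` output before deciding whether an /etc/hosts entry or SASL_NOCANON is the appropriate fix.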

Comment 3 Marko Myllynen 2011-08-22 14:53:01 UTC
Thanks for the info, I've filed bug 732468 to get ipa-client-install to use that functionality.