Bug 916195

Summary: Active Directory Test Domain failed
Product: [Fedora] Fedora Reporter: Juanjo Marin <juanj.marin>
Component: openldapAssignee: Jan Synacek <jsynacek>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: jsynacek, jv+fedora, rmeggins, stefw
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-04 10:21:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Juanjo Marin 2013-02-27 14:12:56 UTC 
Description of problem:

Active Directory Test Domain failed

Version-Release number of selected component (if applicable):
openldap-clients-2.4.33-3.fc18.x86_64

How reproducible:
Follow steps described in
https://fedoraproject.org/wiki/Features/ActiveDirectory/TestBed



Steps to Reproduce:
Testing against a corporate active directory domain with Windows 2003 servers

1. $ host DCA.CCUL.JUNTA-ANDALUCIA.ES
2. $ host **.**.*.**
3. $ host -t SRV _kerberos._udp.DCA.CCUL.JUNTA-ANDALUCIA.ES
4. $ host -t SRV _kerberos._tcp.dc._msdcs.DCA.CCUL.JUNTA-ANDALUCIA.ES
5. $ kinit juanj.marin.JUNTA-ANDALUCIA.ES
6. $ ldapwhoami -v -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI

  
Actual results:

ldap_initialize( ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES:389/??base )
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
	additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece


Expected results:
ldap_initialize( ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES:389/??base )
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
u:DCA\user



Additional info:

session output:

1. $ host DCA.CCUL.JUNTA-ANDALUCIA.ES
DCA.CCUL.JUNTA-ANDALUCIA.ES has address ***.***.***.***
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.*
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.**
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.**
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.**
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.**
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.*
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.*
DCA.CCUL.JUNTA-ANDALUCIA.ES has address ***.**.**.*

(Removed real values)

2. $ host **.**.*.**
14.0.34.10.in-addr.arpa domain name pointer tartesos.dca.ccul.junta-andalucia.es.

3. $ host -t SRV _kerberos._udp.DCA.CCUL.JUNTA-ANDALUCIA.ES
_kerberos._udp.DCA.CCUL.JUNTA-ANDALUCIA.ES has SRV record 0 100 88 gades.dca.ccul.junta-andalucia.es.
_kerberos._udp.DCA.CCUL.JUNTA-ANDALUCIA.ES has SRV record 0 100 88 tartesos.dca.ccul.junta-andalucia.es.

4. $ host -t SRV _kerberos._tcp.dc._msdcs.DCA.CCUL.JUNTA-ANDALUCIA.ES
_kerberos._tcp.dc._msdcs.DCA.CCUL.JUNTA-ANDALUCIA.ES has SRV record 0 100 88 tartesos.dca.ccul.junta-andalucia.es.
_kerberos._tcp.dc._msdcs.DCA.CCUL.JUNTA-ANDALUCIA.ES has SRV record 0 100 88 hercules.dca.ccul.junta-andalucia.es.
_kerberos._tcp.dc._msdcs.DCA.CCUL.JUNTA-ANDALUCIA.ES has SRV record 0 100 88 gades.dca.ccul.junta-andalucia.es.

5. $ kinit juanj.marin.JUNTA-ANDALUCIA.ES
Password for juanj.marin.JUNTA-ANDALUCIA.ES:

6. $ ldapwhoami -v -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI
ldap_initialize( ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES:389/??base )
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
	additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece



$ klist -eTicket cache: DIR::/run/user/1000/krb5cc_a7141926b82971a9383e29c4512e05fb/tktATQTvs
Default principal: juanj.marin.JUNTA-ANDALUCIA.ES

Valid starting     Expires            Service principal
02/27/13 15:07:37  02/28/13 01:07:37  krbtgt/DCA.CCUL.JUNTA-ANDALUCIA.ES.JUNTA-ANDALUCIA.ES
	renew until 03/06/13 15:07:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac 
02/27/13 15:08:18  02/28/13 01:07:37  ldap/tartesos.dca.ccul.junta-andalucia.es@
	renew until 03/06/13 15:07:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac 
02/27/13 15:08:18  02/28/13 01:07:37  ldap/tartesos.dca.ccul.junta-andalucia.es.JUNTA-ANDALUCIA.ES
	renew until 03/06/13 15:07:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
Comment 1 Jan Včelák 2013-02-27 16:22:53 UTC 
Juanjo, please, can you try regular ldapsearch instead of ldapwhoami?
Comment 2 Juanjo Marin 2013-03-01 14:10:49 UTC 
Can you please tell the specific command you want me to try ?
Comment 3 Jan Včelák 2013-03-02 14:49:33 UTC 
Yes, I can. Try this:

ldapsearch -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI -b "" -s base +
Comment 4 Juanjo Marin 2013-03-04 07:27:25 UTC 
This is the output from this command:

$ ldapsearch -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI -b "" -s base +
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: + 
#

#
dn:

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
Comment 5 Stef Walter 2013-03-04 08:15:24 UTC 
Juanjo, shot in the dark: 

What happens when you add this to your krb5.conf file?

[libdefaults]
rdns = true

Additionally what happens when you remove your krb5.conf file?
Comment 6 Juanjo Marin 2013-03-04 09:11:13 UTC 
1) change file /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 rdns = true
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
# default_realm = EXAMPLE.COM

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

2) $ ldapwhoami -v -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI
ldap_initialize( ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES:389/??base )
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
	additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece

3) $ ldapsearch -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI -b "" -s base +
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: + 
#

#
dn:

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

--------------------

1) $ sudo mv /etc/krb5.conf /etc/krb5.conf.bk

2) $ ldapwhoami -v -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI
ldap_initialize( ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES:389/??base )
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
	additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece

3) $ ldapsearch -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI -b "" -s base +
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: + 
#

#
dn:

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
Comment 7 Jan Včelák 2013-03-04 10:21:36 UTC 
That's what I thought. As you can see, the authentication was successful. Your configuration on Linux side is correct. But your version of AD server doesn't support whoami extended operation, therefore you are receiving the error.

Closing this report as NOTABUG.