Bug 719060 - ldapsearch using GSSAPI fails when A/PTR names do not match
Summary: ldapsearch using GSSAPI fails when A/PTR names do not match
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jan Vcelak
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-07-05 16:07 UTC by Marko Myllynen
Modified: 2013-03-04 01:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-22 14:26:38 UTC
Target Upstream Version:
Embargoed:



Description Marko Myllynen 2011-07-05 16:07:11 UTC
Description of problem:
When testing IPA on a network where A/PTR names do not match it turned out that OpenLDAP/cyrus-sasl fail when using GSSAPI. Setting rdns = false in /etc/krb5.conf does not help. This is then causing ipa-client-install to fail unless the master is manually added to /etc/hosts. Other applications like ssh are able to cope with such a network environment now that bug 714823 has been fixed.

This can be reproduced also with plain ldapsearch:

$ kinit admin
Password for admin.EXAMPLE.COM: 
$ host master.ipa.test.example.com
master.ipa.test.example.com has address 10.21.231.91
$ host 10.21.231.91
91.231.21.10.in-addr.arpa domain name pointer server.net.example.com.
$ /usr/bin/ldapsearch -H ldap://master.ipa.test.example.com -Y GSSAPI -d 9
ldap_url_parse_ext(ldap://master.ipa.test.example.com)
ldap_create
ldap_url_parse_ext(ldap://master.ipa.test.example.com:389/??base)
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP master.ipa.test.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.21.231.91:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=server.net.example.com
SASL/GSSAPI authentication started
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/TEST.EXAMPLE.COM.EXAMPLE.COM not found in Kerberos database)

After adding the master to /etc/hosts the connection is opened with correct hostname:

...
ldap_connect_to_host: TCP master.ipa.test.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.21.231.91:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=master.ipa.test.example.com
SASL/GSSAPI authentication started
...

Version-Release number of selected component (if applicable):
RHEL 6.1

Comment 2 Jan Vcelak 2011-08-22 14:26:38 UTC
Hi.

Reverse lookup can be disabled by enabling SASL_NOCANON in ldap.conf or by setting the LDAPSASL_NOCANON environment variable. (At the library level, ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON) will do the trick.)

If enabled, the hostname part of the URI is used.

Therefore I believe this is not a bug and I'm closing it.

Jan

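A preflight check for the A/PTR mismatch described in the report above and for the SASL_NOCANON remedy given in this comment, as an added example that is not part of the bug report, of OpenLDAP or of IPA. It models what libldap does before a GSSAPI bind: without SASL_NOCANON the connected address is canonicalized through a reverse (PTR) lookup and that name is handed to cyrus-sasl, so the client asks the KDC for ldap/<PTR name>; with SASL_NOCANON (ldap.conf, LDAPSASL_NOCANON, or LDAP_OPT_X_SASL_NOCANON) the host from the URI is used. The resolver callbacks, the `sasl_target` and `preflight_report` helpers and the sample records are the example's own, and the fallback to the URI host when no PTR record exists is an assumption, not verified against libldap.

```python
"""Preflight check for SASL/GSSAPI binds to hosts whose A and PTR records disagree.

Added example; not code from the bug report, OpenLDAP or IPA.  It models the
canonicalization libldap performs before a GSSAPI bind so the effect of
SASL_NOCANON can be seen without a KDC.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List
from urllib.parse import urlsplit

# Resolver callbacks are injectable so the check can run offline on constructed data.
ForwardResolver = Callable[[str], List[str]]   # hostname -> list of IP addresses
ReverseResolver = Callable[[str], str]         # IP address -> PTR hostname


def system_forward(host: str) -> List[str]:
    """Forward lookup through the system resolver, like ldap_connect_to_host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def system_reverse(addr: str) -> str:
    """Reverse lookup through the system resolver, like the canonicalization in ldap_int_sasl_open."""
    return socket.gethostbyaddr(addr)[0]


@dataclass
class CanonResult:
    uri_host: str            # host part of the ldap:// URI
    address: str             # address actually connected to
    ptr_name: str            # what the PTR record says ("" if there is none)
    sasl_host: str           # name handed to SASL/GSSAPI
    service_principal: str   # ldap/<sasl_host>, realm part omitted

    @property
    def mismatch(self) -> bool:
        """True when the PTR name differs from the name in the URI."""
        return self.ptr_name.lower() != self.uri_host.lower()


def sasl_target(uri: str, nocanon: bool,
                forward: ForwardResolver = system_forward,
                reverse: ReverseResolver = system_reverse) -> CanonResult:
    """Return the host the GSSAPI bind will target for an ldap:// URI.

    nocanon=True models SASL_NOCANON on / LDAPSASL_NOCANON=on /
    ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON).
    """
    host = urlsplit(uri).hostname
    if not host:
        raise ValueError(f"no host in URI {uri!r}")
    address = forward(host)[0]
    try:
        ptr = reverse(address)
    except (socket.herror, socket.gaierror, OSError):
        ptr = ""
    # Assumption: with no PTR record libldap falls back to the URI host.
    sasl_host = host if nocanon else (ptr or host)
    return CanonResult(host, address, ptr, sasl_host, f"ldap/{sasl_host}")


def preflight_report(uri: str,
                     forward: ForwardResolver = system_forward,
                     reverse: ReverseResolver = system_reverse) -> List[str]:
    """Report lines to check before ldapsearch -Y GSSAPI or ipa-client-install."""
    canon = sasl_target(uri, nocanon=False, forward=forward, reverse=reverse)
    lines = [f"{canon.uri_host} -> {canon.address} -> PTR {canon.ptr_name or '(none)'}"]
    if canon.mismatch:
        fixed = sasl_target(uri, nocanon=True, forward=forward, reverse=reverse)
        lines += [
            f"A/PTR mismatch: GSSAPI will request {canon.service_principal} "
            f"instead of ldap/{canon.uri_host}",
            f"set SASL_NOCANON on in ldap.conf (or LDAPSASL_NOCANON=on) to request "
            f"{fixed.service_principal}",
        ]
    else:
        lines.append(f"OK: GSSAPI will request {canon.service_principal}")
    return lines


# Constructed sample records reproducing the report's network (not a live lookup).
SAMPLE_A = {"master.ipa.test.example.com": ["10.21.231.91"]}
SAMPLE_PTR = {"10.21.231.91": "server.net.example.com"}

if __name__ == "__main__":
    for line in preflight_report("ldap://master.ipa.test.example.com",
                                 forward=lambda h: SAMPLE_A[h],
                                 reverse=lambda a: SAMPLE_PTR[a]):
        print(line)
```

Called with the default resolvers, `preflight_report("ldap://master.ipa.test.example.com")` runs the same check against live DNS from the client that is about to bind. SASL_NOCANON only changes which name the client asks a ticket for; the server still needs a keytab entry for ldap/<URI host>, which is the name IPA provisions.
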
Comment 3 Marko Myllynen 2011-08-22 14:53:01 UTC
Thanks for the info, I've filed bug 732468 to get ipa-client-install to use that functionality.

