Description of problem:
When testing IPA on a network where A/PTR names do not match it turned out that OpenLDAP/cyrus-sasl fail when using GSSAPI. Setting rdns = false in /etc/krb5.conf does not help. This is then causing ipa-client-install to fail unless the master is manually added to /etc/hosts. Other applications like ssh are able to cope with such a network environment now that bug 714823 has been fixed.

This can be reproduced also with plain ldapsearch:

$ kinit admin
Password for admin.EXAMPLE.COM:
$ host master.ipa.test.example.com
master.ipa.test.example.com has address 10.21.231.91
$ host 10.21.231.91
91.231.21.10.in-addr.arpa domain name pointer server.net.example.com.
$ /usr/bin/ldapsearch -H ldap://master.ipa.test.example.com -Y GSSAPI -d 9
ldap_url_parse_ext(ldap://master.ipa.test.example.com)
ldap_create
ldap_url_parse_ext(ldap://master.ipa.test.example.com:389/??base)
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP master.ipa.test.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.21.231.91:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=server.net.example.com
SASL/GSSAPI authentication started
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/TEST.EXAMPLE.COM.EXAMPLE.COM not found in Kerberos database)

After adding the master to /etc/hosts the connection is opened with correct hostname:

...
ldap_connect_to_host: TCP master.ipa.test.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.21.231.91:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=master.ipa.test.example.com
SASL/GSSAPI authentication started
...

Version-Release number of selected component (if applicable):
RHEL 6.1
Hi.

Reverse lookup can be disabled by enabling SASL_NOCANON in ldap.conf or by setting the LDAPSASL_NOCANON environment variable. (At the library level, ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON) will do the trick.) If enabled, the hostname part from the URI is used.

Therefore I believe this is not a bug and I'm closing it.

Jan
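The two checks a client administrator would run on a setup like the one in the report, as an added shell example (not code from the bug report, OpenLDAP or IPA): whether the A and PTR records of the LDAP server disagree, and whether the client's ldap.conf already has SASL_NOCANON turned on; the RHEL ldap.conf path and the base-level namingContexts search are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report. Verifies the two things that
# matter for the failure above: A/PTR disagreement for the server name, and
# whether SASL hostname canonicalisation is already disabled on the client.

# ptr_matches NAME: returns 0 if the address NAME resolves to maps back to
# NAME, 1 if the reverse record names a different host (the situation in the
# report), 2 if NAME does not resolve at all. getent consults /etc/hosts
# before DNS, which is why the /etc/hosts workaround in the report works.
ptr_matches() {
    name=$1
    addr=$(getent ahostsv4 "$name" 2>/dev/null | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 2
    back=$(getent hosts "$addr" 2>/dev/null | awk '{ print $2 }')
    [ "$back" = "$name" ]
}

# nocanon_enabled FILE: returns 0 if FILE (an ldap.conf) sets SASL_NOCANON to
# on/yes/true outside comments, 1 otherwise. Keys are compared
# case-insensitively here and a later line overrides an earlier one.
nocanon_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        toupper($1) == "SASL_NOCANON" { v = tolower($2) }
        END { exit !(v == "on" || v == "yes" || v == "true") }
    ' "$1" 2>/dev/null
}

# gssapi_search URI: the same GSSAPI bind as in the report, with reverse
# lookup disabled for this one invocation through the environment variable.
gssapi_search() {
    LDAPSASL_NOCANON=on ldapsearch -H "$1" -Y GSSAPI -s base -b '' namingContexts
}

# Usage: sh check.sh master.ipa.test.example.com [/path/to/ldap.conf]
if [ -n "${1:-}" ]; then
    if ptr_matches "$1"; then
        echo "A/PTR agree for $1"
    else
        echo "A/PTR mismatch or no record for $1: SASL will use the PTR name unless SASL_NOCANON is on"
    fi
    conf=${2:-/etc/openldap/ldap.conf}   # assumed RHEL location
    if nocanon_enabled "$conf"; then
        echo "SASL_NOCANON is on in $conf"
    else
        echo "SASL_NOCANON not set in $conf; use LDAPSASL_NOCANON=on or add 'SASL_NOCANON on'"
    fi
fi
```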
Thanks for the info, I've filed bug 732468 to get ipa-client-install to use that functionality.