Description of problem:
Active Directory Test Domain failed

Version-Release number of selected component (if applicable):
openldap-clients-2.4.33-3.fc18.x86_64

How reproducible:
Follow steps described in https://fedoraproject.org/wiki/Features/ActiveDirectory/TestBed

Steps to Reproduce:
Testing against a corporate active directory domain with Windows 2003 servers
1. $ host DCA.CCUL.JUNTA-ANDALUCIA.ES
2. $ host **.**.*.**
3. $ host -t SRV _kerberos._udp.DCA.CCUL.JUNTA-ANDALUCIA.ES
4. $ host -t SRV _kerberos._tcp.dc._msdcs.DCA.CCUL.JUNTA-ANDALUCIA.ES
5. $ kinit juanj.marin.JUNTA-ANDALUCIA.ES
6. $ ldapwhoami -v -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI

Actual results:
ldap_initialize( ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES:389/??base )
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
	additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece

Expected results:
ldap_initialize( ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES:389/??base )
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
u:DCA\user

Additional info:
session output:

1. $ host DCA.CCUL.JUNTA-ANDALUCIA.ES
DCA.CCUL.JUNTA-ANDALUCIA.ES has address ***.***.***.***
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.*
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.**
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.**
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.**
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.**
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.*
DCA.CCUL.JUNTA-ANDALUCIA.ES has address **.**.**.*
DCA.CCUL.JUNTA-ANDALUCIA.ES has address ***.**.**.*
(Removed real values)

2. $ host **.**.*.**
14.0.34.10.in-addr.arpa domain name pointer tartesos.dca.ccul.junta-andalucia.es.

3. $ host -t SRV _kerberos._udp.DCA.CCUL.JUNTA-ANDALUCIA.ES
_kerberos._udp.DCA.CCUL.JUNTA-ANDALUCIA.ES has SRV record 0 100 88 gades.dca.ccul.junta-andalucia.es.
_kerberos._udp.DCA.CCUL.JUNTA-ANDALUCIA.ES has SRV record 0 100 88 tartesos.dca.ccul.junta-andalucia.es.

4. $ host -t SRV _kerberos._tcp.dc._msdcs.DCA.CCUL.JUNTA-ANDALUCIA.ES
_kerberos._tcp.dc._msdcs.DCA.CCUL.JUNTA-ANDALUCIA.ES has SRV record 0 100 88 tartesos.dca.ccul.junta-andalucia.es.
_kerberos._tcp.dc._msdcs.DCA.CCUL.JUNTA-ANDALUCIA.ES has SRV record 0 100 88 hercules.dca.ccul.junta-andalucia.es.
_kerberos._tcp.dc._msdcs.DCA.CCUL.JUNTA-ANDALUCIA.ES has SRV record 0 100 88 gades.dca.ccul.junta-andalucia.es.

5. $ kinit juanj.marin.JUNTA-ANDALUCIA.ES
Password for juanj.marin.JUNTA-ANDALUCIA.ES:

6. $ ldapwhoami -v -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI
ldap_initialize( ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES:389/??base )
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
	additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece

$ klist -e
Ticket cache: DIR::/run/user/1000/krb5cc_a7141926b82971a9383e29c4512e05fb/tktATQTvs
Default principal: juanj.marin.JUNTA-ANDALUCIA.ES

Valid starting     Expires            Service principal
02/27/13 15:07:37  02/28/13 01:07:37  krbtgt/DCA.CCUL.JUNTA-ANDALUCIA.ES.JUNTA-ANDALUCIA.ES
	renew until 03/06/13 15:07:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
02/27/13 15:08:18  02/28/13 01:07:37  ldap/tartesos.dca.ccul.junta-andalucia.es@
	renew until 03/06/13 15:07:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
02/27/13 15:08:18  02/28/13 01:07:37  ldap/tartesos.dca.ccul.junta-andalucia.es.JUNTA-ANDALUCIA.ES
	renew until 03/06/13 15:07:32, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
Juanjo, please, can you try regular ldapsearch instead of ldapwhoami?
Can you please tell the specific command you want me to try?
Yes, I can. Try this: ldapsearch -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI -b "" -s base +
This is the output from this command:

$ ldapsearch -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI -b "" -s base +
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
Juanjo, shot in the dark: What happens when you add this to your krb5.conf file?

[libdefaults]
 rdns = true

Additionally what happens when you remove your krb5.conf file?
1) change file /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 rdns = true
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
# default_realm = EXAMPLE.COM

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

2) $ ldapwhoami -v -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI
ldap_initialize( ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES:389/??base )
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
	additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece

3) $ ldapsearch -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI -b "" -s base +
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

--------------------

1) $ sudo mv /etc/krb5.conf /etc/krb5.conf.bk

2) $ ldapwhoami -v -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI
ldap_initialize( ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES:389/??base )
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
	additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece

3) $ ldapsearch -H ldap://DCA.CCUL.JUNTA-ANDALUCIA.ES -Y GSSAPI -b "" -s base +
SASL/GSSAPI authentication started
SASL username: juanj.marin.JUNTA-ANDALUCIA.ES
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
That's what I thought. As you can see, the authentication was successful. Your configuration on Linux side is correct. But your version of AD server doesn't support whoami extended operation, therefore you are receiving the error. Closing this report as NOTABUG.
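The diagnosis in the closing comment can be checked before trusting ldapwhoami: a server advertises the extended operations it implements in the rootDSE attribute supportedExtension, and the "Who am I?" operation that ldapwhoami sends is OID 1.3.6.1.4.1.4203.1.11.3 (RFC 4532). The script below is an added example, not code from this report or from OpenLDAP; the rootDSE LDIF in it is constructed, and the attributes are requested by name because AD does not expand "+" into operational attributes (which matches the empty entry the ldapsearch above returned).

```python
# RFC 4532 "Who am I?" extended operation; ldapwhoami sends exactly this OID.
WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"

# Constructed rootDSE reply in the shape of the report's ldapsearch output (attributes
# requested by name, since AD ignores "+"): StartTLS and AD fast bind, no WhoAmI.
SAMPLE_ROOTDSE = """\
# requesting: supportedExtension supportedSASLMechanisms
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.2.840.113556.1.4.1781
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO

# search result
search: 2
result: 0 Success
"""

# Tail of the failing ldapwhoami session quoted in the report.
SAMPLE_WHOAMI_OUTPUT = """\
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
        additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
"""

def parse_first_entry(ldif: str) -> dict:
    """{attr: [values]} for the first LDIF entry (the block holding 'dn:');
    '#' comments are skipped and the 'search:/result:' trailer is not an entry."""
    for block in ldif.split("\n\n"):
        lines = [l for l in block.splitlines() if l.strip() and not l.startswith("#")]
        if not any(l.startswith("dn:") for l in lines):
            continue
        attrs: dict = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name, []).append(value.strip())
        return attrs
    return {}

def supports_whoami(rootdse: dict) -> bool:
    """True only if the server advertises the WhoAmI extop in supportedExtension."""
    return WHOAMI_OID in rootdse.get("supportedExtension", [])

def classify_whoami_output(output: str) -> str:
    """Tell 'bind failed' apart from 'bound, but the extop is not implemented'."""
    if "SASL data security layer installed" not in output:
        return "bind failed"
    if "Unknown extended request OID" in output:
        return "bound ok, whoami extop unsupported"
    return "bound ok"
```

Against a real server, feed parse_first_entry the output of ldapsearch -b "" -s base supportedExtension; a missing WhoAmI OID means the Protocol error above is expected and says nothing about the Kerberos setup.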