Can't query AD using Kerberos from Linux host
Solution 1
I've found that specifying "-O maxssf=0" on the ldapsearch command line is necessary in order for GSSAPI AD searches to work properly. The following command works for me to search the AD global catalog via an SSL connection:
ldapsearch -LLL -O maxssf=0 -Y GSSAPI -H ldaps://ad.realm.local:3269 -b "dc=realm,dc=local" '(sAMAccountName=userid)'
Also, in order for Kerberos authentication to work with ldapsearch, DNS must be properly configured for reverse IP lookups. If not, you'll get a "cannot determine realm for numeric host address" error. If necessary, you can put the IP and hostname of your AD server in your hosts file to get it working.
Solution 2
From the ldapsearch(1) manpage:
-Y mech
Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
For example:
ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=user
Assuming your /etc/gssapi_mech.conf looks something like:
# grep -v ^# /etc/gssapi_mech.conf
libgssapi_krb5.so.2 mechglue_internal_krb5_init
No One in Particular
Updated on September 18, 2022
Comments
-
No One in Particular over 1 year
ldapsearch -H <URL> -b <BASE> -s sub -D <USER> -x -w <PW>
works fine
kinit <USER>@<REALM>
ldapsearch -H <URL> -b <BASE> -s sub
fails with:
text: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
kinit Administrator@<REALM>
ldapsearch -H <URL> -b <BASE> -s sub
works fine also
The usual googling hasn't revealed anything of interest. (There are the usual comments regarding time skew and using a userPrincipalName vs component name for -D, but that should be taken care of when using kinit.) Any ideas?
-
No One in Particular over 10 years
Why would the Administrator search work, but not the user search? They are both coming from the same box. It seems to me that the underlying GSSAPI mechanism would be the same in both cases.
-
dawud over 10 years
I don't know the restrictions that might be in place with regards to querying the AD, you might want to contact the system administrator to find out.
-
No One in Particular over 10 years
Administrator working tells me that Kerberos and DNS is configured correctly.
-
Brian Showalter over 10 years
OK, what platform are you running ldapsearch on? And what's in your /etc/ldap/ldap.conf file (or its equivalent)?
-
Michael-O about 8 years
@BrianShowalter -O maxssf=0 does not work these days because SASL would violate 4752 which Microsoft does. See this bug and my explanation to it. Additionally, forget about reverse DNS, Active Directory does not care about reverse DNS as well as Microsoft's Kerberos implementation. Everyone is advised to use rdns = false in his krb5.conf.
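The wrapper below is an added example, not code from either answer or from any commenter. It ties the page's pieces together: it refuses to run without a ticket cache, runs the GSSAPI search from Solution 1 with the SASL options passed through (so "-O maxssf=0" can be given or left out, given Michael-O's objection to it), classifies the failure strings that appear on this page (the 000004DC "successful bind must be completed" text, the "cannot determine realm for numeric host address" reverse-DNS error) together with the usual MIT krb5 and cyrus-sasl messages for a missing mechanism, clock skew and a missing ticket, and includes a preflight check for the rdns = false advice from the comments. The DC name, base DN and filter are placeholders; the sample error lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original answers): preflight and triage for
# GSSAPI ldapsearch against Active Directory. Hostnames, DNs and filters are
# placeholders.

# Classify captured stderr into one of the failure modes discussed on the page.
# Matching is case-insensitive; the specific patterns come first because the
# reverse-DNS and no-ticket messages are wrapped in the generic
# "Unspecified GSS failure" text and would otherwise be swallowed by it.
classify_ldap_error() {
  lowered=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$lowered" in
    *"cannot determine realm for numeric host address"*) echo reverse-dns ;;
    *"successful bind must be completed"*)               echo unauthenticated-bind ;;
    *"no worthy mechs found"*|*"no mechanism available"*) echo no-gssapi-mech ;;
    *"clock skew too great"*)                            echo clock-skew ;;
    *"no kerberos credentials available"*|*"no credentials cache"*|*"ticket expired"*)
                                                         echo no-ticket ;;
    *"sasl(-1): generic failure"*|*"unspecified gss failure"*) echo gssapi-generic ;;
    *)                                                   echo unknown ;;
  esac
}

# Human-readable next step for each class (what the answers and comments advise).
remediation_for() {
  case "$1" in
    reverse-dns)          echo "Kerberos tried to canonicalise the DC by PTR lookup: set rdns = false under [libdefaults] in krb5.conf, or add the DC's name to /etc/hosts, and pass the DC's hostname (not its IP) to -H." ;;
    unauthenticated-bind) echo "AD treated the search as unbound: the GSSAPI bind did not complete. Confirm klist shows a TGT for this account, that -Y GSSAPI is given, and try with and without -O maxssf=0 on ldaps://." ;;
    no-gssapi-mech)       echo "cyrus-sasl has no GSSAPI plugin, or /etc/gssapi_mech.conf does not list libgssapi_krb5 (Solution 2)." ;;
    clock-skew)           echo "Host clock is outside the Kerberos tolerance; sync time against the DC." ;;
    no-ticket)            echo "No usable TGT in the credential cache; run kinit user@REALM (realm in upper case) and retry." ;;
    gssapi-generic)       echo "GSS failure without a recognised cause; rerun with KRB5_TRACE=/dev/stderr for the library's own trace." ;;
    *)                    echo "Unrecognised error; inspect stderr manually." ;;
  esac
}

# Preflight for the rdns = false advice in the comments: succeed only if the
# given krb5.conf disables reverse-DNS canonicalisation inside [libdefaults].
krb5_rdns_disabled() {
  awk '
    /^[[:space:]]*\[/ { in_lib = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
    in_lib {
      line = tolower($0); sub(/#.*/, "", line)
      if (line ~ /^[[:space:]]*rdns[[:space:]]*=[[:space:]]*false[[:space:]]*$/) found = 1
    }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Run the search and triage a failure.
# $1 DC hostname (use the name, never the IP), $2 base DN, $3 filter,
# $4 optional extra ldapsearch options, e.g. "-O maxssf=0" (word-split on purpose).
run_gssapi_search() {
  klist -s 2>/dev/null || { echo "no Kerberos ticket cache: run kinit user@REALM first" >&2; return 2; }
  errfile=$(mktemp)
  # shellcheck disable=SC2086
  if ldapsearch -LLL -Y GSSAPI $4 -H "ldaps://$1:3269" -b "$2" "$3" 2>"$errfile"; then
    rm -f "$errfile"
    return 0
  fi
  kind=$(classify_ldap_error "$(cat "$errfile")")
  echo "ldapsearch failed ($kind): $(remediation_for "$kind")" >&2
  cat "$errfile" >&2
  rm -f "$errfile"
  return 1
}

# Usage (only executed when invoked with "run"):
#   sh gssapi-ldap.sh run dc01.realm.local "dc=realm,dc=local" "(sAMAccountName=userid)" "-O maxssf=0"
case "${1-}" in
  run) shift; run_gssapi_search "$@" ;;
esac
```

The classifier is deliberately ordered: AD's 000004DC text and the numeric-realm message are matched before the catch-all "Unspecified GSS failure" so the operator sees the specific cause. Running the krb5.conf check before kinit catches the reverse-DNS problem before the first failed bind.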