Can't query AD using Kerberos from Linux host


Solution 1

I've found that specifying "-O maxssf=0" on the ldapsearch command line is necessary in order for GSSAPI AD searches to work properly. The following command works for me to search the AD global catalog via an SSL connection:

ldapsearch -LLL -O maxssf=0 -Y GSSAPI -H ldaps://ad.realm.local:3269 -b "dc=realm,dc=local" '(sAMAccountName=userid)'

Also, in order for Kerberos authentication to work with ldapsearch, DNS must be properly configured for reverse IP lookups. If not, you'll get a "cannot determine realm for numeric host address" error. If necessary, you can put the IP and hostname of your AD server in your hosts file to get it working.

Solution 2

From the ldapsearch(1) manpage:

-Y mech
Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows. 

For example:

ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=user

Assuming your /etc/gssapi_mech.conf looks something like:

# grep -v ^# /etc/gssapi_mech.conf
libgssapi_krb5.so.2             mechglue_internal_krb5_init
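An added example, not code from either answer or from OpenLDAP: a small POSIX sh wrapper around the GSSAPI ldapsearch invocation from Solution 1 (explicit -Y GSSAPI as in Solution 2, plus -O maxssf=0), together with a triage function that maps the two diagnostic strings quoted on this page to the cause and the remedy the answers and comments give. It assumes MIT Kerberos (for klist -s), OpenLDAP's ldapsearch, and placeholder AD_URI/AD_BASE values taken from Solution 1 that you replace with your own; the sample output it triages is constructed, not captured from a real domain controller.

```shell
#!/bin/sh
# Added example, not from the original answers or comments. Wraps the GSSAPI
# ldapsearch call from Solution 1 and triages the two diagnostic strings
# quoted on this page. Assumptions: MIT Kerberos (klist -s), OpenLDAP
# ldapsearch, and AD_URI/AD_BASE placeholders you replace with your own.

AD_URI="${AD_URI:-ldaps://ad.realm.local:3269}"   # placeholder host from Solution 1
AD_BASE="${AD_BASE:-dc=realm,dc=local}"

# Query AD with Kerberos. Refuses to run without a ticket, because a GSSAPI
# bind can only use what is already in the credential cache.
ad_search() {
    if ! klist -s 2>/dev/null; then
        echo "no valid Kerberos ticket in the cache; run kinit <user>@<REALM> first" >&2
        return 2
    fi
    # -Y GSSAPI selects the mechanism explicitly (Solution 2); -O maxssf=0 is
    # the setting Solution 1 needed (see the last comment for a caveat).
    ldapsearch -LLL -O maxssf=0 -Y GSSAPI -H "$AD_URI" -b "$AD_BASE" "$@"
}

# Map one line of ldapsearch/AD output to "cause|fix suggested on this page".
# Prints the mapping and returns 0 when the line is recognised, 1 otherwise.
classify_ldap_error() {
    case "$1" in
        *"etermine realm for numeric host address"*)
            echo "krb5 could not map the server address to a realm|use the DC hostname in -H (add it to /etc/hosts if DNS is incomplete), or set rdns = false under [libdefaults] in krb5.conf"
            ;;
        *000004DC*|*"successful bind must be completed"*)
            echo "AD treated the search as unauthenticated: no bind completed|check with klist which principal holds the ticket and retry with an explicit -Y GSSAPI; if only another principal works, suspect AD-side restrictions"
            ;;
        *)
            return 1
            ;;
    esac
}

# Constructed sample output (not captured from a real DC) so the triage runs
# offline. Two lines are the failures quoted on this page, one is a clean result.
SAMPLE_OUTPUT='ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure (Cannot determine realm for numeric host address)
text: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
Result: Success (0)'

# Run the classifier over every line of $1 (default: the sample), print each
# diagnosis on stderr and the number of recognised lines on stdout.
triage_output() {
    input="${1:-$SAMPLE_OUTPUT}"
    hits=0
    while IFS= read -r line; do
        if diag=$(classify_ldap_error "$line"); then
            hits=$((hits + 1))
            echo "cause: ${diag%%|*}" >&2
            echo "  fix: ${diag#*|}" >&2
        fi
    done <<EOF
$input
EOF
    echo "$hits"
}

triage_output >/dev/null   # run directly: two diagnoses on stderr
```

In practice you would pipe a failing run into the triage, for example `ad_search '(sAMAccountName=userid)' 2>&1 | { triage_output "$(cat)"; }`, and act on the printed fix before touching maxssf or reverse DNS blindly.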
Author: No One in Particular

Updated on September 18, 2022

Comments

  • No One in Particular
    No One in Particular over 1 year

    ldapsearch -H <URL> -b <BASE> -s sub -D <USER> -x -w <PW>

    works fine

    kinit <USER>@<REALM>
    ldapsearch -H <URL> -b <BASE> -s sub

    fails with:

    text: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

    kinit Administrator@<REALM>
    ldapsearch -H <URL> -b <BASE> -s sub

    works fine also

    The usual googling hasn't revealed anything of interest. (There are the usual comments regarding time skew and using a userPrincipalName vs. component name for -D, but that should be taken care of when using kinit.)

    Any ideas?

  • No One in Particular
    No One in Particular over 10 years
    Why would the Administrator search work, but not the user search? They are both coming from the same box. It seems to me that the underlying GSSAPI mechanism would be the same in both cases.
  • dawud
    dawud over 10 years
    I don't know the restrictions that might be in place with regards to querying the AD, you might want to contact the system administrator to find out.
  • No One in Particular
    No One in Particular over 10 years
    Administrator working tells me that Kerberos and DNS is configured correctly.
  • Brian Showalter
    Brian Showalter over 10 years
    OK, what platform are you running ldapsearch on? And what's in your /etc/ldap/ldap.conf file (or its equivalent)?
  • Michael-O
    Michael-O about 8 years
    @BrianShowalter -O maxssf=0 does not work these days because SASL would violate 4752 which Microsoft does. See this bug and my explanation to it. Additionally, forget about reverse DNS, Active Directory does not care about reverse DNS as well as Microsoft's Kerberos implementation. Everyone is advised to use rdns = false in his krb5.conf.