Univention Bugzilla – Bug 39522
Kerberos based authentication for LDAP queries not working with non-Samba-AD-DCs
Last modified: 2019-01-03 07:17:25 CET
Currently it's not possible to search the LDAP directory of a UCS Domaincontroller that is not a Samba AD DC (if there are other UCS Samba AD DCs present in the domain) using a valid Kerberos ticket.

Setup:
- 1x DC Master as Samba AD DC
- 1x DC Slave without Samba AD (e.g. Groupware)

On the DC Slave execute the following as a domain user:
> michael@ucssl03:~$ kinit
> michael@ucssl03:~$ ldapsearch uid=$USER dn -LLL

Observed behaviour:
> michael@ucssl03:~$ ldapsearch uid=$USER dn -LLL
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/ucssl03.mgrandje.local@MGRANDJE.LOCAL) not found)

Expected behaviour:
> michael@ucssl03:~$ ldapsearch uid=$USER dn -LLL
> SASL/GSSAPI authentication started
> SASL username: michael@MGRANDJE.LOCAL
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=michael,cn=users,dc=mgrandje,dc=local

Additional information:

This is working if:
- the queried LDAP server is also a Samba AD DC
- the queried LDAP server is not a Samba AD DC and there is no Samba AD DC at all in the domain

This is failing if:
- the queried LDAP server is not a Samba AD DC but there is at least one Samba AD DC in the domain
see also 2015100821000515
I guess it is a duplicate of Bug #32079.

*** This bug has been marked as a duplicate of bug 32079 ***
Changing Component tag to S4-Connector, because we would need to adjust the S4-Connector to sync non-Samba-UCS-DCs as simple Windows Memberservers into the Samba/AD LDAP to fix this.
# udm kerberos/kdcentry list | sed -ne '/ldap/s/^DN: //p'
krb5PrincipalName=ldap/ma43.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
krb5PrincipalName=ldap/sla33.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
# kinit Administrator
# ldapwhoami -Y GSSAPI -H ldap://ma43.phahn.qa:7389
dn:uid=administrator,cn=users,dc=phahn,dc=qa
# klist
Apr 21 09:49:28 2018  Apr 21 19:45:05 2018  ldap/ma43.phahn.qa@
Apr 21 09:49:28 2018  Apr 21 19:45:05 2018  ldap/ma43.phahn.qa@PHAHN.QA
# ldapwhoami -Y GSSAPI -H ldap://sla33.phahn.qa:7389
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
# klist
-

This issue also is a blocker for setting up NFS with Kerberos in S4 environments: <https://help.univention.com/t/nfs4-export/3127/11>

The work-around is to create SPN entries manually in S4 using samba-tool on the command-line - see the linked thread for details.
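The following script is an added example; it is not part of the bug report, of UCS or of Samba. It encodes the three cases listed in the report (whether the KDC that issued the user's ticket knows the ldap/<fqdn> SPN of the queried LDAP server) and the samba-tool workaround named in the comment above. Host names and the realm follow the comment (ma43.phahn.qa, sla33.phahn.qa, PHAHN.QA); the sam.ldb path, the Samba AD account the SPN is attached to, and the scratch keytab path are assumptions, not values taken from the bug.

```shell
#!/bin/sh
# Added example (not from the bug report, UCS or Samba).
# In a domain with a Samba AD DC the user's kinit goes to the Samba KDC, so a
# GSSAPI bind to ldap://<fqdn> succeeds only if Samba AD carries the SPN
# ldap/<fqdn>. Without any Samba AD DC the UCS (OpenLDAP-backed) KDC is
# authoritative, and udm kerberos/kdcentry shows what it knows.

# SPN that a GSSAPI bind to an LDAP server requests from the KDC.
ldap_spn() {   # $1 = fqdn of the LDAP server, $2 = Kerberos realm
    printf 'ldap/%s@%s' "$1" "$2"
}

# True if $1 (e.g. ldap/sla33.phahn.qa) occurs in the principal listing $2.
# Works for the udm DN list (krb5PrincipalName=ldap/...@REALM,...) and for
# ldbsearch output (servicePrincipalName: ldap/... without a realm).
has_principal() {
    printf '%s\n' "$2" | grep -Fq -- "$1"
}

# Decide which case of the report applies.
#   $1 = ldap/<fqdn>   $2 = UCS KDC listing   $3 = Samba AD SPN listing
#   $4 = "samba" if the domain has at least one Samba AD DC, else "none"
# Prints one of: ok | missing-in-samba-ad | missing-in-ucs-kdc
spn_verdict() {
    spn=$1; ucs=$2; samba=$3; mode=$4
    if [ "$mode" = samba ]; then
        # Tickets come from the Samba AD KDC, so only its view counts here.
        if has_principal "$spn" "$samba"; then echo ok; else echo missing-in-samba-ad; fi
    else
        # No Samba AD DC anywhere: the UCS KDC must know the principal.
        if has_principal "$spn" "$ucs"; then echo ok; else echo missing-in-ucs-kdc; fi
    fi
}

# Live check, to be run on a UCS Samba AD DC (has both udm and sam.ldb).
# ASSUMPTION: sam.ldb lives at the default Samba location.
SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}
check_ldap_server() {   # $1 = fqdn of the LDAP server you want to bind to
    spn="ldap/$1"
    ucs_list=$(udm kerberos/kdcentry list | sed -ne '/ldap/s/^DN: //p')
    if [ -r "$SAM_LDB" ]; then
        samba_list=$(ldbsearch -H "$SAM_LDB" "(servicePrincipalName=$spn)" servicePrincipalName)
        spn_verdict "$spn" "$ucs_list" "$samba_list" samba
    else
        spn_verdict "$spn" "$ucs_list" "" none
    fi
}

# Workaround from the comment above, run on a Samba AD DC: attach the SPN to
# an account that exists in Samba AD and export a keytab for the slave.
# ASSUMPTIONS: $2 is such an account (create one first if the DC was never
# synced, see the linked thread); /tmp/<fqdn>.keytab is a scratch path. The
# exported key must end up in the keytab the slave's slapd reads, otherwise
# the bind still fails because the KDC and the server hold different keys.
add_ldap_spn() {   # $1 = fqdn of the non-Samba UCS DC, $2 = Samba AD account
    samba-tool spn add "ldap/$1" "$2"
    samba-tool domain exportkeytab "/tmp/$1.keytab" --principal="ldap/$1"
    echo "copy /tmp/$1.keytab to $1 and merge it into the LDAP server's keytab (ktutil)"
}
```

Usage: `check_ldap_server sla33.phahn.qa` on the Samba AD DC prints `missing-in-samba-ad` for the situation in the comment; after `add_ldap_spn sla33.phahn.qa <account>` and installing the keytab on the slave it prints `ok`. The ldbsearch filter is used instead of `samba-tool spn list` because the latter needs to know which account holds the SPN, which is exactly what is unknown when diagnosing.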
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 ended on 31 May 2016. Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.