Univention Bugzilla – Full Text Bug Listing

Summary: | Kerberos based authentication for LDAP queries not working with non-Samba-AD-DCs | |
---|---|---|---
Product: | UCS | Reporter: | Michael Grandjean <grandjean>
Component: | S4 Connector | Assignee: | Samba maintainers <samba-maintainers>
Status: | RESOLVED WONTFIX | QA Contact: |
Severity: | normal | |
Priority: | P5 | CC: | andree.hingst, C.Herrmann, gohmann, hahn, requate, stephan.hendl
Version: | UCS 4.0 | |
Target Milestone: | --- | |
Hardware: | Other | |
OS: | Linux | |
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=45904 | |
What kind of report is it?: | Bug Report | What type of bug is this?: | 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 1: Nuisance – not a big deal but noticeable
User Pain: | 0.017 | Enterprise Customer affected?: | Yes
School Customer affected?: | | ISV affected?: |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: |
Ticket number: | 2015100821000515, 2018010221000341 | Bug group (optional): |
Max CVSS v3 score: | | |
Description
Michael Grandjean
2015-10-13 21:21:12 CEST

see also 2015100821000515

I guess it is a duplicate of Bug #32079.

*** This bug has been marked as a duplicate of bug 32079 ***

Changing Component tag to S4-Connector, because we would need to adjust the S4-Connector to sync non-Samba-UCS-DCs as simple Windows member servers into the Samba/AD LDAP to fix this.

```sh
# udm kerberos/kdcentry list | sed -ne '/ldap/s/^DN: //p'
krb5PrincipalName=ldap/ma43.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
krb5PrincipalName=ldap/sla33.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
# kinit Administrator
# ldapwhoami -Y GSSAPI -H ldap://ma43.phahn.qa:7389
dn:uid=administrator,cn=users,dc=phahn,dc=qa
# klist
Apr 21 09:49:28 2018  Apr 21 19:45:05 2018  ldap/ma43.phahn.qa@
Apr 21 09:49:28 2018  Apr 21 19:45:05 2018  ldap/ma43.phahn.qa@PHAHN.QA
# ldapwhoami -Y GSSAPI -H ldap://sla33.phahn.qa:7389
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
# klist
```

This issue also is a blocker for setting up NFS with Kerberos in S4 environments: <https://help.univention.com/t/nfs4-export/3127/11>. The work-around is to create SPN entries manually in S4 using samba-tool on the command-line; see the linked thread for details.

This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016. Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
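The failure in the transcript above ("Server not found in Kerberos database") is the Samba/AD KDC, which issued the TGT after `kinit Administrator`, having no account that carries the service principal `ldap/sla33.phahn.qa`, so it cannot issue a service ticket for the non-Samba DC. The manual work-around mentioned in the thread is to register the missing SPNs with samba-tool. The script below is an added example (not code from the bug report, the linked thread, or Univention): it compares the `ldap/` principals known to the UCS Kerberos database with the `servicePrincipalName` values present in Samba/AD and prints the `samba-tool spn add` commands that would close the gap. The two inputs are constructed samples standing in for `udm kerberos/kdcentry list` output and an LDIF `ldapsearch` result; the mapping of a host to a computer account named `<shorthost>$` is an assumption.

```sh
#!/bin/sh
# Added example, not part of the bug report or of UCS/Univention code.
# Finds UCS LDAP service principals that Samba/AD does not know about and
# prints the samba-tool commands that would register them.

# Constructed sample standing in for `udm kerberos/kdcentry list` on UCS.
# Only the DN line matters for the parsing below.
UDM_KDCENTRIES='DN: krb5PrincipalName=ldap/ma43.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
  krb5PrincipalName: ldap/ma43.phahn.qa@PHAHN.QA

DN: krb5PrincipalName=ldap/sla33.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
  krb5PrincipalName: ldap/sla33.phahn.qa@PHAHN.QA

DN: krb5PrincipalName=host/sla33.phahn.qa@PHAHN.QA,cn=kerberos,dc=phahn,dc=qa
  krb5PrincipalName: host/sla33.phahn.qa@PHAHN.QA
'

# Constructed sample standing in for the LDIF returned by an ldapsearch such as
#   ldapsearch -LLL -Y GSSAPI -b DC=phahn,DC=qa "(servicePrincipalName=ldap/*)" servicePrincipalName
# against the Samba/AD LDAP. Only the Samba DC (ma43) carries an ldap/ SPN.
SAMBA_SPNS='dn: CN=MA43,OU=Domain Controllers,DC=phahn,DC=qa
servicePrincipalName: HOST/ma43.phahn.qa
servicePrincipalName: ldap/ma43.phahn.qa
servicePrincipalName: ldap/ma43.phahn.qa/phahn.qa
'

# ldap/<fqdn> principals from the UCS KDC entries (realm and DN suffix stripped).
ucs_ldap_principals() {
    printf '%s\n' "$UDM_KDCENTRIES" \
      | sed -ne 's/^DN: krb5PrincipalName=\(ldap\/[^@,]*\)@.*$/\1/p'
}

# All servicePrincipalName values present in the Samba/AD LDIF.
samba_spns() {
    printf '%s\n' "$SAMBA_SPNS" | sed -ne 's/^servicePrincipalName: //p'
}

# Exit 0 if the SPN is registered in Samba/AD. SPN matching in AD is
# case-insensitive, hence grep -i; -x -F forces a whole-line literal match.
spn_in_samba() {
    samba_spns | grep -qixF -- "$1"
}

# UCS ldap/ principals the Samba KDC cannot issue tickets for.
missing_spns() {
    ucs_ldap_principals | while IFS= read -r spn; do
        spn_in_samba "$spn" || printf '%s\n' "$spn"
    done
}

# Print one samba-tool command per missing SPN.
# Assumption: the host's computer account in Samba/AD is named <shorthost>$.
spn_add_commands() {
    missing_spns | while IFS= read -r spn; do
        fqdn=${spn#ldap/}
        short=${fqdn%%.*}
        printf "samba-tool spn add '%s' '%s\$'\n" "$spn" "$short"
    done
}

# Stand-alone run: show what would be registered.
spn_add_commands
```

Registering the SPN only tells the Samba KDC which account key to encrypt the service ticket with; the LDAP service on that host must also hold that account's key in its keytab, otherwise the client receives a ticket the server cannot decrypt and the bind still fails. Re-check with `ldapwhoami -Y GSSAPI -H ldap://<host>:7389` after the change, as in the transcript above.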