ldap/ip_address instead of ldap/fqdn in Kerberos TGS-REQ

Issue

For some reason, when using a Kerberos ticket to authenticate to an LDAP server in another domain, the fully qualified domain name (dc01.domain_b.net) was *automatically* replaced by the IP address in the TGS-REQ.

From WireShark:

> Server Name (Unknown): ldap/192.168.1.70

It should be:

> Server Name (Unknown): ldap/dc01.domain_b.net

This causes the ‘Server not found in Kerberos database’ error:

> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

Cause

The JNDI LDAP service provider client sets the SPN to ldap/ip_address if the PTR record for the IP address resolves to a non-existent server name that cannot be corroborated with an “A” record in DNS. This is part of Kerberos canonicalization. You have to ensure that your PTR records and A records align in DNS.

Fix

Add a PTR record for dc01.domain_b.net on the current domain's DNS server so that the reverse lookup succeeds.

Before:

>nslookup 192.168.1.70
Server:  dc01.domain_a.net
Address:  10.10.11.22
 
*** dc01.domain_a.net can't find 192.168.1.70: Non-existent domain

After:

>nslookup 10.22.220.70
Server:  dc01.domain_a.net
Address:  10.10.11.22
 
Name:    dc01.domain_b.net
Address:  192.168.1.70
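As an added example (not part of the original post), the Python model below reproduces the canonicalization described under Cause and the Fix above: the SPN comes out as ldap/192.168.1.70 while no PTR record exists (or while the PTR points at a name with no matching A record) and as ldap/dc01.domain_b.net once the PTR is added. The DNS tables are constructed for the demo; the live_a_lookup and live_ptr_lookup helpers are hypothetical names for running the same check against a real resolver.

```python
import socket

# Constructed DNS data mirroring the post: dc01.domain_b.net is 192.168.1.70;
# the PTR record for that address is what the fix adds.
FORWARD_RECORDS = {"dc01.domain_b.net": "192.168.1.70"}
REVERSE_BEFORE = {}                                        # no PTR at all
REVERSE_STALE = {"192.168.1.70": "old-dc.domain_b.net"}    # PTR -> name with no A record
REVERSE_AFTER = {"192.168.1.70": "dc01.domain_b.net"}      # PTR added by the fix


def canonical_host(host, a_lookup, ptr_lookup):
    """Resolve host to an IP, reverse-resolve the IP, and trust the PTR name
    only if its own A record points back at the same IP; otherwise fall back
    to the bare IP (the behaviour java.net.InetAddress.getCanonicalHostName
    shows, and the reason the TGS-REQ carried ldap/192.168.1.70)."""
    ip = a_lookup(host)
    if ip is None:
        raise ValueError(f"no A record for {host}")
    ptr_name = ptr_lookup(ip)
    if ptr_name is not None and a_lookup(ptr_name) == ip:
        return ptr_name
    return ip  # PTR missing or not corroborated by an A record


def ldap_spn(host, a_lookup, ptr_lookup):
    """SPN the JNDI LDAP client would put in the TGS-REQ for this host."""
    return "ldap/" + canonical_host(host, a_lookup, ptr_lookup)


def check_dns_alignment(host, a_lookup, ptr_lookup):
    """(ok, message) for an admin to check before enabling Kerberos to LDAP."""
    spn = ldap_spn(host, a_lookup, ptr_lookup)
    if spn == "ldap/" + host:
        return True, f"{spn}: PTR and A records align"
    return False, (f"{spn}: would fail with 'Server not found in Kerberos "
                   f"database'; add or fix the PTR record for {a_lookup(host)}")


def live_a_lookup(name):        # hypothetical helper: real forward lookup
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_ptr_lookup(ip):        # hypothetical helper: real reverse lookup
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    for label, rev in (("before", REVERSE_BEFORE), ("stale", REVERSE_STALE), ("after", REVERSE_AFTER)):
        print(label, check_dns_alignment("dc01.domain_b.net", FORWARD_RECORDS.get, rev.get))
```

Swap in live_a_lookup and live_ptr_lookup to run the same alignment check against the domain's real DNS before rolling out Kerberos authentication to the LDAP server.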

Misc

Java 7 seems to have resolved this issue?
