{"id":7722,"date":"2013-05-25T11:33:06","date_gmt":"2013-05-25T16:33:06","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=7722"},"modified":"2013-07-06T11:07:15","modified_gmt":"2013-07-06T16:07:15","slug":"ldapip_address-instead-of-ldapfqdn-in-kerberos-tgs-req","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=7722","title":{"rendered":"ldap\/ip_address instead of ldap\/fqdn in Kerberos TGS-REQ"},"content":{"rendered":"<div class='toc wptoc'>\n<h2>Contents<\/h2>\n<ol class='toc-odd level-1'>\n\t<li>\n\t\t<a href=\"#Issue\">Issue<\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Cause\">Cause<\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Fix\">Fix<\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Misc\">Misc<\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#References\">References<\/a>\n\t<\/li>\n<\/ol>\n<\/div>\n<div class='wptoc-end'>&nbsp;<\/div>\n<span id=\"Issue\"><h2>Issue<\/h2><\/span>\n<p>For some reason, when using a Kerberos ticket to authenticate to an LDAP server in another domain, the fully qualified domain name (dc01.domain_b.net) was changed *automatically* to the IP address in the TGS-REQ.<\/p>\n<p>From WireShark:<\/p>\n<p>> Server Name (Unknown): ldap\/192.168.1.70<\/p>\n<p>It should be:<\/p>\n<p>> Server Name (Unknown): ldap\/dc01.domain_b.net<\/p>\n<p>This causes the &#8216;Server not found in Kerberos database&#8217; error:<\/p>\n<p>> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))<\/p>\n<span id=\"Cause\"><h2>Cause<\/h2><\/span>\n<p>The JNDI LDAP service provider client sets the SPN to ldap\/ip_address if the PTR record for the IP address resolves to a non-existent server name, one that cannot be corroborated with an &#8220;A&#8221; record in DNS. This is part of Kerberos canonicalization. 
You have to ensure that your PTR records and A records align in DNS.<\/p>\n<span id=\"Fix\"><h2>Fix<\/h2><\/span>\n<p>Add a <strong>PTR record<\/strong> for <em>dc01.domain_b.net<\/em> on the <strong>current<\/strong> domain's name server so that the reverse lookup succeeds.<\/p>\n<p>Before:<\/p>\n<pre lang=\"bash\">\r\n>nslookup 192.168.1.70\r\nServer:  dc01.domain_a.net\r\nAddress:  10.10.11.22\r\n\r\n*** dc01.domain_a.net can't find 192.168.1.70: Non-existent domain\r\n<\/pre>\n<p>After:<\/p>\n<pre lang=\"bash\">\r\n>nslookup 10.22.220.70\r\nServer:  dc01.domain_a.net\r\nAddress:  10.10.11.22\r\n\r\nName:    dc01.domain_b.net\r\nAddress:  192.168.1.70\r\n<\/pre>\n<span id=\"Misc\"><h2>Misc<\/h2><\/span>\n<p>Java 7 seems to have resolved this issue?<\/p>\n<span id=\"References\"><h2>References<\/h2><\/span>\n<p><a href=\"https:\/\/forums.oracle.com\/forums\/thread.jspa?messageID=4694706\">https:\/\/forums.oracle.com\/forums\/thread.jspa?messageID=4694706<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Issue For some reason, when using a Kerberos ticket to authenticate to an LDAP server in another domain, the fully qualified domain name (dc01.domain_b.net) was changed *automatically* to the IP address in the TGS-REQ. 
From WireShark: > Server Name (Unknown): ldap\/192.168.1.70 It should be: &hellip; <a href=\"https:\/\/jianmingli.com\/wp\/?p=7722\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[287,34],"tags":[628,566],"class_list":["post-7722","post","type-post","status-publish","format-standard","hentry","category-kerberos","category-ldap","tag-kerberos","tag-ldap"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-20y","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/7722","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7722"}],"version-history":[{"count":7,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=
\/wp\/v2\/posts\/7722\/revisions"}],"predecessor-version":[{"id":7755,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/7722\/revisions\/7755"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7722"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7722"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7722"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}