ldapsearch: Hostname cannot be canonicalized - LDAP + Kerberos

Hello!

I can’t discover what that error means… :confused:
I can ping the host using its FQDN.

# ldapsearch -H ldap://plhqsrldap01 -d 1
ldap_url_parse_ext(ldap://plhqsrldap01)
ldap_create
ldap_url_parse_ext(ldap://plhqsrldap01:389/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP plhqsrldap01:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.50.10.210:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 3
ldap_result ld 0xb78011a0 msgid 1
wait4msg ld 0xb78011a0 msgid 1 (infinite timeout)
wait4msg continue ld 0xb78011a0 msgid 1 all 1
** ld 0xb78011a0 Connections:
* host: plhqsrldap01  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jan 17 02:07:17 2012


** ld 0xb78011a0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb78011a0 request count 1 (abandoned 0)
** ld 0xb78011a0 Response Queue:
   Empty
  ld 0xb78011a0 response count 0
ldap_chkResponseList ld 0xb78011a0 msgid 1 all 1
ldap_chkResponseList returns ld 0xb78011a0 NULL
ldap_int_select
read1msg: ld 0xb78011a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 46 contents:
read1msg: ld 0xb78011a0 msgid 1 message type search-entry
wait4msg continue ld 0xb78011a0 msgid 1 all 1
** ld 0xb78011a0 Connections:
* host: plhqsrldap01  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jan 17 02:07:17 2012


** ld 0xb78011a0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb78011a0 request count 1 (abandoned 0)
** ld 0xb78011a0 Response Queue:
 * msgid 1,  type 100
  ld 0xb78011a0 response count 1
ldap_chkResponseList ld 0xb78011a0 msgid 1 all 1
ldap_chkResponseList returns ld 0xb78011a0 NULL
ldap_int_select
read1msg: ld 0xb78011a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0xb78011a0 msgid 1 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xb78011a0 0 new referrals
read1msg:  mark request completed, ld 0xb78011a0 msgid 1
request done: ld 0xb78011a0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
adding response ld 0xb78011a0 msgid 1 type 101:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind_s: server supports: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_int_sasl_open: host=plhqsrldap01.testit.pl.10.50.10.in-addr.arpa
SASL/GSSAPI authentication started
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Hostname cannot be canonicalized)

On Tue, 17 Jan 2012 00:16:03 +0000, rysic wrote:

> ldap_int_sasl_open: host=plhqsrldap01.testit.pl.10.50.10.in-addr.arpa
> SASL/GSSAPI authentication started
> ldap_err2string
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: An invalid
> name was supplied (Hostname cannot be canonicalized)

It seems that the reverse lookup is failing - do you have an in-addr.arpa
entry (ie a reverse-lookup entry) for the LDAP server?

It may be that the problem is that the hostname used and the reverse
lookup aren’t matching. What happens if you use the full DNS name of the
server instead of just the hostname?

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I tried plhqsrldap01.testit.pl and no difference.

I suppose that you are right about the DNS config. I tested ping and nslookup:


# ping plhqsrldap01
PING plhqsrldap01.testit.pl (10.50.10.210) 56(84) bytes of data.
64 bytes from plhqsrldap01.testit.pl.10.50.10.in-addr.arpa (10.50.10.210): icmp_req=1 ttl=64 time=4.00 ms
^C
--- plhqsrldap01.testit.pl ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.000/4.000/4.000/0.000 ms


# nslookup plhqsrldap01
Server:         10.50.10.101
Address:        10.50.10.101#53

Name:   plhqsrldap01.testit.pl
Address: 10.50.10.210


# nslookup 10.50.10.210
Server:         10.50.10.101
Address:        10.50.10.101#53

210.10.50.10.in-addr.arpa       name = plhqsrldap01.testit.pl.10.50.10.in-addr.arpa.


DNS looks like that:


# cat /var/lib/named/master/10.50.10.in-addr.arpa
$TTL 86400
$ORIGIN 10.50.10.in-addr.arpa.
@       IN      SOA     plhqsrdns01.testit.pl. root.testit.pl. (
        2011230512      ;;      seria
        1200            ;;      refresh
        1200            ;;      retry
        2419200         ;;      expire
        86400           ;;      TTL
)
10.50.10.in-addr.arpa.  IN      NS      plhqsrdns01.testit.pl.
10.50.10.in-addr.arpa.  IN      NS      plhqsrdns02.testit.pl.
170     IN      PTR     plhqsrkrb01.testit.pl.
210     IN      PTR     plhqsrldap01.testit.pl


# cat /var/lib/named/master/testit.pl
$TTL 86400
$ORIGIN testit.pl.
@       IN      SOA     plhqsrdns01.testit.pl. root.testit.pl. (
        2011230506      ;;      seria
        1200            ;;      refresh
        1200            ;;      retry
        2419200         ;;      expire
        86400           ;;      TTL
)
@       IN      NS      plhqsrdns01.testit.pl.
@       IN      NS      plhqsrdns02.testit.pl.
@       IN      MX      10      plhqsrmail01.testit.pl
@       IN      A       10.50.10.101
plhqsrkrb01     IN      A       10.50.10.170
plhqsrldap01    IN      A       10.50.10.210

I think that I must somehow remove that part, plhqsrldap01.testit.pl**.10.50.10.in-addr.arpa.**, from the DNS?
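The debug line `ldap_int_sasl_open: host=plhqsrldap01.testit.pl.10.50.10.in-addr.arpa` is the PTR value the client got back for 10.50.10.210, and that name has no matching A record, so GSSAPI cannot canonicalize it. The following is an added example (not code from the thread or from openSUSE): it applies the BIND master-file rule that a name without a trailing dot is relative to the current `$ORIGIN` to the two zone files posted above (embedded inline as constructed input), then checks each PTR target against the forward zone the way a reverse/forward consistency check would. The `qualify`, `parse_zone` and `check_reverse_forward` names are this example's own.

```python
"""Added example: expand relative names under $ORIGIN and verify that every PTR
target forward-resolves to the same address. Only the one-line record shapes
used in the posted zones are handled; SOA continuation lines are skipped."""

# Constructed input: the reverse zone as posted (PTR for 210 lacks the trailing dot).
REVERSE_ZONE = """\
$TTL 86400
$ORIGIN 10.50.10.in-addr.arpa.
@       IN      SOA     plhqsrdns01.testit.pl. root.testit.pl. (
        2011230512      ;;      serial
        1200            ;;      refresh
        1200            ;;      retry
        2419200         ;;      expire
        86400           ;;      TTL
)
10.50.10.in-addr.arpa.  IN      NS      plhqsrdns01.testit.pl.
170     IN      PTR     plhqsrkrb01.testit.pl.
210     IN      PTR     plhqsrldap01.testit.pl
"""

# Same zone with the missing dot added (the fix the thread arrives at).
REVERSE_ZONE_FIXED = REVERSE_ZONE.replace("plhqsrldap01.testit.pl\n",
                                          "plhqsrldap01.testit.pl.\n")

# Constructed input: the forward zone as posted (MX/NS lines omitted for brevity).
FORWARD_ZONE = """\
$TTL 86400
$ORIGIN testit.pl.
@       IN      A       10.50.10.101
plhqsrkrb01     IN      A       10.50.10.170
plhqsrldap01    IN      A       10.50.10.210
"""


def qualify(name, origin):
    """RFC 1035 master-file rule: a name that does not end in '.' is relative to
    the current $ORIGIN; '@' stands for the origin itself."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"  # origin is already absolute (ends with '.')


def parse_zone(text):
    """Return (owner, type, rdata) tuples with the owner, and the name-valued
    rdata of PTR/NS/CNAME records, fully qualified under the active $ORIGIN."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and other directives: not needed here
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":  # SOA continuation lines, ')'
            continue
        owner, rtype, rdata = parts[0], parts[2], " ".join(parts[3:])
        if rtype in ("PTR", "NS", "CNAME"):
            rdata = qualify(rdata, origin)
        records.append((qualify(owner, origin), rtype, rdata))
    return records


def ptr_to_ip(owner):
    """'210.10.50.10.in-addr.arpa.' -> '10.50.10.210'"""
    labels = owner.rstrip(".").split(".")[:-2]  # strip 'in-addr', 'arpa'
    return ".".join(reversed(labels))


def check_reverse_forward(reverse_text, forward_text):
    """Map each reverse-mapped IP to (PTR target, True if that target has an A
    record with the same IP). A False entry is exactly the mismatch that makes
    GSSAPI hostname canonicalization fail."""
    a_records = {}
    for owner, rtype, rdata in parse_zone(forward_text):
        if rtype == "A":
            a_records.setdefault(owner, set()).add(rdata)
    results = {}
    for owner, rtype, target in parse_zone(reverse_text):
        if rtype == "PTR":
            ip = ptr_to_ip(owner)
            results[ip] = (target, ip in a_records.get(target, set()))
    return results


if __name__ == "__main__":
    for label, zone in (("as posted", REVERSE_ZONE), ("with dot", REVERSE_ZONE_FIXED)):
        for ip, (target, ok) in sorted(check_reverse_forward(zone, FORWARD_ZONE).items()):
            print(f"{label:10} {ip:14} -> {target:50} {'OK' if ok else 'MISMATCH'}")
```

Run against the posted zones, 10.50.10.170 checks out while 10.50.10.210 maps to `plhqsrldap01.testit.pl.10.50.10.in-addr.arpa.`, which the forward zone knows nothing about; with the trailing dot restored both entries agree. The same check is worth running over any reverse zone before enabling Kerberos-authenticated services, since a relative PTR looks harmless in `nslookup` output until a client tries to canonicalize it.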

I get it! There was no dot!!! :slight_smile:
Thank you! Finally connection to LDAP via Kerberos authentication is working! :slight_smile:

Thank you very much! :slight_smile:

On Tue, 17 Jan 2012 11:26:02 +0000, rysic wrote:

> I get it! There was no dot!!! :slight_smile:
> Thank you! Finally connection to LDAP via Kerberos authentication is
> working! :slight_smile:
>
> Thank you very much! :slight_smile:

Glad to hear you got it working. :slight_smile:

Jim

