kinit user@DOMAIN.TLD
klist -afe

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN.TLD
Valid starting Expires Service principal
08/04/11 13:14:53 08/05/11 01:14:53 krbtgt/DOMAIN.TLD@DOMAIN.TLD
renew until 08/05/11 13:14:53, Flags: FRI
Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
Addresses: (none)

ldapwhoami -h dc1.windows.domain.tld

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/dc1.windows.DOMAIN.TLD@DOMAIN.TLD not found in Kerberos database)

kvno ldap/dc1.windows.domain.tld@WINDOWS.DOMAIN.TLD
ldap/dc1.windows.domain.tld@WINDOWS.DOMAIN.TLD: kvno = 65

klist -afe

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN.TLD
Valid starting Expires Service principal
08/04/11 13:14:53 08/05/11 01:14:53 krbtgt/DOMAIN.TLD@DOMAIN.TLD
renew until 08/05/11 13:14:53, Flags: FRI
Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
Addresses: (none)
08/04/11 13:24:35 08/05/11 01:14:53 krbtgt/WINDOWS.DOMAIN.TLD@DOMAIN.TLD
renew until 08/05/11 13:14:53, Flags: FRT
Etype (skey, tkt): des-cbc-crc, des-cbc-crc
Addresses: (none)
08/04/11 13:24:35 08/05/11 01:14:53 ldap/dc1.windows.domain.tld@WINDOWS.DOMAIN.TLD
renew until 08/05/11 13:14:53, Flags: FR
Etype (skey, tkt): arcfour-hmac, arcfour-hmac
Addresses: (none)

ldapwhoami -h dc1.windows.domain.tld

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/dc1.windows.domain.tld@DOMAIN.TLD not found in Kerberos database)

2 Answers

Insufficient domain realm mapping.

Required either
krb5.conf:
[domain_realm]
windows.domain.tld = WINDOWS.DOMAIN.TLD
.windows.domain.tld = WINDOWS.DOMAIN.TLD
or
DNS:
_kerberos.windows.domain.tld. TXT "WINDOWS.DOMAIN.TLD"

Only had DNS:
_kerberos.domain.tld. IN TXT "DOMAIN.TLD"

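A worked model of the host-to-realm lookup this answer is talking about, added here as example code (it is not from the question or either answer). It assumes MIT-style behaviour: the [domain_realm] section is consulted first (exact host, then parent domains with a leading dot), and only if that yields nothing and dns_lookup_realm is enabled does the client walk up the DNS tree looking for _kerberos TXT records; the DNS table is constructed, no real lookups happen.

```python
# Added example: emulate how a Kerberos client picks the realm for a server
# hostname, to show why dc1.windows.domain.tld ended up in DOMAIN.TLD.
# Assumptions: MIT-style [domain_realm] matching, then a _kerberos TXT walk.

def realm_from_domain_realm(host, domain_realm):
    """Return the realm for host from a [domain_realm] mapping, or None."""
    host = host.lower()
    if host in domain_realm:               # exact hostname entry
        return domain_realm[host]
    labels = host.split(".")
    # ".windows.domain.tld" matches every host under windows.domain.tld
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None

def realm_from_dns(host, txt_records):
    """Emulate the _kerberos TXT walk: the host itself, then each parent."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:]) + "."
        if name in txt_records:
            return txt_records[name]
    return None

def service_principal(service, host, domain_realm, txt_records):
    """Build the service principal the client will ask its KDC for."""
    realm = realm_from_domain_realm(host, domain_realm)
    if realm is None:
        realm = realm_from_dns(host, txt_records)
    return f"{service}/{host.lower()}@{realm}" if realm else None

HOST = "dc1.windows.domain.tld"
# Situation in the question: only the parent realm's TXT record exists.
DNS_BEFORE = {"_kerberos.domain.tld.": "DOMAIN.TLD"}
# Fix 1: the [domain_realm] entries from this answer.
KRB5_FIX = {"windows.domain.tld": "WINDOWS.DOMAIN.TLD",
            ".windows.domain.tld": "WINDOWS.DOMAIN.TLD"}
# Fix 2: the extra TXT record from this answer (constructed table).
DNS_FIX = dict(DNS_BEFORE, **{"_kerberos.windows.domain.tld.": "WINDOWS.DOMAIN.TLD"})

if __name__ == "__main__":
    # Wrong realm, so the KDC for DOMAIN.TLD reports the principal as unknown
    print(service_principal("ldap", HOST, {}, DNS_BEFORE))
    print(service_principal("ldap", HOST, KRB5_FIX, DNS_BEFORE))
    print(service_principal("ldap", HOST, {}, DNS_FIX))
```

With only the parent TXT record, the walk stops at _kerberos.domain.tld and produces ldap/dc1.windows.domain.tld@DOMAIN.TLD, which is exactly the principal named in the question's error.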
The LDAP server needs to be the first entry in /etc/hosts

192.168.1.5  fqdn.of.your.ad.server some.other.name and.another

If everything is correct in DNS, then remove the line from /etc/hosts altogether.