[30922] in Kerberos


RE: SASL authentication

daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Wed Mar 25 05:30:01 2009

From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Markus Moeller <huaraz@moeller.plus.com>,
   "kerberos@mit.edu"
	<kerberos@mit.edu>
Date: Wed, 25 Mar 2009 17:28:29 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C1729059820E0@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <gqbroh$auj$1@ger.gmane.org>
Content-Language: en-US
MIME-Version: 1.0
X-MAIL-FROM: <qiang.xu@fujixerox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> -----Original Message-----
> From: kerberos-bounces@mit.edu 
> [mailto:kerberos-bounces@mit.edu] On Behalf Of Markus Moeller
> Sent: Wednesday, March 25, 2009 7:53 AM
> To: kerberos@mit.edu
> Subject: Re: SASL authentication
> 
> You need to do nslookup sesswin2003.sesswin2003.com or 
> nslookup sesswin2003.com  or add a search path to your 
> resolv.conf file (e.g. search
> sesswin2003.com)

Yesterday, my resolv.conf was like this:
=================================
search sgp.fujixerox.com sesswin2003.com
nameserver 13.198.8.83 
nameserver 13.198.96.10 
nameserver 13.198.98.35
=================================
To my dismay, it didn't work. The hostname "sesswin2003" still couldn't be resolved to its IP address.

Today, with the help of our local SA, the file was changed to: 
=================================
search sgp.fujixerox.com sesswin2003.com
nameserver 13.198.98.35
nameserver 13.198.96.10
=================================
It seems the order of the nameserver list is important. Quite strange. Or it may be a problem with one of the DNS servers, because if I put nameserver 13.198.96.10 in front of 13.198.98.35, it still doesn't work. By right, if a hostname can't be located by the first nameserver, it should continue to look for the hostname in the second nameserver, right?

Anyway, now nslookup works perfectly:
=================================
qxu@durian(pts/1):/etc[17]$ nslookup sesswin2003
Server:         13.198.98.35
Address:        13.198.98.35#53

Name:   sesswin2003.sesswin2003.com
Address: 13.198.98.35

qxu@durian(pts/1):/etc[18]$ nslookup sesswin2003.sesswin2003.com
Server:         13.198.98.35
Address:        13.198.98.35#53

Name:   sesswin2003.sesswin2003.com
Address: 13.198.98.35
=================================
For me, it is quite promising. 

Then I did what Michael and Doug told me, i.e. kinit, klist and ldapsearch: 
=================================
qxu@durian(pts/1):/etc[19]$ kinit qxu@SESSWIN2003.COM
Password for qxu@SESSWIN2003.COM: 

qxu@durian(pts/1):/etc[20]$ klist 
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: qxu@SESSWIN2003.COM

Valid starting     Expires            Service principal
03/25/09 17:21:13  03/26/09 03:21:11  krbtgt/SESSWIN2003.COM@SESSWIN2003.COM
        renew until 03/26/09 17:21:13


Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached

qxu@durian(pts/1):/etc[21]$ ldapsearch -Y GSSAPI -H 'ldap://sesswin2003.sesswin2003.com' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=xuan' mail
SASL/GSSAPI authentication started
SASL username: qxu@SESSWIN2003.COM
SASL SSF: 56
SASL installing layers
dn: CN=xuan,CN=Users,DC=sesswin2003,DC=com
mail: Xuan.Shangguan@fujixerox.com

# refldap://ForestDnsZones.sesswin2003.com/DC=ForestDnsZones,DC=sesswin2003,D
 C=com

# refldap://DomainDnsZones.sesswin2003.com/DC=DomainDnsZones,DC=sesswin2003,D
 C=com

# refldap://sesswin2003.com/CN=Configuration,DC=sesswin2003,DC=com
=================================
It works perfectly. Next I will use this as a benchmark against my own code.

Thanks to all,
Xu Qiang
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
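The post above attributes the failure to nameserver order. An added example follows (it is not part of the thread and is not Kerberos or OpenLDAP code): a POSIX shell script that reads a resolv.conf, lists the nameservers in the order the stub resolver consults them, expands a short name such as "sesswin2003" through the search list exactly as a default glibc resolver (ndots:1) would, and, when run with --probe, asks each nameserver directly for each candidate with dig. The sample resolv.conf embedded below is constructed from the "yesterday" configuration in the post; the probe assumes dig is installed and network access to those servers. The point it makes explicit is the one behind the poster's question: glibc only moves on to the next nameserver when a query times out or the server returns SERVFAIL/REFUSED, so a first server that answers NXDOMAIN for sesswin2003.sesswin2003.com ends the lookup, and the second server is never asked.

```shell
#!/bin/sh
# Added example, not from the original thread. Offline simulation of the
# stub-resolver behaviour behind the resolv.conf ordering problem in the post,
# plus an optional live per-nameserver probe (requires dig).

# Constructed sample: the poster's first, non-working resolv.conf.
RESOLV_CONF_SAMPLE='search sgp.fujixerox.com sesswin2003.com
nameserver 13.198.8.83
nameserver 13.198.96.10
nameserver 13.198.98.35'

# Nameservers in the order the resolver consults them (file order).
resolv_nameservers() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Search list; like glibc, the last "search" line wins.
resolv_search() {
  printf '%s\n' "$1" | awk '$1 == "search" { $1 = ""; s = $0 }
                            END { sub(/^ +/, "", s); print s }'
}

# Candidate FQDNs tried for a name, in order, with the default ndots:1:
#   "host."      absolute, tried as-is only
#   "host"       search suffixes first, then the bare name
#   "a.b"        as-is first, then the search suffixes
resolve_candidates() {
  name=$1; search=$2
  case $name in
    *.)  printf '%s\n' "$name" ;;
    *.*) printf '%s\n' "$name"
         for d in $search; do printf '%s.%s\n' "$name" "$d"; done ;;
    *)   for d in $search; do printf '%s.%s\n' "$name" "$d"; done
         printf '%s\n' "$name" ;;
  esac
}

# Live probe: query every nameserver for every candidate, independently of
# the stub resolver. glibc goes to the next nameserver only on timeout or
# SERVFAIL/REFUSED; a negative answer (NXDOMAIN) from the first server is
# final, which is why the file order decides the outcome.
probe_each_nameserver() {
  conf=$1; name=$2
  search=$(resolv_search "$conf")
  for ns in $(resolv_nameservers "$conf"); do
    for fqdn in $(resolve_candidates "$name" "$search"); do
      r=$(dig +short +time=2 +tries=1 "@$ns" "$fqdn" A 2>/dev/null | head -n1)
      printf '%s %s: %s\n' "$ns" "$fqdn" "${r:-(no answer)}"
    done
  done
}

# Usage: sh resolvcheck.sh --probe [name]   (reads /etc/resolv.conf)
if [ "${1:-}" = "--probe" ]; then
  probe_each_nameserver "$(cat /etc/resolv.conf)" "${2:-sesswin2003}"
fi
```

Running the probe on the poster's first configuration would show, per nameserver, which of sesswin2003.sgp.fujixerox.com, sesswin2003.sesswin2003.com and sesswin2003 each server actually answers; a server that is not authoritative for sesswin2003.com and answers NXDOMAIN has to be listed after one that is, or be removed, for the search-list expansion to succeed.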
