Bug#696207: ldapsearch sets Kerberos principle incorrectly over IPv6

Mon, 17 Dec 2012 20:18:18 -0800 

Package: ldap-utils
Version: 2.4.31-1

When /etc/hosts contains only the IPv4 address of the server, everything
works.

root@tyla:~# ldapsearch  -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org
uid=aspiers  -H ldap://sys11.ad.vpac.org/ -A  > /dev/null
SASL/GSSAPI authentication started
SASL username: administra...@ad.vpac.org
SASL SSF: 56
SASL data security layer installed.


If ldapsearch uses IPv6, then things don't work.


With libsasl2-modules-gssapi-mit installed.

root@tyla:~# ldapsearch  -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org
uid=aspiers  -H ldap://sys11.ad.vpac.org/ -A
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Cannot
determine realm for numeric host address)


With libsasl2-modules-gssapi-heimdal installed.

root@tyla:~# ldapsearch  -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org
uid=aspiers  -H ldap://sys11.ad.vpac.org/ -A
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:
 Miscellaneous failure (see text) (Matching credential (ldap/
2001:388:60ac:10d:214:85ff:fef6:8...@ad.vpac.org) not found)


It should not be trying to use ldap/
2001:388:60ac:10d:214:85ff:fef6:8...@ad.vpac.org, it should use the name I
specified on the command line, i.e. ldap/sys11.ad.vpac....@ad.vpac.org
-- 
Brian May <br...@microcomaustralia.com.au>

Reply via email to