Code:
2022 07 15 13:12:17.453 [LDAP Cache Manager] ldap: debug: cache_update:1956 manual/configuration update
2022 07 15 13:12:17.453 [LDAP Cache Manager] network: debug: writing 734 bytes to /usr/local/safesquid/security/krb5.conf file
2022 07 15 13:12:17.453 [LDAP Cache Manager] ldap: debug: prepare_krb_unlocked:196 dns stub: conserved
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns: retry:0 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:1 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:2 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: error: s_generate_keytab:410 dns failed: [ad.safesquid.lab]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: init_routine_unlocked:264 connection not exists in pool for domain safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: get_ld:1199 ad.safesquid.lab:389 max query limit:[0], 0 means no limit
2022 07 15 13:12:17.460 [LDAP Cache Manager] ldap: error: s_bind:2269 authentication failed for user:pratik@safesquid.lab [-1:Can't contact LDAP server]
If you try to ping your Active Directory server using its FQDN, you get "Temporary failure in name resolution". Similarly, an nslookup of the Active Directory server's FQDN fails to resolve the IP address, but a lookup using the Active Directory server's IP address succeeds. (Note: make sure the default server address is 127.0.0.1.)
If the default nameserver is 127.0.0.53, which can be the case when SafeSquid is installed from the tarball, update the nameserver by editing the /etc/resolv.conf file:
Code:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
#nameserver 127.0.0.53
nameserver 127.0.0.1
search safesquid.lab
Below is the default named.conf.options configuration file.
Code:
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;
    max-cache-ttl 300;
    max-ncache-ttl 300;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
};
Below is the same file with dnssec-validation changed from auto to no.
Code:
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;
    max-cache-ttl 300;
    max-ncache-ttl 300;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
};
Code:
systemctl restart bind9.service
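The log excerpt at the top of this page reports "authentication failed" even though the real fault is name resolution. The following added example (not SafeSquid code) parses lines in that format and labels each failed bind by likely root cause; the function name `triage`, the cause labels and the second log sample are assumptions made for illustration.

```python
import re

# Lines copied from the log excerpt on this page (net_dns_p duplicates omitted).
PAGE_LOG = """\
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns: retry:0 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:1 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:2 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: error: s_generate_keytab:410 dns failed: [ad.safesquid.lab]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: get_ld:1199 ad.safesquid.lab:389 max query limit:[0], 0 means no limit
2022 07 15 13:12:17.460 [LDAP Cache Manager] ldap: error: s_bind:2269 authentication failed for user:pratik@safesquid.lab [-1:Can't contact LDAP server]
"""
# Constructed lines (not from the page): same shape, but the directory answers
# and rejects the bind with LDAP result code 49 (invalid credentials).
CONSTRUCTED_LOG = """\
2022 07 15 14:00:00.000 [LDAP Cache Manager] ldap: debug: get_ld:1199 ad.safesquid.lab:389 max query limit:[0], 0 means no limit
2022 07 15 14:00:00.010 [LDAP Cache Manager] ldap: error: s_bind:2269 authentication failed for user:alice@safesquid.lab [49:Invalid credentials]
"""

LINE = re.compile(r"^(\d{4} \d\d \d\d [\d:.]+) \[([^\]]+)\] (\w+): (\w+): (.*)$")
DNS_FAIL = re.compile(r"net_dns: retry:\d+ host:\[([^\]]+)\] getaddrinfo \[-?\d+:")
LDAP_TARGET = re.compile(r"get_ld:\d+ ([^\s:]+):\d+")
BIND_FAIL = re.compile(r"s_bind:\d+ authentication failed for user:(\S+) \[(-?\d+):")


def triage(log_text):
    """Return one finding per failed bind, with the likely root cause."""
    dns_failures, target, findings = {}, None, []
    for line in log_text.splitlines():
        parsed = LINE.match(line)
        if not parsed:
            continue
        stamp, msg = parsed.group(1), parsed.group(5)
        if d := DNS_FAIL.search(msg):
            dns_failures[d.group(1)] = dns_failures.get(d.group(1), 0) + 1
        elif t := LDAP_TARGET.search(msg):
            target = t.group(1)
        elif b := BIND_FAIL.search(msg):
            code, retries = int(b.group(2)), dns_failures.get(target, 0)
            if code == -1 and retries:   # server never contacted, name did not resolve
                cause = "dns"
            elif code == -1:             # no DNS errors: network path or service down
                cause = "ldap-unreachable"
            else:                        # server answered and refused the bind
                cause = "bind-rejected"
            findings.append({"time": stamp, "user": b.group(1), "host": target,
                             "ldap_code": code, "dns_failures": retries, "cause": cause})
            dns_failures, target = {}, None  # fresh window for the next attempt
    return findings
```

A finding with cause `dns` points at the resolver configuration described on this page rather than at the account's password.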