
Unable to resolve Active Directory using its FQDN / Failed to set up LDAP for Kerberos authentication

Posted: Fri Jul 15, 2022 1:48 pm
by Pratik
During initial SafeSquid setup, a problem we commonly run into is integrating LDAP for Kerberos authentication, i.e. when the LDAP Bind Method is set to NEGOTIATE_LDAP_AUTH.
The LDAP server entry has been created, but when you open the LDAP entries section it is empty: no entries have been fetched from the directory.
Now look at what the SafeSquid logs recorded.

Code:
2022 07 15 13:12:17.453 [LDAP Cache Manager] ldap: debug: cache_update:1956 manual/configuration update
2022 07 15 13:12:17.453 [LDAP Cache Manager] network: debug: writing  734 bytes to /usr/local/safesquid/security/krb5.conf file
2022 07 15 13:12:17.453 [LDAP Cache Manager] ldap: debug: prepare_krb_unlocked:196 dns stub: conserved
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns: retry:0 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution] 
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:1 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution] 
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:2 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution] 
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: error: s_generate_keytab:410 dns failed: [ad.safesquid.lab]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: init_routine_unlocked:264 connection not exists in pool for domain safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: get_ld:1199 ad.safesquid.lab:389 max query limit:[0], 0 means no limit
2022 07 15 13:12:17.460 [LDAP Cache Manager] ldap: error: s_bind:2269 authentication failed for user:pratik@safesquid.lab [-1:Can't contact LDAP server]
I have attached the complete logs for detailed analysis.
Attachment: ldaplog.txt
As the logs show, SafeSquid cannot resolve the LDAP server's FQDN, in our case ad.safesquid.lab: getaddrinfo fails with -3 ("Temporary failure in name resolution") on all three retries, so the keytab cannot be generated (s_generate_keytab ... dns failed) and the subsequent bind fails with "Can't contact LDAP server". Nothing further can work until the name resolves.
If you ping your Active Directory by its FQDN you get the same "Temporary failure in name resolution".
Similarly, nslookup of the Active Directory FQDN fails to return an IP address.
But if you look up the Active Directory's IP address instead, the query succeeds, so the local resolver itself is answering.
(Note: make sure the server that nslookup reports is 127.0.0.1, i.e. the local BIND.)
If the default nameserver is instead 127.0.0.53, the systemd-resolved stub resolver, which can be the case when SafeSquid was installed from the tarball, update the nameserver by editing the /etc/resolv.conf file. Note the file's own header: it is generated by resolvconf and hand edits are overwritten when it is regenerated, so make the same change through whatever manages the file on your system (resolvconf or systemd-resolved), or the 127.0.0.53 entry will come back.

Code:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

#nameserver 127.0.0.53
nameserver 127.0.0.1
search safesquid.lab
To resolve Active Directory by its FQDN you also need to change the /etc/bind/named.conf.options file.
Below is the default named.conf.options configuration file.

Code:
options {

        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        max-cache-ttl 300;
        max-ncache-ttl 300;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Change the dnssec-validation value from auto to no. The reason this matters: safesquid.lab is a private domain that does not exist in the public, signed DNS tree, so a validating resolver cannot prove that the zone is legitimately unsigned, rejects the answers from the Active Directory DNS and returns SERVFAIL, which glibc reports as "Temporary failure in name resolution". Be aware that dnssec-validation no switches validation off for every name this resolver serves, not only the lab domain. On BIND 9.13.3 or later you can keep auto and instead add validate-except { "safesquid.lab"; }; to the same options block, which exempts only the private zone.

Code:
options {

        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation no;

        max-cache-ttl 300;
        max-ncache-ttl 300;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
Save the configuration file, check it with named-checkconf, and restart the bind9 service:

Code:
systemctl restart bind9.service
Now ping your Active Directory by its FQDN again; the name resolves.
In the LDAP entries section you can now see all your LDAP entries.
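As an added example, not part of the original post and not SafeSquid's or ISC's own tooling, here is a small shell triage script that encodes the checks walked through above: it pulls the failing host out of the LDAP Cache Manager log lines, flags a resolv.conf that still points at the 127.0.0.53 stub, reads the dnssec-validation setting (and any validate-except exemption, which assumes BIND 9.13.3 or later) out of named.conf.options, and offers a dig-based live check for the DNSSEC cause. The log lines, resolv.conf and named.conf.options texts embedded in it are constructed samples modelled on the fragments in this post; the verdict strings and the idea of passing file contents as arguments are my own choices.

```shell
#!/bin/sh
# Added triage helper for the failure described in this post (not SafeSquid's
# or ISC's code). Inputs are passed as text so it runs offline; the embedded
# samples are constructed from the log and config fragments shown above.
set -u

# --- constructed samples -----------------------------------------------------
SAMPLE_LOG=$(cat <<'EOF'
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns: retry:0 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:2 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution]
2022 07 15 13:12:17.460 [LDAP Cache Manager] ldap: error: s_bind:2269 authentication failed for user:pratik@safesquid.lab [-1:Can't contact LDAP server]
EOF
)
STUB_RESOLV=$(printf '# 127.0.0.53 is the systemd-resolved stub resolver.\nnameserver 127.0.0.53\nsearch safesquid.lab\n')
FIXED_RESOLV=$(printf '#nameserver 127.0.0.53\nnameserver 127.0.0.1\nsearch safesquid.lab\n')
DEFAULT_NAMED=$(cat <<'EOF'
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        // validate-except { "example.invalid"; };   // commented out, must be ignored
};
EOF
)
FIXED_NAMED=$(printf '%s\n' "$DEFAULT_NAMED" | sed 's/dnssec-validation auto;/dnssec-validation no;/')
# Alternative assumed here (BIND 9.13.3+): keep validation on, exempt only the private AD zone.
SCOPED_NAMED=$(cat <<'EOF'
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        validate-except { "safesquid.lab"; };
};
EOF
)

# Hostnames whose getaddrinfo() failed with -3 (EAI_AGAIN) in the log, one per line.
failing_hosts() {
    printf '%s\n' "$1" |
        sed -n 's/.*net_dns: retry:[0-9]* host:\[\([^]]*\)\] getaddrinfo \[-3:.*/\1/p' |
        sort -u
}

# First active (uncommented) nameserver in resolv.conf text.
first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# Value of dnssec-validation in named.conf.options text (empty if not set).
dnssec_mode() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p' |
        head -n 1
}

# True if an uncommented validate-except block names the domain ("//" comments stripped first).
validation_exempt() {
    printf '%s\n' "$1" | sed 's#//.*##' | tr '\n' ' ' |
        grep -q "validate-except[^}]*\"$2\"[[:space:]]*;"
}

# Verdict for one log / resolv.conf / named.conf.options triple. Exit status 1 means
# something still needs fixing; causes are checked in the order the post does
# (resolver first, then DNSSEC validation).
triage() {
    local host domain ns mode
    host=$(failing_hosts "$1" | head -n 1)
    [ -n "$host" ] || { echo "no-dns-failure"; return 0; }
    domain=${host#*.}                       # ad.safesquid.lab -> safesquid.lab
    ns=$(first_nameserver "$2")
    if [ "$ns" = "127.0.0.53" ]; then
        echo "stub-resolver:$host"; return 1
    fi
    mode=$(dnssec_mode "$3")
    [ -n "$mode" ] || mode=unset            # unset = BIND's built-in default; treat as validating
    if [ "$mode" != "no" ] && ! validation_exempt "$3" "$domain"; then
        echo "dnssec-validation-$mode:$domain"; return 1
    fi
    echo "resolver-ok:$host"
}

# Live confirmation on the proxy itself (needs dig and the local BIND; not run here):
# SERVFAIL without +cd but an answer with +cd (Checking Disabled) proves that DNSSEC
# validation, not reachability of the AD server, is what blocks the name.
live_check() {
    dig @127.0.0.1 "$1" A +noall +comments | grep -o 'status: [A-Z]*'
    dig @127.0.0.1 "$1" A +cd +short
}

# Demo on the constructed samples: one verdict per stage of the fix.
triage "$SAMPLE_LOG" "$STUB_RESOLV"  "$DEFAULT_NAMED" || :
triage "$SAMPLE_LOG" "$FIXED_RESOLV" "$DEFAULT_NAMED" || :
triage "$SAMPLE_LOG" "$FIXED_RESOLV" "$FIXED_NAMED"   || :
triage "$SAMPLE_LOG" "$FIXED_RESOLV" "$SCOPED_NAMED"  || :
```

On a real proxy you would feed it the live files, e.g. `triage "$(cat /usr/local/safesquid/logs/...)" "$(cat /etc/resolv.conf)" "$(cat /etc/bind/named.conf.options)"` with the actual log path substituted, and run `live_check ad.safesquid.lab` before touching named.conf.options: if the plain query SERVFAILs while the +cd query answers, the DNSSEC explanation above is confirmed and the scoped validate-except fix is the one to prefer over turning validation off globally.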