Failed to setup LDAP for Kerberos authentication

I’m encountering issues with Active Directory resolution using its Fully Qualified Domain Name (FQDN), and I’m facing difficulties setting up LDAP for Kerberos authentication. Has anyone experienced similar problems, and what steps can be taken to resolve these issues effectively? Any guidance or insights would be greatly appreciated.

During initial SafeSquid setup, we generally face an issue while integrating LDAP for Kerberos authentication, i.e. when using the LDAP Bind Method NEGOTIATE_LDAP_AUTH.


The LDAP server entry has been made, but when you look for LDAP entries, you’ll see that there are none.


We will now look at what the SafeSquid logs have recorded.

2022 07 15 13:12:17.453 [LDAP Cache Manager] ldap: debug: cache_update:1956 manual/configuration update
2022 07 15 13:12:17.453 [LDAP Cache Manager] network: debug: writing  734 bytes to /usr/local/safesquid/security/krb5.conf file
2022 07 15 13:12:17.453 [LDAP Cache Manager] ldap: debug: prepare_krb_unlocked:196 dns stub: conserved
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.457 [LDAP Cache Manager] network: error: net_dns: retry:0 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution] 
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:1 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution] 
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns_p:3251 DNS: failed: ad.safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] network: error: net_dns: retry:2 host:[ad.safesquid.lab] getaddrinfo [-3:Temporary failure in name resolution] 
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: error: s_generate_keytab:410 dns failed: [ad.safesquid.lab]
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: init_routine_unlocked:264 connection not exists in pool for domain safesquid.lab
2022 07 15 13:12:17.458 [LDAP Cache Manager] ldap: debug: get_ld:1199 ad.safesquid.lab:389 max query limit:[0], 0 means no limit
2022 07 15 13:12:17.460 [LDAP Cache Manager] ldap: error: s_bind:2269 authentication failed for user:pratik@safesquid.lab [-1:Can't contact LDAP server]

As per the logs, SafeSquid is unable to contact LDAP using its FQDN, which in our case is ad.safesquid.lab.
If you try to ping your Active Directory using its FQDN, you’ll get "Temporary failure in name resolution".


Similarly, if you try nslookup on the Active Directory’s FQDN, it fails to resolve the IP address.


But if you try to resolve using the Active Directory’s IP address, it succeeds.


(Note: Make sure the default server address is 127.0.0.1.)
If you have the default nameserver set to 127.0.0.53, which can happen when installing SafeSquid using the tarball, update the nameserver by editing the /etc/resolv.conf file:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

#nameserver 127.0.0.53
nameserver 127.0.0.1
search safesquid.lab

To resolve Active Directory using its FQDN, you are required to make a change in the /etc/bind/named.conf.options file.
Below is the default named.conf.options configuration file.

options {

        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        max-cache-ttl 300;
        max-ncache-ttl 300;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Update the dnssec-validation value from auto to no.

options {

        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation no;

        max-cache-ttl 300;
        max-ncache-ttl 300;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Save the configuration file and restart bind9.service:

systemctl restart bind9.service

Now ping your Active Directory using its FQDN.


In your LDAP entry section, you’ll now be able to view all your LDAP entries.

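For anyone who wants to script the three checks the post walks through (does the AD FQDN resolve, is /etc/resolv.conf still pointing at the 127.0.0.53 stub, and what is dnssec-validation set to), here is an added diagnostic script. It is not from the post or from SafeSquid: the FQDN ad.safesquid.lab and the two file paths are the ones used above, the function names and the one-word verdicts are the script's own, and it runs as plain POSIX sh.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the SafeSquid forum post or product.
# It reproduces the three checks the post walks through:
#   1. does the Active Directory FQDN resolve via the system resolver?
#   2. does /etc/resolv.conf point at the local BIND (127.0.0.1) rather than
#      the systemd-resolved stub (127.0.0.53)?
#   3. what is dnssec-validation set to in /etc/bind/named.conf.options?
# The FQDN and file paths are the ones used in the post; the function names
# and verdict words are this script's own.

AD_FQDN="${AD_FQDN:-ad.safesquid.lab}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
NAMED_OPTIONS="${NAMED_OPTIONS:-/etc/bind/named.conf.options}"

# Print the first uncommented "nameserver" entry of a resolv.conf-style file.
active_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Classify the active nameserver: "ok" for the local BIND, "stub" for the
# systemd-resolved stub the post warns about, "missing" if the file is
# unreadable, "other" for anything else.
check_resolver() {
    [ -r "$1" ] || { echo missing; return; }
    case "$(active_nameserver "$1")" in
        127.0.0.1)  echo ok ;;
        127.0.0.53) echo stub ;;
        *)          echo other ;;
    esac
}

# Print the value of dnssec-validation from a named.conf.options file,
# ignoring // and # comments (both are legal in named.conf).
dnssec_validation_value() {
    [ -r "$1" ] || { echo missing; return; }
    sed -e 's|//.*||' -e 's|#.*||' "$1" |
        awk '$1 == "dnssec-validation" { sub(/;.*/, "", $2); print $2; exit }'
}

# "ok" when the name resolves through the system resolver, "fail" otherwise
# (getent hosts goes through the same glibc getaddrinfo path that failed in
# the SafeSquid log above).
check_fqdn() {
    if getent hosts "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Combine the three results into a one-word verdict usable by a monitoring check.
verdict() {
    # $1 = resolver result, $2 = dnssec-validation value, $3 = fqdn result
    if [ "$3" = ok ]; then
        echo healthy
    elif [ "$1" = stub ]; then
        echo fix-resolv-conf
    elif [ "$2" = auto ] || [ "$2" = yes ]; then
        echo fix-dnssec-validation
    else
        echo investigate
    fi
}

main() {
    r=$(check_resolver "$RESOLV_CONF")
    d=$(dnssec_validation_value "$NAMED_OPTIONS")
    f=$(check_fqdn "$AD_FQDN")
    printf 'resolv.conf nameserver : %s\n' "$r"
    printf 'dnssec-validation      : %s\n' "$d"
    printf 'resolve %-15s: %s\n' "$AD_FQDN" "$f"
    printf 'verdict                : %s\n' "$(verdict "$r" "$d" "$f")"
}

main
```

Run it before and after the change: a verdict of fix-resolv-conf means the systemd-resolved stub is still the active nameserver, fix-dnssec-validation means the stub is gone but BIND is still validating, and healthy means the FQDN resolves. One caveat on the fix itself: dnssec-validation no switches validation off for every name BIND resolves, not only for the AD domain. The forwarded answer for a private zone such as safesquid.lab fails validation because the signed root zone proves that .lab does not exist, so recent BIND 9 releases offer validate-except { "safesquid.lab"; }; to exempt only the AD zone while keeping validation for public names, which is the narrower change where the proxy also resolves Internet names.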