[Pdns-users] Fatal Error: Trying to set unknown parameter 'ldap-authmethod'
Dario García Díaz-Miguel
dgdiaz at gmv.com
Mon Feb 22 06:51:38 UTC 2021
Hello Michael,
Thank you so much for your reply.
I have never had an issue with my Kerberos configuration, but I don't know if pdns needs something else that my already-deployed services don't need.
I have my krb5.conf correctly configured according to my environment:
[libdefaults]
default_realm = EXAMPLE.COM
forwardable = false
proxiable = true
clockskew = 300
ignore_acceptor_hostname = false
noaddresses = false
dns_lookup_realm = false
dns_lookup_kdc = false
allow_weak_crypto = false
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
default_tkt_enctypes = camellia256-cts-cmac
default_tgs_enctypes = camellia256-cts-cmac
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[logging]
[realms]
EXAMPLE.COM = {
admin_server = server.example.com
kdc = server.example.com
kdc = serverbackup.example.com
}
About permissions:
-r--r----- 1 pdns pdns 110 Feb 18 12:49 /etc/pdns.keytab
I gave a shell to the pdns user to test it:
usermod -s /bin/bash pdns
pdns@server:/> kinit -k -t /etc/pdns.keytab pdns/server.example.com
The ticket is being retrieved successfully.
But when the service pdns is trying to retrieve it:
[LdapBackend] LDAP Servers = ldaps://server.example.com
Conn=1543 fd=38 ACCEPT from IP=10.1.1.15:33668 (IP=10.1.1.15:636)
Conn=1543 fd=38 TLS established tls_ssf=256 ssf=256
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_0) )
[LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
[LDAP GSSAPI] No TGT found, trying to acquire a new one
[LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported by protocol
Since pdns checks the Kerberos cache at the very beginning, before asking the KDC for a ticket, I tried to manually store a credential in a credential cache and point the pdns property at it, just for troubleshooting:
I checked the service principal id:
# id pdns/server.example.com
uid=30060 (pdns/server.example.com) gid=20000 (Services) groups=20000(Services)
I manually asked for a ticket and stored it into a ccache:
# kinit -k -t /etc/pdns.keytab -c /tmp/krb5cc_30060 pdns/server.example.com
I changed the default kerberos cache for pdns on pdns.conf:
ldap-krb5-ccache=/tmp/krb5cc_30060
And checked the ownership and permissions:
# ls -la /tmp/krb5cc_30060
-rw-rw-rw- 1 pdns pdns 1116 Feb 19 12:30 /tmp/krb5cc_30060
Checked that it's being correctly stored using klist.
And still the same result...
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_30060) )
[LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
[LDAP GSSAPI] No TGT found, trying to acquire a new one
[LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported by protocol
Honestly, I don't know what could be happening.
If you have any idea about this, it would be very appreciated.
Thank you so much!
Kind Regards.
-----Original Message-----
Date: Fri, 19 Feb 2021 14:50:46 +0100
From: Michael Ströder <michael at stroeder.com>
To: "pdns-users at mailman.powerdns.com" <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] RV: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'
Message-ID: <8cc5a2e4-c647-8683-b3a6-13e2eda9cd09 at stroeder.com>
Content-Type: text/plain; charset=utf-8
On 2/19/21 10:31 AM, Dario García Díaz-Miguel via Pdns-users wrote:
> I had to add to the /etc/openldap/ldap.conf the following parameter:
>
> SASL_MECH GSSAPI
FYI: If you don't want to set this globally you can set env var LDAPRC or LDAPCONF to point to a service-specific ldap.conf.
See the details in man-page ldap.conf(5).
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (No Kerberos credentials available (default cache:
> /tmp/krb5cc_0) ) [LDAP GSSAPI] ldap_sasl_interactive_bind_s returned
> -2 [LDAP GSSAPI] No TGT found, trying to acquire a new one [LDAP
> GSSAPI] krb5 error when getting the TGT: Address family not supported
> by protocol
Do you have a correctly configured /etc/krb5.conf? Again you can point to a service-specific Kerberos config with env var KRB5_CONFIG.
Also check the ownership and permissions of your keytab file, i.e. whether pdns can read it.
I'd also check whether it works to get a TGT with the keytab for the expected client principal name. Assuming you're running pdns as user pdns:
runuser -u pdns -- kinit -k -t /etc/pdns.keytab pdns-service-principal@REALM.EXAMPLE.COM
I don't have a kerberized setup so all of the above is just from memory.
Ciao, Michael.
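The checks both messages walk through by hand (can the service user read the keytab, is the credential cache owned by the service uid, and is it exposed to other users, as the 0666 cache above is) can be scripted. The following is an added example, not code from either poster or from PowerDNS; the user name and file paths are the ones from this thread and are assumptions for your environment.

```python
import os
import pwd
import stat
from typing import Iterable, List


def can_read(path: str, uid: int, gids: Iterable[int]) -> bool:
    """Classic Unix permission check: can uid (member of gids) read path?
    uid 0 is treated as always able to read, as the kernel does."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in set(gids):
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit_ccache(path: str, service_uid: int) -> List[str]:
    """Findings for a FILE: credential cache a service running as service_uid
    is expected to use. An empty list means nothing looked wrong."""
    if not os.path.exists(path):
        return ["ccache does not exist"]
    st = os.stat(path)
    findings = []
    if st.st_uid != service_uid:
        findings.append(f"ccache owned by uid {st.st_uid}, not {service_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("ccache is group- or world-writable")
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("ccache readable by others (tickets could be stolen)")
    if st.st_size == 0:
        findings.append("ccache is empty (kinit never wrote it)")
    return findings


if __name__ == "__main__":
    # Names and paths taken from the thread; adjust for your host.
    pw = pwd.getpwnam("pdns")
    gids = [g.gr_gid for g in __import__("grp").getgrall() if pw.pw_name in g.gr_mem]
    gids.append(pw.pw_gid)
    keytab = "/etc/pdns.keytab"
    print("keytab readable by pdns:", can_read(keytab, pw.pw_uid, gids))
    for finding in audit_ccache(f"/tmp/krb5cc_{pw.pw_uid}", pw.pw_uid):
        print("ccache:", finding)
```

Run it as root on the PowerDNS host; a "readable by others" finding on the cache is worth fixing even once GSSAPI works, since anyone on the box could copy the service's tickets.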