[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re: LDAP/Kerberos/GSSAPI Error:Hostname cannot be canonicalized

Dear Javier,
thanx a lot or your fast response!

> I assume you are using a single host for this tests.

No, actually only the ldap and the kerberos-server is on the
same machine. The Client is a VM at a Provider and I am
sitting myself outside, somewhere in the internet. On the
server the ports 389, 88, 749, 750 and 751 (udp & tcp) are
open - next to 22 of course ;)

> Check /etc/hosts, because debian/ubuntu has a strange
> (or something alike) there.

Indeed - I found a line with on the server and
changed it to its public IP.But unfortunally this does not
change anything. From both machines (the client as well
as from the server) I receive this "generic failure:
GSSAPI Error: An invalid name was supplied (Hostname
cannot be canonicalized)"

> Also, they tend to force local node resolution to
> there, so the reverse resolution check might fail.

This might be worth to analyze a little bit more in detail -
but actually there was a big error - in the hosts-file I
named the machine wrongly ".local" instead of ".com". I
changed the entry and set up the kerberos-DB again.
Unfortunately the error still remains :(

> The other thing that might be failing is the absence of
> a proper my.domain = MY.DOMAIN in the domain_realm
> section.

When I try to include the domain in the same way, as
other REALMS are already included like

	.mit.edu = ATHENA.MIT.EDU
	mit.edu = ATHENA.MIT.EDU
	mycompany.com = TESTREALM.LOCAL
	.mycompany.com = TESTREALM.LOCAL

I get an error-message
> [..] GSSAPI Error: Miscellaneous failure (Server not found [..]

(I think, that I have to read that part of the manual ..)

> try running ldapsearch specifiying node name or ad-
> dresses on command line, and that will might produce
> clarifiying messages.

Thank you for the hint, you are right. On the other side
I did not want to accidentally publish details, that may
harm the server.

I have to leave now and will resume on this (especially
review the ".local" and ".com"-error) tomorrow.

Thank you very much again!