Can't query AD using Kerberos from Linux host

active-directory ldap openldap

I've found that specifying "-O maxssf=0" on the ldapsearch command line is necessary in order for GSSAPI AD searches to work properly. The following command works for me to search the AD global catalog via a SSL connection:

ldapsearch -LLL -O maxssf=0 -Y GSSAPI -H ldaps://ad.realm.local:3269 -b "dc=realm,dc=local" '(sAMAccountName=userid)'

Also, in order for Kerberos authentication to work with ldapsearch, DNS must be properly configured for reverse IP lookups. If not, you'll get a "cannot determine realm for numeric host address" error. If necessary, you can put the IP and hostname of your AD server in your hosts file to get it working.


From the ldapsearch(1) manpage:

-Y mech
Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.

For example:

ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=user

Assuming your /etc/gssapi_mech.conf looks something like:

# grep -v ^# /etc/gssapi_mech.conf
libgssapi_krb5.so.2             mechglue_internal_krb5_init

Related

How to make NTP work despite a high offset?
How to limit number of sessions?
Communicate within same EC2 Security Group
Run included ansible task as standalone task
OpenSSL always shows "unsupported" for all subjectAltName "otherName" UTF8 values
new DNS zone with Forward to external DNS
How do I generate an IAM policy for making snapshots?
Remount root RW without reboot
How do I access a google cloud storage bucket using a service account from the command line?
Packet captures: filtering on RX vs TX
Unable to map a network drive from a Windows NT PC, to a Windows 2000 PC
Possible to authenticate Samba via Kerberos but without domain-join?