Jump to content

Archived

This topic is now archived and is closed to further replies.

i__k

Static Group Synchronization Failed, LDAP server authentication failed

Recommended Posts

I have installed ESET Remote Administrator 6 as Virtual on Hyper V.

Have managed to add this server to domain, to add domain user as administrator on it.

 

But when I run task to Sync Static Group of computers on domain I get this error: LDAP server authentication failed.

 

Have no idea what to do.

 

Ivan

Share this post


Link to post
Share on other sites

What does server trace log say? There should be error about synchronisation.

 

If you are running ERA on Linux, then try 'kinit <username-without-domain>' from terminal to see if you are able to obtain kerberos ticket from a domain controller. If this works, then use same credentials in the synchronisation task.

Share this post


Link to post
Share on other sites

Kinit works OK for domain admin, and also for domain user.

Ivan

Share this post


Link to post
Share on other sites

This one stumped me for awhile and I finally figured it out. I run Novell Domain Services for Windows to emulate my AD environement and I was having the same ldap issue. I did packet captures, ldap traces all kind of stuff. Once I determed the problem was on the appliance, this is my method of troubleshootnig and the way I solved it:

 

Synchronization Mode - Active Directory/Open Directory/LDAP

When attempting to browsing the directory it would immediately fail.

Found the the logv/var/log/eset/RemoteAdministrator/Server/trace.log

2015-03-31 17:10:42 Error: ConsoleApiModule [Thread 7fcc35de2700]: 9 Error while getting synchronization nodes: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)

2015-03-31 17:10:44 Error: CServerStaticGroupsModule [Thread 7fcc37be5700]: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)

2015-03-31 17:10:44 Error: ConsoleApiModule [Thread 7fcc35de2700]: 9 Error while getting synchronization nodes: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)

 

This error points to permission problems with the krb5 keystore file.

Kinit works fine and klist shows:

[root@eset-us audit]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: User@DOMAIN.COM

Valid starting     Expires            Service principal
03/31/15 12:14:41  03/31/15 22:14:41  krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 04/01/15 12:14:47
03/31/15 12:14:42  03/31/15 22:14:41  ldap/server.domain.com@
renew until 04/01/15 12:14:47
03/31/15 12:14:42  03/31/15 22:14:41  ldap/server.domain.com@DOMAIN.COM
renew until 04/01/15 12:14:47

Looked at the keystore file /tmp/krb5cc_0

[root@eset-us tmp]# ls -l krb5cc_0
-rw-------. 1 root root 3524 Mar 31 12:14 krb5cc_0

[root@eset-us tmp]# ls -Z krb5cc_0
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 krb5cc_0

 

Looked in the SELINUX audit log and found:

type=AVC msg=audit(1427479161.221:395): avc:  denied  { unlink } for  pid=21111 comm="kinit" name="krb5cc_0" dev=dm-0 ino=262297 scontext=system_u:system_r:eraserver_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

showing that the keystore file was in the wrong context that SELINUX wanted it so it was denied access.

Edited the /etc/selinux/config file and changed the entries:

From: SELINUX=enforcing

To: SELINUX=permissive

Next reloaded SELINUX

semodule -R

I can't remember if I had to reboot or not but it started working.

Looked at the keystore file /tmp/krb5cc_0 again

[root@eset-us tmp]# ls -l krb5cc_0
-rw-------. 1 root root 3524 Mar 31 12:14 krb5cc_0

[root@eset-us tmp]# ls -Z krb5cc_0
-rw-------. root   root   system_u:object_r:eraserver_tmp_t:s0 krb5cc_0

Notice the context changed to match the what the audit log had expected. system_u and eraserver_tmp_t

 

Again edited the /etc/selinux/config file and changed the entries:

From: SELINUX=permissive

To: SELINUX=enforcing

Next reloaded SELINUX

semodule -R

Did not change after the reboot. So the browse function is still working.

 

Hope this helps :D

Share this post


Link to post
Share on other sites

Just curious, but why use ERA on Linux under Hyper-V? I have ERA on Server 2012 under Hyper-V and it works very well.

Share this post


Link to post
Share on other sites

The isses came to to SELINUX. Windows does not have SELINUX. SELINUX sets ACL on files and was not giving the erauser the correct rights to the eraserver. Windows would work completely different. Noting to do with Samba, LDAP or kerberos. They are working as they should be, but there mechanism did not have the correct access to the keystore.

 

Cheers,

 

John

Share this post


Link to post
Share on other sites

Hello,

 

this will be fixed in upcoming hot-fix release of the ERA.

 

P.R.

Great:-D

Share this post


Link to post
Share on other sites

/var/log/eset/RemoteAdministrator/Server# tail -f trace.log |grep Error
2015-05-14 06:56:18 Error: CServerStaticGroupsModule [Thread 7f66bcfe9700]: boost::process::find_executable_in_path: file not found: No such file or directory: "ldapsearch"
 

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...