Jump to content

Static Group Synchronization Failed, LDAP server authentication failed


i__k
 Share

Recommended Posts

I have installed ESET Remote Administrator 6 as Virtual on Hyper V.

Have managed to add this server to domain, to add domain user as administrator on it.

 

But when I run task to Sync Static Group of computers on domain I get this error: LDAP server authentication failed.

 

Have no idea what to do.

 

Ivan

Link to comment
Share on other sites

  • ESET Staff

What does server trace log say? There should be error about synchronisation.

 

If you are running ERA on Linux, then try 'kinit <username-without-domain>' from terminal to see if you are able to obtain kerberos ticket from a domain controller. If this works, then use same credentials in the synchronisation task.

Link to comment
Share on other sites

This one stumped me for awhile and I finally figured it out. I run Novell Domain Services for Windows to emulate my AD environement and I was having the same ldap issue. I did packet captures, ldap traces all kind of stuff. Once I determed the problem was on the appliance, this is my method of troubleshootnig and the way I solved it:

 

Synchronization Mode - Active Directory/Open Directory/LDAP

When attempting to browsing the directory it would immediately fail.

Found the the logv/var/log/eset/RemoteAdministrator/Server/trace.log

2015-03-31 17:10:42 Error: ConsoleApiModule [Thread 7fcc35de2700]: 9 Error while getting synchronization nodes: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)

2015-03-31 17:10:44 Error: CServerStaticGroupsModule [Thread 7fcc37be5700]: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)

2015-03-31 17:10:44 Error: ConsoleApiModule [Thread 7fcc35de2700]: 9 Error while getting synchronization nodes: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)

 

This error points to permission problems with the krb5 keystore file.

Kinit works fine and klist shows:

[root@eset-us audit]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: User@DOMAIN.COM

Valid starting     Expires            Service principal
03/31/15 12:14:41  03/31/15 22:14:41  krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 04/01/15 12:14:47
03/31/15 12:14:42  03/31/15 22:14:41  ldap/server.domain.com@
renew until 04/01/15 12:14:47
03/31/15 12:14:42  03/31/15 22:14:41  ldap/server.domain.com@DOMAIN.COM
renew until 04/01/15 12:14:47

Looked at the keystore file /tmp/krb5cc_0

[root@eset-us tmp]# ls -l krb5cc_0
-rw-------. 1 root root 3524 Mar 31 12:14 krb5cc_0

[root@eset-us tmp]# ls -Z krb5cc_0
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 krb5cc_0

 

Looked in the SELINUX audit log and found:

type=AVC msg=audit(1427479161.221:395): avc:  denied  { unlink } for  pid=21111 comm="kinit" name="krb5cc_0" dev=dm-0 ino=262297 scontext=system_u:system_r:eraserver_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

showing that the keystore file was in the wrong context that SELINUX wanted it so it was denied access.

Edited the /etc/selinux/config file and changed the entries:

From: SELINUX=enforcing

To: SELINUX=permissive

Next reloaded SELINUX

semodule -R

I can't remember if I had to reboot or not but it started working.

Looked at the keystore file /tmp/krb5cc_0 again

[root@eset-us tmp]# ls -l krb5cc_0
-rw-------. 1 root root 3524 Mar 31 12:14 krb5cc_0

[root@eset-us tmp]# ls -Z krb5cc_0
-rw-------. root   root   system_u:object_r:eraserver_tmp_t:s0 krb5cc_0

Notice the context changed to match the what the audit log had expected. system_u and eraserver_tmp_t

 

Again edited the /etc/selinux/config file and changed the entries:

From: SELINUX=permissive

To: SELINUX=enforcing

Next reloaded SELINUX

semodule -R

Did not change after the reboot. So the browse function is still working.

 

Hope this helps :D

Link to comment
Share on other sites

The isses came to to SELINUX. Windows does not have SELINUX. SELINUX sets ACL on files and was not giving the erauser the correct rights to the eraserver. Windows would work completely different. Noting to do with Samba, LDAP or kerberos. They are working as they should be, but there mechanism did not have the correct access to the keystore.

 

Cheers,

 

John

Link to comment
Share on other sites

  • 1 month later...

/var/log/eset/RemoteAdministrator/Server# tail -f trace.log |grep Error
2015-05-14 06:56:18 Error: CServerStaticGroupsModule [Thread 7f66bcfe9700]: boost::process::find_executable_in_path: file not found: No such file or directory: "ldapsearch"
 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...