Static Group Synchronization Failed, LDAP server authentication failed

[i__k 0]

I have installed ESET Remote Administrator 6 as Virtual on Hyper V.

Have managed to add this server to domain, to add domain user as administrator on it.

 

But when I run task to Sync Static Group of computers on domain I get this error: LDAP server authentication failed.

 

Have no idea what to do.

 

Ivan

[michalp 20]

What does server trace log say? There should be error about synchronisation.

 

If you are running ERA on Linux, then try 'kinit <username-without-domain>' from terminal to see if you are able to obtain kerberos ticket from a domain controller. If this works, then use same credentials in the synchronisation task.

[i__k 0]

Kinit works OK for domain admin, and also for domain user.

Ivan

[JJJakus 0]

This one stumped me for awhile and I finally figured it out. I run Novell Domain Services for Windows to emulate my AD environement and I was having the same ldap issue. I did packet captures, ldap traces all kind of stuff. Once I determed the problem was on the appliance, this is my method of troubleshootnig and the way I solved it:

 

Synchronization Mode - Active Directory/Open Directory/LDAP

When attempting to browsing the directory it would immediately fail.

Found the the logv/var/log/eset/RemoteAdministrator/Server/trace.log

2015-03-31 17:10:42 Error: ConsoleApiModule [Thread 7fcc35de2700]: 9 Error while getting synchronization nodes: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)

2015-03-31 17:10:44 Error: CServerStaticGroupsModule [Thread 7fcc37be5700]: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)

2015-03-31 17:10:44 Error: ConsoleApiModule [Thread 7fcc35de2700]: 9 Error while getting synchronization nodes: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache permissions incorrect)
 

This error points to permission problems with the krb5 keystore file.

Kinit works fine and klist shows:

[root@eset-us audit]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: User@DOMAIN.COM

Valid starting     Expires            Service principal
03/31/15 12:14:41  03/31/15 22:14:41  krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 04/01/15 12:14:47
03/31/15 12:14:42  03/31/15 22:14:41  ldap/server.domain.com@
renew until 04/01/15 12:14:47
03/31/15 12:14:42  03/31/15 22:14:41  ldap/server.domain.com@DOMAIN.COM
renew until 04/01/15 12:14:47

Looked at the keystore file /tmp/krb5cc_0

[root@eset-us tmp]# ls -l krb5cc_0
-rw-------. 1 root root 3524 Mar 31 12:14 krb5cc_0

[root@eset-us tmp]# ls -Z krb5cc_0
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 krb5cc_0
 

Looked in the SELINUX audit log and found:

type=AVC msg=audit(1427479161.221:395): avc:  denied  { unlink } for  pid=21111 comm="kinit" name="krb5cc_0" dev=dm-0 ino=262297 scontext=system_u:system_r:eraserver_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

showing that the keystore file was in the wrong context that SELINUX wanted it so it was denied access.

Edited the /etc/selinux/config file and changed the entries:

From: SELINUX=enforcing

To: SELINUX=permissive

Next reloaded SELINUX

semodule -R

I can't remember if I had to reboot or not but it started working.

Looked at the keystore file /tmp/krb5cc_0 again

[root@eset-us tmp]# ls -l krb5cc_0
-rw-------. 1 root root 3524 Mar 31 12:14 krb5cc_0

[root@eset-us tmp]# ls -Z krb5cc_0
-rw-------. root   root   system_u:object_r:eraserver_tmp_t:s0 krb5cc_0

Notice the context changed to match the what the audit log had expected. system_u and eraserver_tmp_t

 

Again edited the /etc/selinux/config file and changed the entries:

From: SELINUX=permissive

To: SELINUX=enforcing

Next reloaded SELINUX

semodule -R

Did not change after the reboot. So the browse function is still working.

 

Hope this helps

[jimwillsher 65]

Just curious, but why use ERA on Linux under Hyper-V? I have ERA on Server 2012 under Hyper-V and it works very well.

[JJJakus 0]

The isses came to to SELINUX. Windows does not have SELINUX. SELINUX sets ACL on files and was not giving the erauser the correct rights to the eraserver. Windows would work completely different. Noting to do with Samba, LDAP or kerberos. They are working as they should be, but there mechanism did not have the correct access to the keystore.

 

Cheers,

 

John

[Peter Randziak 1,130]

Hello,

 

this will be fixed in upcoming hot-fix release of the ERA.

 

P.R.

[JJJakus 0]

Hello,

 

this will be fixed in upcoming hot-fix release of the ERA.

 

P.R.

Great:-D

[evgen66rus 0]

/var/log/eset/RemoteAdministrator/Server# tail -f trace.log |grep Error
2015-05-14 06:56:18 Error: CServerStaticGroupsModule [Thread 7f66bcfe9700]: boost::process::find_executable_in_path: file not found: No such file or directory: "ldapsearch"