noirello / bonsai

Simple Python 3 module for LDAP, using libldap2 and winldap C libraries.
MIT License

GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Message stream modified) #78

Closed kingluo closed 1 year ago

kingluo commented 1 year ago

I'm setting up a windows AD domain service, and I need to access it via LDAP/GSSAPI/Kerberos.

But I encounter this issue: ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Message stream modified)

I could get the service ticket from Kerberos, but the ldap bind failed.

But I tried Linux kdc/openldap and that's ok.

Does it seem that there is somehow a DNS issue? I don't know how to set up a correct AD domain service. I just need to verify the simplest LDAP bind via Kerberos.

Do you have any idea where I am wrong?

Thank you very much!

noirello commented 1 year ago

Sorry, but it looks like some very specific AD-related problem to your environment. I'm not an AD expert. Unfortunately, I can't even point you to a direction, where you can get some answers.

kingluo commented 1 year ago

Thanks for your reply! Does bonsai CI test AD with Kerberos? I checked the .appveyor/ dir, which is the AD env setup? Or, could you share some info on how to set up an AD with Kerberos? Thank you.


noirello commented 1 year ago

Yes, it does. You can check the InstallAD PowerShell script. It installs and configures a DNS server and a single node Active Directory server.

kingluo commented 1 year ago

@noirello No luck too...

I checked that .appveyor/ seems not to do anything related to Kerberos. But then again, have you tried to test bonsai so that it does a successful GSSAPI bind to AD/Kerberos? If so, does it need some configuration or not, e.g. reverse DNS on AD?

Or, does bonsai only test with MIT/Heimdal Kerberos + OpenLDAP?

kingluo commented 1 year ago

@noirello If I do not add SPN on AD, then I get "server not found in Kerberos database" error from KDC.


If I set SPN ldap/bonsai.test on AD, then I could get a service ticket from KDC, but later, I get "message stream modified" from the first bind response from AD.

noirello commented 1 year ago

The GSSAPI binding mechanism is tested on Windows with AD. It was quite a while ago when I configured the appveyor test environment. The only thing that was a bit unexpected was that I had to use the FQDN (appveyor-vm.bonsai.test) instead of simply using bonsai.test.

kingluo commented 1 year ago

> The GSSAPI binding mechanism is tested on Windows with AD. It was quite a while ago when I configured the appveyor test environment. The only thing that was a bit unexpected was that I had to use the FQDN (appveyor-vm.bonsai.test) instead of simply using bonsai.test.

@noirello Do you test it manually or via CI? On Windows, GSSAPI uses SSPI automatically, right?

https://github.com/noirello/bonsai/blob/dbbac8d3c4de59002ad562950c7642f148c2f83f/tests/test_ldapconnection.py#L342

kingluo commented 1 year ago

@noirello I could use bonsai to access AD over Kerberos now; maybe it's really an FQDN issue, I still need to investigate. Thanks for your hints.
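The FQDN detail that resolved the thread, as an added diagnostic (example code, not part of bonsai): it shows the `ldap/<host>` service principal a Kerberos client derives from the host name you pass, flags when DNS canonicalises that name to something else, and then binds with bonsai using the canonical FQDN. The `lookup` parameter, the fake resolver and the `appveyor-vm.bonsai.test` value in the usage line are assumptions for offline illustration; the bind step assumes bonsai is installed and a ticket cache (or SSPI on Windows) already holds a valid TGT.

```python
"""Pre-flight check before a GSSAPI bind: which host name will Kerberos
put into the LDAP service principal, and does it differ from the name
you typed?  Added example; not part of bonsai."""
import socket
from typing import Callable, Dict, Optional

Lookup = Callable[[str], str]


def _dns_canonical(host: str) -> str:
    """Ask the resolver for the canonical name (CNAME/A target) of host."""
    infos = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    canon = infos[0][3] if infos else ""
    return canon or host


def spn_report(host: str, lookup: Optional[Lookup] = None) -> Dict[str, object]:
    """Compare the given host with its canonical DNS name and derive the
    ldap/<fqdn> SPN a Kerberos client will request from the KDC.
    `lookup` defaults to a live DNS query; pass a callable to run offline."""
    canon = (lookup or _dns_canonical)(host)
    given = host.rstrip(".").lower()
    fqdn = canon.rstrip(".").lower()
    return {
        "given": given,
        "canonical": fqdn,
        "spn": f"ldap/{fqdn}",
        "name_changed": given != fqdn,  # True: the SPN must exist for fqdn, not for given
    }


def gssapi_bind(host: str, lookup: Optional[Lookup] = None) -> str:
    """Bind to the LDAP server with the existing Kerberos credentials using
    the canonical FQDN and return the bound identity (assumes bonsai and a
    valid ticket; not verified here)."""
    import bonsai  # imported lazily so the report function runs without it

    report = spn_report(host, lookup)
    if report["name_changed"]:
        print(f"note: {report['given']} canonicalises to {report['canonical']}; "
              f"the service ticket requested is for {report['spn']}")
    client = bonsai.LDAPClient(f"ldap://{report['canonical']}")
    client.set_credentials("GSSAPI")  # no user/password: use the ticket cache
    with client.connect() as conn:
        return conn.whoami()


if __name__ == "__main__":
    # Constructed input: the thread's short name and the CI host's FQDN.
    print(spn_report("bonsai.test", lookup=lambda _h: "appveyor-vm.bonsai.test."))
```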