Disabling IPv6
IPv6 interferes with the proper operation of GSSAPI.
Symptom:
su www-admin -c " ldapsearch -LLL -Y gssapi -H ldap://se4ad.clg-hugo-gisors.ac-rouen.fr '(cn=toto)'"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
tcpdump shows the GSSAPI requests going out to the Internet over IPv6:
un. oct. 01 18:00:24 root@se4fs.:~
# tcpdump host se4ad
18:00:56.158865 IP6 2a01cb060267e900089eeafffe70975c.ipv6.abo.wanadoo.fr.36706 > pc-123.home.ldap: Flags [S], seq 3420920623, win 28800, options [mss 1440,sackOK,TS val 57684 ecr 0,nop,wscale 6], length 0
18:00:56.158959 IP se4fs.clg-hugo-gisors.ac-rouen.fr.45679 > se4ad.clg-hugo-gisors.ac-rouen.fr.domain: 36531+ PTR? 5.1.5.6.1.0.e.f.f.f.d.f.c.9.8.0.0.0.9.e.7.6.2.0.6.0.b.c.1.0.a.2.ip6.arpa. (90)
18:00:56.159021 IP6 pc-123.home.ldap > 2a01cb060267e900089eeafffe70975c.ipv6.abo.wanadoo.fr.36706: Flags [S.], seq 4027824110, ack 3420920624, win 28560, options [mss 1440,sackOK,TS val 18630526 ecr 57684,nop,wscale 6], length 0
18:00:56.159037 IP6 2a01cb060267e900089eeafffe70975c.ipv6.abo.wanadoo.fr.36706 > pc-123.home.ldap: Flags [.], ack 1, win 450, options [nop,nop,TS val 57684 ecr 18630526], length 0
18:00:56.159100 IP se4fs.clg-hugo-gisors.ac-rouen.fr.35150 > se4ad.clg-hugo-gisors.ac-rouen.fr.domain: 26150+ PTR? 5.1.5.6.1.0.e.f.f.f.d.f.c.9.8.0.0.0.9.e.7.6.2.0.6.0.b.c.1.0.a.2.ip6.arpa. (90)
18:00:56.162977 IP se4ad.clg-hugo-gisors.ac-rouen.fr.domain > se4fs.clg-hugo-gisors.ac-rouen.fr.45679: 36531 1/0/0 PTR pc-123.home. (115)
18:00:56.163061 IP se4fs.clg-hugo-gisors.ac-rouen.fr.35646 > se4ad.clg-hugo-gisors.ac-rouen.fr.domain: 21839+ PTR? c.5.7.9.0.7.e.f.f.f.a.e.e.9.8.0.0.0.9.e.7.6.2.0.6.0.b.c.1.0.a.2.ip6.arpa. (90)
18:00:56.180533 IP se4fs.clg-hugo-gisors.ac-rouen.fr.40446 > se4ad.clg-hugo-gisors.ac-rouen.fr.domain: 62041+ SRV? _kerberos-master._tcp.CLG-HUGO-GISORS.AC-ROUEN.FR. (67)
18:00:56.180733 IP se4ad.clg-hugo-gisors.ac-rouen.fr.domain > se4fs.clg-hugo-gisors.ac-rouen.fr.40446: 62041 NXDomain* 0/0/0 (67)
18:00:56.181681 IP6 2a01cb060267e900089eeafffe70975c.ipv6.abo.wanadoo.fr.36706 > pc-123.home.ldap: Flags [P.], seq 1:8, ack 1, win 450, options [nop,nop,TS val 57690 ecr 18630526], length 7
18:00:56.181757 IP6 pc-123.home.ldap > 2a01cb060267e900089eeafffe70975c.ipv6.abo.wanadoo.fr.36706: Flags [.], ack 8, win 447, options [nop,nop,TS val 18630531 ecr 57690], length 0
18:00:56.181933 IP6 2a01cb060267e900089eeafffe70975c.ipv6.abo.wanadoo.fr.36706 > pc-123.home.ldap: Flags [F.], seq 8, ack 1, win 450, options [nop,nop,TS val 57690 ecr 18630531], length 0
18:00:56.182045 IP6 pc-123.home.ldap > 2a01cb060267e900089eeafffe70975c.ipv6.abo.wanadoo.fr.36706: Flags [F.], seq 1, ack 9, win 447, options [nop,nop,TS val 18630531 ecr 57690], length 0
18:00:56.182052 IP6 2a01cb060267e900089eeafffe70975c.ipv6.abo.wanadoo.fr.36706 > pc-123.home.ldap: Flags [.], ack 2, win 450, options [nop,nop,TS val 57690 ecr 18630531], length 0
18:00:58.425138 IP se4fs.clg-hugo-gisors.ac-rouen.fr.51261 > se4ad.clg-hugo-gisors.ac-rouen.fr.domain: 48700+ A? se4fs.clg-hugo-gisors.ac-rouen.fr. (51)
18:00:58.425818 IP se4ad.clg-hugo-gisors.ac-rouen.fr.domain > se4fs.clg-hugo-gisors.ac-rouen.fr.51261: 48700* 1/1/0 A 10.127.164.106 (120)
18:01:01.195473 IP6 fe80::89e:eaff:fe70:975c > pc-123.home: ICMP6, neighbor solicitation, who has pc-123.home, length 32
18:01:01.195507 ARP, Request who-has se4ad.clg-hugo-gisors.ac-rouen.fr tell se4fs.clg-hugo-gisors.ac-rouen.fr, length 28
18:01:01.195663 IP se4fs.clg-hugo-gisors.ac-rouen.fr.33760 > se4ad.clg-hugo-gisors.ac-rouen.fr.domain: 8999+ PTR? c.5.7.9.0.7.e.f.f.f.a.e.e.9.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
18:01:01.195676 IP6 pc-123.home > fe80::89e:eaff:fe70:975c: ICMP6, neighbor advertisement, tgt is pc-123.home, length 24
In addition, I see DNS queries repeating in a loop every 4 to 5 seconds:
18:07:48.432295 IP se4fs.clg-hugo-gisors.ac-rouen.fr.54019 > se4ad.clg-hugo-gisors.ac-rouen.fr.domain: 38380+ A? se4fs.clg-hugo-gisors.ac-rouen.fr. (51)
18:07:48.432929 IP se4ad.clg-hugo-gisors.ac-rouen.fr.domain > se4fs.clg-hugo-gisors.ac-rouen.fr.54019: 38380* 1/1/0 A 10.127.164.106 (120)
18:07:58.432356 IP se4fs.clg-hugo-gisors.ac-rouen.fr.58600 > se4ad.clg-hugo-gisors.ac-rouen.fr.domain: 52288+ A? se4fs.clg-hugo-gisors.ac-rouen.fr. (51)
18:07:58.432947 IP se4ad.clg-hugo-gisors.ac-rouen.fr.domain > se4fs.clg-hugo-gisors.ac-rouen.fr.58600: 52288* 1/1/0 A 10.127.164.106 (120)
18:08:03.681870 ARP, Request who-has se4fs.clg-hugo-gisors.ac-rouen.fr tell se4ad.clg-hugo-gisors.ac-rouen.fr, length 28
18:08:03.681890 ARP, Reply se4fs.clg-hugo-gisors.ac-rouen.fr is-at 0a:9e:ea:70:97:5c (oui Unknown), length 28
18:08:08.432101 IP se4fs.clg-hugo-gisors.ac-rouen.fr.50117 > se4ad.clg-hugo-gisors.ac-rouen.fr.domain: 63098+ A? se4fs.clg-hugo-gisors.ac-rouen.fr. (51)
18:08:08.432631 IP se4ad.clg-hugo-gisors.ac-rouen.fr.domain > se4fs.clg-hugo-gisors.ac-rouen.fr.50117: 63098* 1/1/0 A 10.127.164.106 (120)
Once IPv6 is disabled, the GSSAPI request works.
Solution: disable IPv6 using the method below: https://www.memoinfo.fr/tutoriels-linux/desactiver-ipv6-sur-debian/
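
The two signs visible in the first capture can be checked mechanically: an LDAP connection opened over IPv6, and a PTR answer naming something other than the directory server (here pc-123.home instead of se4ad). The script below is an added example, not part of the original note; the function name analyze and its finding labels are hypothetical, and the sample lines are shortened from the capture above. It assumes the usual behaviour of a Kerberos client that canonicalizes the server name through reverse DNS, which would make it request a service principal the KDC does not know.

```python
import re

# Lines shortened from the capture above (TCP options trimmed).
SAMPLE = """\
18:00:56.158865 IP6 2a01cb060267e900089eeafffe70975c.ipv6.abo.wanadoo.fr.36706 > pc-123.home.ldap: Flags [S], seq 3420920623, length 0
18:00:56.162977 IP se4ad.clg-hugo-gisors.ac-rouen.fr.domain > se4fs.clg-hugo-gisors.ac-rouen.fr.45679: 36531 1/0/0 PTR pc-123.home. (115)
18:00:56.180733 IP se4ad.clg-hugo-gisors.ac-rouen.fr.domain > se4fs.clg-hugo-gisors.ac-rouen.fr.40446: 62041 NXDomain* 0/0/0 (67)
18:00:58.425818 IP se4ad.clg-hugo-gisors.ac-rouen.fr.domain > se4fs.clg-hugo-gisors.ac-rouen.fr.51261: 48700* 1/1/0 A 10.127.164.106 (120)
"""

# "<time> IP|IP6 <src> > <dst>: <rest>" as printed by tcpdump
FLOW = re.compile(r"^\S+ (IP6?) (\S+) > (\S+): (.*)$")
# DNS answer "... PTR name. (len)"; queries are printed as "PTR?" and do not match
PTR_ANSWER = re.compile(r"\bPTR (\S+?)\.? \(")


def analyze(capture, expected_fqdn, service="ldap"):
    """Return (kind, host) findings that point at a wrong GSSAPI target name."""
    expected = expected_fqdn.lower().rstrip(".")
    findings = []
    for line in capture.splitlines():
        m = FLOW.match(line)
        if not m:
            continue  # ARP and other non-IP lines
        family, _src, dst, rest = m.groups()
        # tcpdump prints endpoints as host.port; split off the port/service.
        dst_host, _, dst_port = dst.rpartition(".")
        # A bare SYN ("Flags [S]") to the LDAP port over IPv6.
        if family == "IP6" and dst_port == service and "Flags [S]" in rest:
            findings.append(("ipv6_connect", dst_host))
        # A reverse-DNS answer that does not name the expected server.
        ptr = PTR_ANSWER.search(rest)
        if ptr and ptr.group(1).lower() != expected:
            findings.append(("ptr_mismatch", ptr.group(1)))
    return findings


if __name__ == "__main__":
    for kind, host in analyze(SAMPLE, "se4ad.clg-hugo-gisors.ac-rouen.fr"):
        print(kind, host)
```

Feed it the text output of the tcpdump command shown above, with the FQDN the LDAP service principal is registered under as the second argument.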