<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:8pt"><div><span>I'm trying to follow the Kerberos howto guide at <a target="_blank" href="http://directory.fedoraproject.org/wiki/Howto:Kerberos">http://directory.fedoraproject.org/wiki/Howto:Kerberos</a> but am having an issue authenticating to the Directory Server with GSSAPI/Kerberos tickets:</span><br>$ /usr/lib/mozldap/ldapsearch -h station1.example.com -p 389 -o mech=GSSAPI -o authid="mcarey@STATION1.EXAMPLE.COM" -o authzid="mcarey@STATION1.EXAMPLE.COM" -b "dc=example,dc=com" "(cn=*)"<br>Bind Error: Invalid credentials<br>Bind Error: additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br><br>Attempt with OpenLDAP client:<br>$ /usr/bin/ldapsearch -Y GSSAPI -X u:mcarey -b "" -s base -LLL -H ldap://station1.example.com -b "dc=example,dc=com"
"(cn=*)"<br>SASL/GSSAPI authentication started<br>ldap_sasl_interactive_bind_s: Invalid credentials (49)<br> additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br><br><br>Resulting in the following entries in the access log on the DS:<br># tail -5 access<br>[04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from 10.100.0.45 to 10.100.0.45<br>[04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI<br>[04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0<br>[04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND<br>[04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1<br><br><br>From what I can tell the Kerberos infrastructure and OS components are setup accordingly:<br>GSSAPI is a viable SASL mechanism: <br>$ /usr/lib/mozldap/ldapsearch -b "" -h station1 -p 389 -s base "(objectClass=*)" supportedSASLMechanisms<br>version:
1<br>dn:<br>supportedSASLMechanisms: EXTERNAL<br>supportedSASLMechanisms: DIGEST-MD5<br>supportedSASLMechanisms: GSSAPI<br>supportedSASLMechanisms: LOGIN<br>supportedSASLMechanisms: CRAM-MD5<br>supportedSASLMechanisms: ANONYMOUS<br>supportedSASLMechanisms: PLAIN<br><br>Directory Server keytab and contents:<br># grep "nsslapd-localuser" dse.ldif<br>nsslapd-localuser: nobody<br># ls -la ds.keytab <br>-rw------- 1 nobody nobody 172 Oct 3 13:21 ds.keytab<br># ktutil<br>ktutil: rkt ./ds.keytab<br>ktutil: l<br>slot KVNO Principal<br>---- ---- ---------------------------------------------------------------------<br> 1 3 ldap/station1.example.com@STATION1.EXAMPLE.COM<br> 2 3 ldap/station1.example.com@STATION1.EXAMPLE.COM<br># grep KRB /etc/sysconfig/dirsrv<br>KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME<br><br>SASL maps in Directory Server:<br>dn: cn=Kerberos uid
mapping,cn=mapping,cn=sasl,cn=config<br>objectClass: top<br>objectClass: nsSaslMapping<br>cn: Kerberos uid mapping<br>nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)<br>nsSaslMapBaseDNTemplate: dc=\2,dc=\3<br>nsSaslMapFilterTemplate: (uid=\1)<br><br>dn: cn=Station1 Kerberos Mapping,cn=mapping,cn=sasl,cn=config<br>objectClass: top<br>objectClass: nsSaslMapping<br>cn: Station1 Kerberos Mapping<br>nsSaslMapRegexString: (.*)@STATATION1.EXAMPLE.COM<br>nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)<br>nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=example,dc=com<br><br>dn: cn=station1 map,cn=mapping,cn=sasl,cn=config<br>objectClass: top<br>objectClass: nsSaslMapping<br>cn: example map<br>cn: station1 map<br>nsSaslMapRegexString: \(.*\)<br>nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com<br>nsSaslMapFilterTemplate: (cn=\1)<br><br>Getting a ticket from the KDC:<br>[mcarey@station1 ~]$ kdestroy<br>[mcarey@station1 ~]$ kinit<br>Password for
mcarey@STATION1.EXAMPLE.COM: <br>[mcarey@station1 ~]$ klist<br>Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20<br>Default principal: mcarey@STATION1.EXAMPLE.COM<br>Valid starting Expires Service principal<br>10/04/10 10:57:20 10/04/10 17:37:20 krbtgt/STATION1.EXAMPLE.COM@STATION1.EXAMPLE.COM<br>Kerberos 4 ticket cache: /tmp/tkt5000<br>klist: You have no tickets cached<br><br>Any help or pointers people have would be greatly appreciated. <br></div>
</div><br>
</body></html>