Hi,<br><br>Try<br><br>kinit username<br><password><br>klist -e<br><br>/usr/bin/ldapsearch -Y GSSAPI -h <a href="http://station1.example.com/" target="_blank">station1.example.com</a> -b "dc=example,dc=com" "(cn=*)"<br>
<br>klist -e<br><you should see the additional ticket ldap/<a href="http://station1.example.com">station1.example.com</a>><br>At least, that's how it works in our system<br><br><br><div class="gmail_quote">2010/10/4 Matt Carey <span dir="ltr"><<a href="mailto:cvstealth2000@yahoo.com">cvstealth2000@yahoo.com</a>></span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div style="font-family: times new roman,new york,times,serif; font-size: 8pt;"><div><span>I'm trying to follow the Kerberos howto guide at <a href="http://directory.fedoraproject.org/wiki/Howto:Kerberos" target="_blank">http://directory.fedoraproject.org/wiki/Howto:Kerberos</a> but am having an issue authenticating to the Directory Server with GSSAPI/Kerberos tickets:</span><br>
$ /usr/lib/mozldap/ldapsearch -h <a href="http://station1.example.com" target="_blank">station1.example.com</a> -p 389 -o mech=GSSAPI -o authid="<a href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a>" -o authzid="<a href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a>" -b "dc=example,dc=com" "(cn=*)"<br>
Bind Error: Invalid credentials<br>Bind Error: additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br><br>Attempt with OpenLDAP client:<br>$ /usr/bin/ldapsearch -Y GSSAPI -X u:mcarey -b "" -s base -LLL -H ldap://<a href="http://station1.example.com" target="_blank">station1.example.com</a> -b "dc=example,dc=com"
"(cn=*)"<br>SASL/GSSAPI authentication started<br>ldap_sasl_interactive_bind_s: Invalid credentials (49)<br> additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br><br>
<br>Resulting in the following entries in the access log on the DS:<br># tail -5 access<br>[04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from 10.100.0.45 to 10.100.0.45<br>[04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI<br>
[04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0<br>[04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND<br>[04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1<br><br><br>From what I can tell the Kerberos infrastructure and OS components are setup accordingly:<br>
GSSAPI is a viable SASL mechanism: <br>$ /usr/lib/mozldap/ldapsearch -b "" -h station1 -p 389 -s base "(objectClass=*)" supportedSASLMechanisms<br>version:
1<br>dn:<br>supportedSASLMechanisms: EXTERNAL<br>supportedSASLMechanisms: DIGEST-MD5<br>supportedSASLMechanisms: GSSAPI<br>supportedSASLMechanisms: LOGIN<br>supportedSASLMechanisms: CRAM-MD5<br>supportedSASLMechanisms: ANONYMOUS<br>
supportedSASLMechanisms: PLAIN<br><br>Directory Server keytab and contents:<br># grep "nsslapd-localuser" dse.ldif<br>nsslapd-localuser: nobody<br># ls -la ds.keytab <br>-rw------- 1 nobody nobody 172 Oct 3 13:21 ds.keytab<br>
# ktutil<br>ktutil: rkt ./ds.keytab<br>ktutil: l<br>slot KVNO Principal<br>---- ---- ---------------------------------------------------------------------<br> 1 3 ldap/<a href="http://station1.example.com" target="_blank">station1.example.com</a>@<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a><br>
2 3 ldap/<a href="http://station1.example.com" target="_blank">station1.example.com</a>@<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a><br># grep KRB /etc/sysconfig/dirsrv<br>KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME<br>
<br>SASL maps in Directory Server:<br>dn: cn=Kerberos uid
mapping,cn=mapping,cn=sasl,cn=config<br>objectClass: top<br>objectClass: nsSaslMapping<br>cn: Kerberos uid mapping<br>nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)<br>nsSaslMapBaseDNTemplate: dc=\2,dc=\3<br>nsSaslMapFilterTemplate: (uid=\1)<br>
<br>dn: cn=Station1 Kerberos Mapping,cn=mapping,cn=sasl,cn=config<br>objectClass: top<br>objectClass: nsSaslMapping<br>cn: Station1 Kerberos Mapping<br>nsSaslMapRegexString: (.*)@<a href="http://STATATION1.EXAMPLE.COM" target="_blank">STATATION1.EXAMPLE.COM</a><br>
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)<br>nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=example,dc=com<br><br>dn: cn=station1 map,cn=mapping,cn=sasl,cn=config<br>objectClass: top<br>objectClass: nsSaslMapping<br>
cn: example map<br>cn: station1 map<br>nsSaslMapRegexString: \(.*\)<br>nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com<br>nsSaslMapFilterTemplate: (cn=\1)<br><br>Getting a ticket from the KDC:<br>[mcarey@station1 ~]$ kdestroy<br>
[mcarey@station1 ~]$ kinit<br>Password for
<a href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a>: <br>[mcarey@station1 ~]$ klist<br>Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20<br>Default principal: <a href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a><br>
Valid starting Expires Service principal<br>10/04/10 10:57:20 10/04/10 17:37:20 krbtgt/<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a>@<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a><br>
Kerberos 4 ticket cache: /tmp/tkt5000<br>klist: You have no tickets cached<br><br>Any help or pointers people have would be greatly appreciated. <br></div>
</div><br>
</div><br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div><br>
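A GSSAPI bind goes through two stages: the Kerberos context is accepted against the keytab (the stage that fails with gss_accept_sec_context above), and only then is the authenticated principal fed through the nsSaslMapping entries to find a DN. The script below is an added example, not from this thread or the 389 DS project, that replays the second stage on the three mappings quoted in the post; it assumes an unanchored regex search, that both the \( \) and ( ) group styles shown denote capture groups, and that \1, \2 ... in the templates are substituted from those groups.

```python
import re

# Constructed from the nsSaslMapping entries quoted in the post.
MAPPINGS = [
    {"cn": "Kerberos uid mapping",
     "regex": r"\(.*\)@\(.*\)\.\(.*\)",
     "base": r"dc=\2,dc=\3",
     "filter": r"(uid=\1)"},
    {"cn": "Station1 Kerberos Mapping",
     "regex": r"(.*)@STATATION1.EXAMPLE.COM",
     "base": r"uid=\1,ou=People,dc=example,dc=com",
     "filter": r"(objectclass=inetOrgPerson)"},
    {"cn": "station1 map",
     "regex": r"\(.*\)",
     "base": r"ou=People,dc=example,dc=com",
     "filter": r"(cn=\1)"},
]


def normalize_regex(pattern):
    # Assumption: the post mixes \( \) and ( ) group syntax; treat both as
    # capture groups so Python's re engine sees the same groups.
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def expand(template, groups):
    # Replace \1, \2, ... with the captured groups; a missing group expands
    # to an empty string rather than raising.
    def sub(m):
        i = int(m.group(1))
        return groups[i - 1] if i <= len(groups) else ""
    return re.sub(r"\\(\d+)", sub, template)


def apply_mappings(authid, mappings=MAPPINGS):
    """Return (cn, base_dn, filter) for every mapping whose regex matches
    the SASL authid, in the order the mappings are listed."""
    results = []
    for m in mappings:
        match = re.search(normalize_regex(m["regex"]), authid)  # assumption: unanchored
        if not match:
            continue
        groups = match.groups()
        results.append((m["cn"],
                        expand(m["base"], groups),
                        expand(m["filter"], groups)))
    return results


if __name__ == "__main__":
    for cn, base, flt in apply_mappings("mcarey@STATION1.EXAMPLE.COM"):
        print(f"{cn}: search base={base} filter={flt}")
```

For the principal in the post, the second mapping never matches because its regex literally reads STATATION1, and the first mapping's greedy groups split the three-label realm into dc=STATION1.EXAMPLE,dc=COM rather than dc=example,dc=com. Neither explains the gss_accept_sec_context failure, which happens before mapping, but both would bite once the Kerberos stage succeeds.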