[389-users] SASL and GSSAPI replication help - Error w/ Realm

Matt Wells phanoko at gmail.com
Fri Mar 16 13:20:57 UTC 2012


Sorry, I forgot to mention that. Yes.
I used the ds.keytab and moved it to the krb5.keytab for testing.

2012/3/16 Anthony Messina <amessina at messinet.com>:
> On 03/15/2012 12:56 PM, Matt Wells wrote:
>> I have a multi-master configuration of 389-directory server.  I'm
>> attempting to replicate w/ SASL/GSSAPI but it's not getting the realm.
>> Note this replication is not with Windows AD.  It's LDAP to LDAP.
>>
>> The error I get is -
>> [15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
>> credentials for principal [ldap/server1@] in keytab
>> [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
>> for KDC in requested realm)
>> [15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: error -2
>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>> GSS failure.  Minor code may provide more information (Credentials
>> cache file '/tmp/krb5cc_99' not found))
>> [15/Mar/2012:10:48:30 -0700] slapi_ldap_bind - Error: could not
>> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
>> error)
>>
>> In Kerberos all principals are created and in the /etc/krb5.keytab the
>> following exist; additionally the permissions have been set all the
>> way to 777 to ensure a permissions issue is not in play.
>>
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    2            host/server1@EXAMPLE.COM
>>    2    2            host/server1@EXAMPLE.COM
>>    3    2            host/server1@EXAMPLE.COM
>>    4    2            host/server1@EXAMPLE.COM
>>    5    2            host/server2@EXAMPLE.COM
>>    6    2            host/server2@EXAMPLE.COM
>>    7    2            host/server2@EXAMPLE.COM
>>    8    2            host/server2@EXAMPLE.COM
>>    9    3            ldap/server1@EXAMPLE.COM
>>   10    3            ldap/server1@EXAMPLE.COM
>>   11    3            ldap/server1@EXAMPLE.COM
>>   12    3            ldap/server1@EXAMPLE.COM
>>   13    3            ldap/server2@EXAMPLE.COM
>>   14    3            ldap/server2@EXAMPLE.COM
>>   15    3            ldap/server2@EXAMPLE.COM
>>   16    3            ldap/server2@EXAMPLE.COM
>>
>>
>> My question is the following -
>> Shouldn't my first error from above read
>> "[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
>> credentials for principal [ldap/server1@EXAMPLE.COM]"?
>> It makes sense to me that I am missing my realm; without that I of
>> course couldn't get my TGT from the KDC.  But where do I define that
>> realm?
>> I've looked in the
>> cn=mapping,cn=sasl,cn=config
>> but have not seen a realm to define.  I've tested for fun changing
>> these attributes but to no avail.
>>
>> nssaslmapbase dc=\2,dc=\3
>> mapregexstring \(.*\)@\(.*\)\.\(.*\)
>>
>>
>> Any help would be greatly appreciated!
>>
>>
>> Software Version -
>> RHEL 6.1
>> ---
>> 389-admin-1.1.25-1.el6.x86_64.rpm
>> 389-admin-console-1.1.8-1.el6.noarch.rpm
>> 389-adminutil-1.1.14-2.el6.x86_64.rpm
>> 389-console-1.1.7-1.el6.noarch.rpm
>> 389-ds-console-1.2.6-1.el6.noarch.rpm
>> 389-dsgw-1.1.7-2.el6.x86_64.rpm
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
> Do you have:
>
> # In order to use SASL/GSSAPI (Kerberos) the directory
> # server needs to know where to find its keytab
> # file - uncomment the following line and set
> # the path and filename appropriately
> KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME
>
> in your /etc/sysconfig/dirsrv?  It sounds like your server isn't setting
> up its credential cache at startup.
>
> --
> Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
> 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users



-- 
- - Matt
Please note the new address and update your contact lists
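A small diagnostic for the failure discussed in this thread, added here as an example and not code from either poster or from the 389-ds project. It parses a set_krb5_creds error line, `klist -k` output and the contents of /etc/sysconfig/dirsrv (all three are constructed samples embedded below, modelled on the messages above) and reports whether the principal has no realm, whether the keytab lacks an entry for it, and whether KRB5_KTNAME is exported.

```python
import re

# Constructed samples modelled on the thread above, not captured from a real host.
LOG_LINE = ("[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial "
            "credentials for principal [ldap/server1@] in keytab [WRFILE:/etc/krb5.keytab]")
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/server1@EXAMPLE.COM
   3 ldap/server1@EXAMPLE.COM
   3 ldap/server2@EXAMPLE.COM
"""
# The KRB5_KTNAME line is still commented out, as in the stock sysconfig file.
SYSCONFIG = "# KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME\n"

PRINCIPAL_RE = re.compile(r"set_krb5_creds - .*principal \[([^\]]*)\]")

def principal_from_log(line):
    """Return (name, realm) from a set_krb5_creds error line; realm may be ''."""
    m = PRINCIPAL_RE.search(line)
    if not m:
        return None
    name, _, realm = m.group(1).partition("@")
    return name, realm

def keytab_principals(klist_text):
    """Parse `klist -k` output into the set of principals it lists."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(2))
    return found

def ktname_configured(sysconfig_text):
    """True if an uncommented KRB5_KTNAME= assignment is present."""
    return any(re.match(r"\s*KRB5_KTNAME=", l) for l in sysconfig_text.splitlines())

def diagnose(log_line, klist_text, sysconfig_text):
    """Return a list of findings that explain why the GSSAPI bind could fail."""
    parsed = principal_from_log(log_line)
    if parsed is None:
        return ["no set_krb5_creds error found in log line"]
    name, realm = parsed
    findings = []
    if not realm:
        findings.append(f"realm missing on principal {name}@ (check default_realm/domain_realm in krb5.conf)")
    matches = [p for p in keytab_principals(klist_text) if p.split("@")[0] == name]
    if not matches:
        findings.append(f"no keytab entry for {name}")
    elif realm and f"{name}@{realm}" not in matches:
        findings.append(f"keytab has {sorted(matches)} but not {name}@{realm}")
    if not ktname_configured(sysconfig_text):
        findings.append("KRB5_KTNAME not exported in /etc/sysconfig/dirsrv")
    return findings
```

Run it against a real `klist -k` capture and the server's errors log once the `sysconfig` change is made; an empty findings list means all three checks passed.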


