Re: GSSAPI error

[Stephen Torri <storri@sbcglobal.net>]

On Mon, 2002-07-22 at 02:04, Hans Aschauer wrote:
> Are you shure that you have a valid kerberos TGT, i.e. did you say 
> 'kinit' or log in via klogin? You can check that by 'klist'.

As user 'torri'
  klist reports: klist: Permission denied while initializing krb5
  kinit reports: kinit(v5): Permission denied while initializing
Kerberos 5 library.

As user 'root'
  klist reports tickets for user.
  kinit: Principal is torri@TORRI.LINUX (previous attempt to do kinit
when using 'su' as torri.)

So I definitely have a Kerberos configuration problem.

> For the authorization name, it is usually enough to press enter (at 
> least, as long as you didn't set up your directory accordingly). As 
> soon as you have a TGT, gssapi knows 'who' you are, and it knows your 
> credentials.

Ok.

> A third thing: the attribute is called 'supportedSASLMechanisms' 
> (instead of 'supportedMechanisms').

Right. Sorry for the typing error.

> If you do not yet have a working Kerberos environment, you could issue
> 
> ldapsearch -x -H ldap://alpha.torri.linux/  -b "" -s base -LLL \ 
> supportedSASLMechanisms
> 
> (note the change from -I to -x, which will do an anonymous simple bind)

I did:

ldapsearch -H ldap://alpha.torri.linux -x -b "" -s base -LLL \
supportedSASLMechanisms

Result:

dn:
supportedSASLMechanisms: GSSAPI

Ok. So I did it for ldaps and got the same result. Afterward I tried to
use -I and press Enter when it asked for authorizing name using the user
'root' with valid Kerberos ticket. It failed. I received the GSSAPI
error as I reported before.

Stephen