Re: Problems with GSSAPI
On Mon, 2002-08-19 at 07:11, paul wrote:
> Stephen Torri wrote:
> > The system setup I have is:
> >
> > RedHat 7.2
> > Linux kernel 2.4.9-32.5
> > Kerberos: krb5,libs,devel,workstation,server 1.2.4-1
> > OpenLDAP: openldap,clients,server 2.0.21-1
> > OpenSSL: 0.9.6b-8
> > Cyrus-SASL: 2.1.5-2
> >
> > User 'root' can obtain a kerberos ticket but the default principal is
> > not root@TORRI.LINUX. Its default principal is torri@TORRI.LINUX. With
> > this in mind when I try:
> >
> The ID of the principal is not important so far. As far as I know, GSSAPI is
> just *authentication* based on Kerberos.
>
> > ldapsearch -H ldaps:/// -I -b"" -s base -LLL supportedSASLMechanisms.
> >
> > I get back:
> >
> > ldap_sasl_interactive_bind_s: Unknown error
> > additional info: GSSAPI: gss_acquire_cred: miscellaneous failure:
> > Permission denied.
>
> Please turn on debugging.
Can you give a listing of the debug levels that are helpful?
> -Have you created a service principal for ldap like:
> ldap/your.domain.com@YOURREALM?
>
> -Have you added that principal to your keytab file?
> -Is this keytab file readable for slapd?
The permissions on the file were root(owner) root(group) (0600). So I
changed it to be 0644. That took care of root's inability to
authenticate. It did not clear up the problem.
I tried to do the above command as user 'root' with a kerberos ticket
for principal 'torri@TORRI.LINUX'. This time I got back the error:
Can't contact LDAP server.
>
> ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf (best docu I found)
I will download that. Thanks.
Stephen
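
The keytab question raised in this thread (is the file readable by slapd, and by whom else) can be checked mechanically, since the keytab holds the service principal's long-term key. The following is an added example, not part of the original message; it assumes GNU stat, and the function name audit_keytab plus the keytab path and service account passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Kerberos keytab's ownership and mode.
# Assumes GNU coreutils stat(1). The path and account name are supplied by
# the caller; nothing here is taken from the thread's system.
# Prints findings; returns 0 when the keytab is readable by the service
# account and by nobody outside owner/group, 1 otherwise.
audit_keytab() {
    keytab=$1
    svc_user=$2
    [ -f "$keytab" ] || { echo "missing: $keytab"; return 1; }

    mode=$(stat -c '%a' "$keytab")    # octal digits, e.g. 600 or 644
    owner=$(stat -c '%U' "$keytab")
    group=$(stat -c '%G' "$keytab")
    u=$(( (mode / 100) % 10 ))        # owner permission digit
    g=$(( (mode / 10) % 10 ))         # group permission digit
    o=$(( mode % 10 ))                # "other" permission digit
    rc=0

    # Any bit for "other" hands the service's long-term key to every local user.
    if [ "$o" -ne 0 ]; then
        echo "exposed: mode $mode lets any local account access $keytab"
        rc=1
    fi
    # Group or other write access allows the keys to be replaced.
    if [ $(( (g | o) & 2 )) -ne 0 ]; then
        echo "writable: mode $mode allows non-owner writes"
        rc=1
    fi

    # Can the service account read it without relying on "other" bits?
    readable=no
    if [ "$owner" = "$svc_user" ] && [ $(( u & 4 )) -ne 0 ]; then
        readable=yes
    elif [ $(( g & 4 )) -ne 0 ] &&
         id -Gn "$svc_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        readable=yes
    fi
    if [ "$readable" = no ]; then
        echo "unreadable: $svc_user cannot read $keytab via owner or group"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "ok: $keytab mode $mode owner $owner:$group"
    return "$rc"
}
```

A keytab owned by the account slapd runs as with mode 0600, or group-readable by that account's group with mode 0640, passes; a 0644 file is reported as exposed even though the service can read it.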