Re: SASL/GSSAPI authentication problems - Invalid credentials

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, April 29, 2003 10:31 AM -0700 Ben Poliakoff <benp@reed.edu> 
wrote:

> * Chris Maxwell <source@gateweaver.com> [030428 17:35]:
> > Did you test SASL to ensure it is talking to heimdal properly?
> >
> > in one shell:
> > saslauthd -a kerberos5 -d -m <mux path>
> >
> > in another:
> > testsaslauthd -u username -p password -r REALM -s ldap -f <mux path>
> >
> > KDC logs are also a good place to look, since invalid credentials means
> > just that ... that Openldap appears to be working correctly.
>
> Yes, I tried testsaslauthd as you detailed above and it has not trouble
> authenticating.
>
> In addition I'm able to get service tickets without any trouble:
>
>     benp@thingone openldap]$ /usr/local/heimdal/bin/klist
>     Credentials cache: FILE:/tmp/krb5cc_25022_XsJjpG
>             Principal: benp@REED.EDU
>
>       Issued           Expires          Principal
>     Apr 29 09:46:24  Apr 29 19:46:24  krbtgt/REED.EDU@REED.EDU
>     Apr 29 09:46:29  Apr 29 19:46:24  ldap/thingone.reed.edu@REED.EDU
>
> ...and could find no problems in the kdc logs.  Just lots of entries
> like this:
>
> Apr 28 11:30:29 kerberos-1 krb5kdc[10139](info): TGS_REQ (2 etypes {16
> 1}) 134.10.15.29(88): ISSUE: authtime 1051545504, etypes {rep=16 tkt=1
> ses=1}, benp@REED.EDU for ldap/thingone.reed.edu@REED.EDU
>
> Thanks for the suggestions though!

Ben,

Your domains don't match.  i.e.,  ldap/thingone.reed.edu@REED.EDU does not 
match ldap/thingone.REED.EDU@REED.EDU.  I'm not positive that this is the 
problem, but I am fairly certain that capitalization does matter.  You may 
wish to create a new ldap keytab with that capitalization and see if it 
fixes the problem.  See the capitalization in your krbtgt ticket.

--Quanah


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html