
Re: SASL/GSSAPI authentication problems - Invalid credentials



* Quanah Gibson-Mount <quanah@stanford.edu> [030429 14:41]:
> >
> >In addition I'm able to get service tickets without any trouble:
> >
> >    benp@thingone openldap]$ /usr/local/heimdal/bin/klist
> >    Credentials cache: FILE:/tmp/krb5cc_25022_XsJjpG
> >            Principal: benp@REED.EDU
> >
> >      Issued           Expires          Principal
> >    Apr 29 09:46:24  Apr 29 19:46:24  krbtgt/REED.EDU@REED.EDU
> >    Apr 29 09:46:29  Apr 29 19:46:24  ldap/thingone.reed.edu@REED.EDU
> >
> >...and could find no problems in the kdc logs.  Just lots of entries
> >like this:
> >
> >Apr 28 11:30:29 kerberos-1 krb5kdc[10139](info): TGS_REQ (2 etypes {16
> >1}) 134.10.15.29(88): ISSUE: authtime 1051545504, etypes {rep=16 tkt=1
> >ses=1}, benp@REED.EDU for ldap/thingone.reed.edu@REED.EDU
> >
> >Thanks for the suggestions though!
> 
> Ben,
> 
> Your domains don't match.  i.e.,  ldap/thingone.reed.edu@REED.EDU does not 
> match ldap/thingone.REED.EDU@REED.EDU.  I'm not positive that this is the 
> problem, but I am fairly certain that capitalization does matter.  You may 
> wish to create a new ldap keytab with that capitalization and see if it 
> fixes the problem.  See the capitalization in your krbtgt ticket.
> 
> --Quanah

Hmm...  Thanks for this idea.  But I already have lots of krb5
enabled services (ssh, lprng, sendmail/smtp, cyrus-imap, wu-imap,
etc) and all of those services (including the SASL related ones,
all of which are using SASL2) have service principal names with the
"ldap/thingone.reed.edu@REED.EDU" capitalization pattern.

But just in case I tried creating a service principal
"ldap/thingone.REED.EDU@REED.EDU".  I had the same results, and my ldap
client (ldapwhoami) still retrieved a service ticket for the other
principal, "ldap/thingone.reed.edu@REED.EDU".

How baffling.  Perhaps I'll try building this whole thing up on a
different machine....

Anyone have any ideas what I might look for in slapd's debug output?

Ben

-- 
---------------------------------------------------------------------------
Ben Poliakoff                                       email: <benp@reed.edu>
Reed College                                          tel:  (503)-788-6674
Unix System Administrator      PGP key: http://www.reed.edu/~benp/key.html
---------------------------------------------------------------------------
0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019
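Quanah's point in the exchange above is that Kerberos principal names are compared byte for byte, so a keytab entry for "ldap/thingone.REED.EDU@REED.EDU" cannot serve a ticket issued for "ldap/thingone.reed.edu@REED.EDU", and slapd will fail the GSSAPI exchange with what looks like an "invalid credentials" error. The script below is an added example, not code from the thread: it parses klist output of the form shown in the thread, pulls out the service principals the client actually obtained tickets for, and classifies each one against the principals in the server's keytab as an exact match, a case-only mismatch, or missing. Both the klist text and the keytab principal list are constructed sample data (the keytab contents are hypothetical; the real ones would come from ktutil or kadmin).

```python
import re

# Constructed sample klist output, in the same shape as the listing in the thread.
KLIST_OUTPUT = """\
Credentials cache: FILE:/tmp/krb5cc_25022_XsJjpG
        Principal: benp@REED.EDU

  Issued           Expires          Principal
Apr 29 09:46:24  Apr 29 19:46:24  krbtgt/REED.EDU@REED.EDU
Apr 29 09:46:29  Apr 29 19:46:24  ldap/thingone.reed.edu@REED.EDU
"""

# Hypothetical keytab contents on the LDAP server (constructed for this example).
KEYTAB_PRINCIPALS = [
    "host/thingone.reed.edu@REED.EDU",
    "ldap/thingone.REED.EDU@REED.EDU",
]

# One credential line: "<issued> <expires> <principal>", where each timestamp
# is "Mon dd HH:MM:SS".  The header and cache lines do not match this.
TICKET_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\w{3}\s+\d{1,2}\s+[\d:]{8}\s+(\S+)$"
)


def service_tickets(klist_text):
    """Return the service principals in klist output, excluding the TGT."""
    principals = []
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m and not m.group(1).startswith("krbtgt/"):
            principals.append(m.group(1))
    return principals


def check_principal(ticket_principal, keytab_principals):
    """Classify a ticket's service principal against the keytab.

    "exact"         - the keytab holds this exact principal; slapd can decrypt.
    "case-mismatch" - the names differ only in case; Kerberos treats them as
                      different principals, so the key lookup fails.
    "missing"       - no entry for this service/host at all.
    """
    if ticket_principal in keytab_principals:
        return "exact"
    if ticket_principal.lower() in {p.lower() for p in keytab_principals}:
        return "case-mismatch"
    return "missing"


def diagnose(klist_text, keytab_principals):
    """Map every service principal the client holds a ticket for to its status."""
    return {
        principal: check_principal(principal, keytab_principals)
        for principal in service_tickets(klist_text)
    }


if __name__ == "__main__":
    for principal, status in diagnose(KLIST_OUTPUT, KEYTAB_PRINCIPALS).items():
        print(f"{principal}: {status}")
```

Run against the constructed data, the ldap ticket is reported as a case mismatch, which is the condition Quanah describes; a clean setup reports "exact" for every service the client talks to. Because the client derives the service hostname from DNS (hence the lowercase name in the ticket), the practical fix is to make the keytab entry match the canonical lowercase hostname rather than to chase the client.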
