Ben -
do you have multiple IPs on this box?
I've been fighting with this issue for 4 weeks.
I have managed to find some ways to get my system
to work, but I haven't investigated the long term effects.
no one here seems to have any clue about this.
If you want, send me a private message - although I'm
extremely new to ldap, I can tell you what I saw and
what I did.
Maybe if our issues are similar, we can post some message
here when/if we ever figure it out.
Scott
-----Original Message-----
From: Ben Poliakoff [mailto:benp@reed.edu]
Sent: Thursday, May 01, 2003 12:45 PM
To: Quanah Gibson-Mount
Cc: openldap-software@OpenLDAP.org
Subject: Re: SASL/GSSAPI authentication problems - Invalid credentials
* Quanah Gibson-Mount <quanah@stanford.edu> [030429 14:41]:
> >
> >In addition I'm able to get service tickets without any trouble:
> >
> > benp@thingone openldap]$ /usr/local/heimdal/bin/klist
> > Credentials cache: FILE:/tmp/krb5cc_25022_XsJjpG
> > Principal: benp@REED.EDU
> >
> > Issued Expires Principal
> > Apr 29 09:46:24 Apr 29 19:46:24 krbtgt/REED.EDU@REED.EDU
> > Apr 29 09:46:29 Apr 29 19:46:24 ldap/thingone.reed.edu@REED.EDU
> >
> >...and could find no problems in the kdc logs. Just lots of entries
> >like this:
> >
> >Apr 28 11:30:29 kerberos-1 krb5kdc[10139](info): TGS_REQ (2 etypes {16
> >1}) 134.10.15.29(88): ISSUE: authtime 1051545504, etypes {rep=16 tkt=1
> >ses=1}, benp@REED.EDU for ldap/thingone.reed.edu@REED.EDU
> >
> >Thanks for the suggestions though!
>
> Ben,
>
> Your domains don't match. i.e., ldap/thingone.reed.edu@REED.EDU does not
> match ldap/thingone.REED.EDU@REED.EDU. I'm not positive that this is the
> problem, but I am fairly certain that capitalization does matter. You may
> wish to create a new ldap keytab with that capitalization and see if it
> fixes the problem. See the capitalization in your krbtgt ticket.
>
> --Quanah
Hmm... Thanks for this idea. But I already have lots of krb5
enabled services (ssh, lprng, sendmail/smtp, cyrus-imap, wu-imap,
etc) and all of those services (including the SASL related ones,
all of which are using SASL2) have service principal names with the
"ldap/thingone.reed.edu@REED.EDU" capitalization pattern.
But just in case I tried creating a service principal
"ldap/thingone.REED.EDU@REED.EDU". I had the same results, and my ldap
client (ldapwhoami) still retrieved a service ticket for the other
principal, "ldap/thingone.reed.edu@REED.EDU".
How baffling. Perhaps I'll try building this whole thing up on a
different machine....
Anyone have any ideas what I might look for in slapd's debug output?
Ben
--
---------------------------------------------------------------------------
Ben Poliakoff email: <benp@reed.edu>
Reed College tel: (503)-788-6674
Unix System Administrator PGP key: http://www.reed.edu/~benp/key.html
---------------------------------------------------------------------------
0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
**********************************************************************
This communication is confidential and is intended only for the person to whom it is addressed. If you are not that person you are not permitted to make use of the information and you are requested to notify Commerzbank Aktiengesellschaft, New York Branch immediately that you have received it and then to destroy the copy in your possession. Views expressed in this e-mail do not necessarily reflect the views of Commerzbank AG.
**********************************************************************