problem with SASL authentication and Kerberos
I have a rather odd situation with OpenLDAP, GSSAPI, and SASL. I
recently changed my Kerberos KDC from MIT Kerberos to Heimdal, and at
the same time, changed my Kerberos realm name. Prior to this I had
everything working fine.
I've got things working, mostly, but seem to be having a problem with
getting the OpenLDAP client tools to authenticate. This may be more of a
SASL problem, but I'm not certain.
In any case, since the changes above, I run kinit to get a Kerberos
ticket. When I run klist I see something like below:
% klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: username@NEWREALM
Issued Expires Principal
Apr 7 09:06:19 Apr 7 19:06:19 krbtgt/NEWREALM@NEWREALM
V4-ticket file: /tmp/tkt1000
klist: No ticket file (tf_util)
This all looks like it should, but when I now run an ldapsearch, I get
the following error:
% ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (Server (krbtgt/OLDREALM@NEWREALM)
unknown)
So, it looks like it's trying to do some sort of cross-realm
authentication. My question is why? At what point does OpenLDAP (or
SASL) construct the krbtgt/OLDREALM principal above?
I've looked at everything I can think of, and can't figure out where
it's picking up the references to OLDREALM. Can anyone shed some light
on how the above krbtgt/OLDREALM principal name is constructed?
Thanks,
Jeff
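Added example (not part of the original post or of any reply on the list): a small Python model of how a Kerberos client chooses the realm for the service principal it is about to request. The realm of the target (ldap/<host>@<REALM>) is not taken from the user's TGT; the library derives it from the [domain_realm] section of krb5.conf (or, when enabled, from DNS). When that mapping points at a realm other than the one in the TGT, the client first asks its own KDC for a cross-realm TGT named krbtgt/<mapped realm>@<TGT realm>, which is the shape of the principal in the error above. The krb5.conf below is constructed for the example, including a deliberately stale .example.com mapping, and the hostnames and realm names are assumptions; the lookup omits the DNS and upper-cased-domain fallbacks real libraries may try.

```python
"""Model of krb5.conf [domain_realm] resolution and the TGS request it leads to.

Added example with a constructed config; not the behaviour of any one library,
but the documented [domain_realm] lookup order that MIT and Heimdal both follow.
"""
from typing import Dict, List, Union

# Constructed sample krb5.conf. The realm was renamed from OLDREALM to NEWREALM,
# but one [domain_realm] line still maps the whole domain to the old name.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = NEWREALM
    dns_lookup_realm = false

[realms]
    NEWREALM = {
        kdc = kdc.example.com
    }

[domain_realm]
    # Stale: every host under example.com except the KDC still maps to OLDREALM.
    .example.com = OLDREALM
    kdc.example.com = NEWREALM
"""

Section = Dict[str, Union[str, dict]]


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Parse the flat 'key = value' entries of each [section]; nested { } blocks
    (such as per-realm settings) are recorded by name but their contents skipped."""
    sections: Dict[str, Section] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        if line == "}":
            depth -= 1
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == "{":
            if depth == 0:
                sections[current][key] = {}
            depth += 1
        elif depth == 0:
            sections[current][key] = value
    return sections


def host_realm(conf: Dict[str, Section], hostname: str) -> str:
    """Realm used for a service on hostname: exact host entry first, then each
    enclosing domain written with a leading dot (most specific first), then
    default_realm. DNS TXT lookups are not modelled here."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()
               if isinstance(v, str)}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = "." + ".".join(labels[i:])
        if domain in mapping:
            return mapping[domain]
    return str(conf.get("libdefaults", {}).get("default_realm", ""))


def first_tgs_request(conf: Dict[str, Section], service: str,
                      hostname: str, client_realm: str) -> str:
    """Principal the client asks its own KDC for. Same realm as the TGT: the
    service ticket directly. Different realm: a cross-realm TGT first, and if
    the KDC has no such krbtgt principal the bind fails with 'Server unknown'."""
    target_realm = host_realm(conf, hostname)
    if target_realm == client_realm:
        return f"{service}/{hostname}@{client_realm}"
    return f"krbtgt/{target_realm}@{client_realm}"


def stale_domain_realm_entries(conf: Dict[str, Section]) -> List[str]:
    """[domain_realm] entries pointing at a realm that has no [realms] block."""
    known = {k for k, v in conf.get("realms", {}).items() if isinstance(v, dict)}
    return sorted(k for k, v in conf.get("domain_realm", {}).items()
                  if isinstance(v, str) and v not in known)


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("stale mappings:", stale_domain_realm_entries(conf))
    print(first_tgs_request(conf, "ldap", "ldap.example.com", "NEWREALM"))
    fixed = parse_krb5_conf(SAMPLE_KRB5_CONF.replace("= OLDREALM", "= NEWREALM"))
    print(first_tgs_request(fixed, "ldap", "ldap.example.com", "NEWREALM"))
```

Run against the sample, the stale .example.com line makes the client request krbtgt/OLDREALM@NEWREALM for an LDAP server in example.com, even though klist shows only NEWREALM credentials; with the mapping corrected it requests ldap/ldap.example.com@NEWREALM directly. On a real client the same check is running stale_domain_realm_entries against /etc/krb5.conf (and any files it includes), and on MIT-based clients setting KRB5_TRACE=/dev/stderr before ldapsearch prints the realm lookups the library performs. If dns_lookup_realm is enabled, _kerberos TXT records for the domain are a second place an old realm name can survive.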