
Re: LDAP + Kerberos not allowing simple binds



Robert wrote:

"Jose Gonzalez Gomez" <jgonzalez@opentechnet.com> wrote in message
news:41210F4D.2030904@opentechnet.com...


Robert wrote:

There should be something more in the logs indicating the cause of
the errors... a few things that may cause this... not using the
canonical name of the machine, slapd not having access to the keytabs...




I am at the end of my rope here. The logs don't show anything else apart from [reason=saslauthd internal error].

saslauthd -d -V -m /var/run/saslauthd -a kerberos5
saslauthd[27157] :main            : num_procs  : 5
saslauthd[27157] :main            : mech_option: NULL
saslauthd[27157] :main            : run_path   : /var/run/saslauthd
saslauthd[27157] :main            : auth_mech  : kerberos5
saslauthd[27157] :ipc_init        : using accept lock file:
/var/run/saslauthd/mux.accept
saslauthd[27157] :detach_tty      : master pid is: 0
saslauthd[27157] :ipc_init        : listening on socket:
/var/run/saslauthd/mux
saslauthd[27157] :main            : using process model
saslauthd[27157] :have_baby       : forked child: 27158
saslauthd[27157] :have_baby       : forked child: 27159
saslauthd[27157] :have_baby       : forked child: 27160
saslauthd[27157] :have_baby       : forked child: 27161
saslauthd[27157] :get_accept_lock : acquired accept lock
saslauthd[27157] :rel_accept_lock : released accept lock
saslauthd[27158] :get_accept_lock : acquired accept lock
saslauthd[27157] :do_auth         : auth failure: [user=user] [service=ldap]
[realm=KERBEROS.REALMNAME] [mech=kerberos5] [reason=saslauthd internal
error]

On the kerberos side, I get

Aug 17 00:50:41 Pianta-Scramble krb5kdc[750](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.0.1: NEEDED_PREAUTH: user@KERBEROS.REALM for
krbtgt/KERBEROS.REALM@KERBEROS.REALM, Additional pre-authentication required
Aug 17 00:50:41 Pianta-Scramble krb5kdc[750](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.0.1: NEEDED_PREAUTH: user@KERBEROS.REALM for
krbtgt/KERBEROS.REALM@KERBEROS.REALM, Additional pre-authentication required
Aug 17 00:50:41 Pianta-Scramble krb5kdc[750](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.0.1: ISSUE: authtime 1092721841, etypes {rep=16 tkt=16
ses=16}, user@KERBEROS.REALM for krbtgt/KERBEROS.REALM@KERBEROS.REALM
Aug 17 00:50:41 Pianta-Scramble krb5kdc[750](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.0.1: ISSUE: authtime 1092721841, etypes {rep=16 tkt=16
ses=16}, user@KERBEROS.REALM for krbtgt/KERBEROS.REALM@KERBEROS.REALM


The bad thing is that the finish line is right in front of me but I can't cross it. I can do everything kerberos-wise. I can kinit, klist, kpasswd as the user. Testsaslauthd still fails.

Please help.



Sorry, but I don't know what else you would check... from my experience those internal errors are produced by some misconfiguration. Common causes for this: service ticket not found in keytab, server not able to access the keytab, using an alias instead of the canonical name of the machine, name of the machine not correctly configured in DNS (forward and reverse resolution needed), ...
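As an added example, not code from either poster: a small diagnostic script that checks, on the host running saslauthd, each of the causes Jose lists (keytab readable, canonical name agreeing with forward and reverse DNS, the host principal present in the keytab, and that key actually matching the KDC). It assumes MIT Kerberos command-line tools (klist, kinit, getent), the default keytab /etc/krb5.keytab unless KRB5_KTNAME is set, that saslauthd's kerberos5 backend verifies the TGT it obtains for the user against host/<canonical fqdn>@REALM (the "mech_option: NULL" line in Robert's saslauthd output shows no other verify principal was configured), and that you run it as the same account saslauthd runs as. The realm name is the placeholder from Robert's KDC log and the example.com names in the helper functions' inputs are constructed.

```shell
#!/bin/sh
# Constructed diagnostic for the saslauthd "internal error" discussed above.
# Assumptions (mine, not from the thread): saslauthd -a kerberos5 verifies the
# user's TGT against host/<canonical fqdn>@REALM in the default keytab, and this
# script is run as the same account saslauthd runs as.

KEYTAB="${KRB5_KTNAME:-/etc/krb5.keytab}"   # MIT default keytab location
REALM="${REALM:-KERBEROS.REALM}"            # placeholder realm from the thread's KDC log

# verify_principal NAME REALM -> the service principal saslauthd will look for
verify_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# keytab_lists_principal LISTING PRINCIPAL
# LISTING is the text printed by `klist -k`; succeeds only on an exact match,
# so host/alias@REALM does not satisfy a check for host/canonical@REALM.
keytab_lists_principal() {
    printf '%s\n' "$1" | awk -v p="$2" 'NF == 2 && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# dns_round_trip_ok NAME ADDR REVERSE_NAME
# Forward lookup of NAME gave ADDR and reverse lookup of ADDR gave REVERSE_NAME.
# An alias or a missing PTR record shows up here as a mismatch or an empty field.
dns_round_trip_ok() {
    [ -n "$2" ] && [ "$1" = "$3" ]
}

run_checks() {
    fqdn=$(hostname -f)
    addr=$(getent hosts "$fqdn" | awk '{ print $1; exit }')
    rname=$(getent hosts "$addr" | awk '{ print $2; exit }')
    princ=$(verify_principal "$fqdn" "$REALM")
    status=0

    if [ -r "$KEYTAB" ]; then echo "ok   keytab $KEYTAB is readable by $(id -un)"
    else echo "FAIL keytab $KEYTAB is not readable by $(id -un)"; status=1; fi

    if dns_round_trip_ok "$fqdn" "$addr" "$rname"; then echo "ok   $fqdn -> $addr -> $rname"
    else echo "FAIL forward/reverse DNS disagree: $fqdn -> ${addr:-?} -> ${rname:-?}"; status=1; fi

    if keytab_lists_principal "$(klist -k "$KEYTAB" 2>/dev/null)" "$princ"; then echo "ok   $princ is in the keytab"
    else echo "FAIL $princ missing from $KEYTAB (alias used, or wrong realm?)"; status=1; fi

    # A key can be present yet stale: obtaining a ticket with it proves it matches the KDC.
    cc=$(mktemp) && KRB5CCNAME="FILE:$cc" kinit -k -t "$KEYTAB" "$princ" \
        && echo "ok   kinit -k $princ succeeded" \
        || { echo "FAIL kinit -k $princ failed: keytab key does not match the KDC"; status=1; }
    rm -f "$cc"
    return $status
}

# Only run the live checks when explicitly asked, so the helpers can be sourced.
case "${1:-}" in run) run_checks ;; esac
```

Run it as `sh check-saslauthd-krb5.sh run` on the LDAP host. Robert's KDC log already shows the AS_REQ for the user ending in ISSUE, so the password exchange itself works; the checks above cover the local verification step that Jose's list of causes points at. The helper functions take their inputs as arguments so they can be exercised without a KDC.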