
Re: LDAP + Kerberos not allowing simple binds



"Jose Gonzalez Gomez" <jgonzalez@opentechnet.com> wrote in message
news:41234436.9080604@opentechnet.com...
> Robert wrote:
>
>     Sorry, but I don't know what else you would check... from my
> experience those internal errors are produced by some misconfiguration.
> Common causes for this: service ticket not found in keytab, server not
> able to access to keytab, using an alias instead of the canonical name
> of the machine, name of the machine not correctly configured in DNS
> (forward and reverse resolution needed),...
>

Jose, I finally figured out what it was.  I was also following the thread
from the sasl list:
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=6053.
Apparently, James Madill was having the exact same problem that I had.
There was a suggestion to run kinit -k.  I did that and I got an error
saying that the principal wasn't found.  To my surprise the missing
principal turned out to be host/pianta-scramble.  Shouldn't it be
host/pianta-scramble.fully-qualified.domain-name?

My /etc/hosts file contains
127.0.0.1               pianta-scramble localhost.localdomain localhost

My dns server has both forward and reverse mappings.  A lookup on the ip
address on the machine returns the fully qualified domain name of the
machine.  Is yours configured with the fully qualified domain name?

Another question:  How long does it take for saslauthd to authenticate a
kerberos user?  Mine takes a good 10+ seconds to return success.  If I use
the incorrect password, it returns failure in a split second.  How does
yours compare to this?  Can you think of why it is taking so long?

Thanks
Robert.
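An added diagnostic, not part of the thread, that reproduces the mismatch Robert describes: in /etc/hosts the first name after an address is the canonical name and the rest are aliases, so a line like `127.0.0.1 pianta-scramble ...` makes the resolver canonicalize the machine to the bare short name, and a Kerberized daemon then looks for `host/pianta-scramble@REALM` rather than the FQDN principal that `kadmin` put in the keytab. The script below parses a hosts file and a saved `klist -k` listing, derives the principal that would be looked up, and reports whether the keytab holds it. The hosts files, the keytab listing, the realm EXAMPLE.COM and the address 192.0.2.10 are all constructed for the example; on a real host you would feed it `/etc/hosts` and the output of `klist -k` instead.

```shell
# Added example (not code from the mailing-list thread). All inputs below are
# constructed; replace them with /etc/hosts and "klist -k > /tmp/klist.out".

# In /etc/hosts the first name after the address is the canonical name and the
# remaining names are aliases; getaddrinfo()'s canonical-name lookup returns
# that first name. Print it for the line in file $1 that lists $2 as either the
# canonical name or an alias; print nothing if no line matches.
canonical_name_from_hosts() {
    awk -v want="$2" '
        $1 !~ /^#/ && NF >= 2 {
            for (i = 2; i <= NF; i++) if ($i == want) { print $2; exit }
        }' "$1"
}

# The service principal a Kerberized daemon on this host will try to use.
expected_host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Does a saved "klist -k" listing ($1) contain principal $2?  klist -k prints
# "<kvno> <principal>" per entry, so anchor the match at the end of the line.
keytab_has_principal() {
    grep -q -- "[[:space:]]$2\$" "$1"
}

# Exit 0 when the keytab holds host/<canonical name>@REALM, otherwise print a
# diagnosis and exit 1.  Arguments: hosts-file klist-output short-name realm
check_host_principal() {
    hf="$1"; kt="$2"; shortname="$3"; realm="$4"
    canon=$(canonical_name_from_hosts "$hf" "$shortname")
    if [ -z "$canon" ]; then
        echo "no entry for $shortname in $hf"
        return 1
    fi
    want=$(expected_host_principal "$canon" "$realm")
    if keytab_has_principal "$kt" "$want"; then
        echo "ok: keytab contains $want"
        return 0
    fi
    echo "MISSING: keytab lacks $want (resolver canonical name is $canon)"
    case "$canon" in
        *.*) ;;
        *) echo "hint: canonical name is unqualified; put the FQDN first in $hf" ;;
    esac
    return 1
}

# --- constructed sample data --------------------------------------------------
TMP=$(mktemp -d)
BAD_HOSTS="$TMP/hosts.bad"
GOOD_HOSTS="$TMP/hosts.good"
KEYTAB_LIST="$TMP/klist.out"

# Hosts line as in the post: the short name is canonical, so the daemon looks
# for host/pianta-scramble@REALM.
printf '127.0.0.1\tpianta-scramble localhost.localdomain localhost\n' > "$BAD_HOSTS"

# Corrected form: FQDN first, short name as an alias.  192.0.2.10 and
# example.com are documentation values, not the poster's real address/domain.
printf '127.0.0.1\tlocalhost.localdomain localhost\n' > "$GOOD_HOSTS"
printf '192.0.2.10\tpianta-scramble.example.com pianta-scramble\n' >> "$GOOD_HOSTS"

# What "klist -k" prints for a keytab that holds only the FQDN host principal.
cat > "$KEYTAB_LIST" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/pianta-scramble.example.com@EXAMPLE.COM
EOF

for hosts in "$BAD_HOSTS" "$GOOD_HOSTS"; do
    check_host_principal "$hosts" "$KEYTAB_LIST" pianta-scramble EXAMPLE.COM || true
done
```

The first run reports the missing unqualified principal and the hint; the second reports a match. The fix is the one the script hints at: list the fully qualified name first on the host's own /etc/hosts line (or let DNS resolve it, with forward and reverse records agreeing) so that the canonical name and the keytab entry line up.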