[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP + Kerberos not allowing simple binds

To: openldap-software@OpenLDAP.org
Subject: Re: LDAP + Kerberos not allowing simple binds
From: "Robert" <Robertedstrom@yahoo.com>
Date: Wed, 18 Aug 2004 21:28:58 -0500
References: <cfjfh0$cal$1@sea.gmane.org> <411E29BE.6050002@opentechnet.com> <cflbqr$dql$1@sea.gmane.org> <411E3889.5080205@opentechnet.com> <cfle8n$io6$1@sea.gmane.org> <411E7C85.2090002@opentechnet.com> <cfp144$jjp$1@sea.gmane.org> <41210F4D.2030904@opentechnet.com> <cfs79d$umn$1@sea.gmane.org> <41234436.9080604@opentechnet.com>

"Jose Gonzalez Gomez" <jgonzalez@opentechnet.com> wrote in message
41234436.9080604@opentechnet.com">news:41234436.9080604@opentechnet.com...
> Robert wrote:
>
>     Sorry, but I don't know what else you would check... from my
> experience those internal errors are produced by some misconfiguration.
> Common causes for this: service ticket not found in keytab, server not
> able to access to keytab, using an alias instead of the canonical name
> of the machine, name of the machine not correctly configured in DNS
> (forward and reverse resolution needed),...
>

Jose, I finally figured out what it was.  I was also following the thread
from the sasl list:
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=6053.
Apparently, James Madill was having the exact same problem that I had.
There was a suggestion to run kinit -k.  I did that and I got an error
saying that the principal wasn't found.  To my surprise the missing
principal turned out to be host/pianta-scramble.  Shouldn't it be
host/pianta-scramble.fully-qualified.domain-name?

My /etc/hosts file contails
127.0.0.1               pianta-scramble localhost.localdomain localhost

My dns server has both forward and reverse mappings.  A lookup on the ip
address on the machine returns the fully qualified domain name of the
machine.  Is yours configured with the fully qualified domain name?

Another question:  How long does it take for saslauthd to authenticate a
kerberos user?  Mine takes a good 10+ seconds to return success.  If I use
the incorrect password, it returns failure in a split second.  How does
yours compare to this?  Can you think of why it is taking so long?

Thanks
Robert.

Follow-Ups:
- Re: LDAP + Kerberos not allowing simple binds
  - From: Howard Chu <hyc@symas.com>

References:
- LDAP + Kerberos not allowing simple binds
  - From: "Robert" <Robertedstrom@yahoo.com>
- Re: LDAP + Kerberos not allowing simple binds
  - From: Jose Gonzalez Gomez <jgonzalez@opentechnet.com>
- Re: LDAP + Kerberos not allowing simple binds
  - From: "Robert" <Robertedstrom@yahoo.com>
- Re: LDAP + Kerberos not allowing simple binds
  - From: Jose Gonzalez Gomez <jgonzalez@opentechnet.com>
- Re: LDAP + Kerberos not allowing simple binds
  - From: "Robert" <Robertedstrom@yahoo.com>
- Re: LDAP + Kerberos not allowing simple binds
  - From: Jose Gonzalez Gomez <jgonzalez@opentechnet.com>
- Re: LDAP + Kerberos not allowing simple binds
  - From: "Robert" <Robertedstrom@yahoo.com>
- Re: LDAP + Kerberos not allowing simple binds
  - From: Jose Gonzalez Gomez <jgonzalez@opentechnet.com>
- Re: LDAP + Kerberos not allowing simple binds
  - From: "Robert" <Robertedstrom@yahoo.com>
- Re: LDAP + Kerberos not allowing simple binds
  - From: Jose Gonzalez Gomez <jgonzalez@opentechnet.com>

Prev by Date: FIXED Re: ldapmodify
Next by Date: SASL GSSAPI authentication error -please help
Index(es):
- Chronological
- Thread