Re: LDAP + Kerberos not allowing simple binds
"Jose Gonzalez Gomez" <jgonzalez@opentechnet.com> wrote in message
news:41234436.9080604@opentechnet.com...
> Robert wrote:
>
> Sorry, but I don't know what else you would check... from my
> experience those internal errors are produced by some misconfiguration.
> Common causes for this: service ticket not found in keytab, server not
> able to access the keytab, using an alias instead of the canonical name
> of the machine, name of the machine not correctly configured in DNS
> (forward and reverse resolution needed),...
>
Jose, I finally figured out what it was. I was also following the thread
from the sasl list:
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=6053.
Apparently, James Madill was having the exact same problem that I had.
There was a suggestion to run kinit -k. I did that and I got an error
saying that the principal wasn't found. To my surprise the missing
principal turned out to be host/pianta-scramble. Shouldn't it be
host/pianta-scramble.fully-qualified.domain-name?
My /etc/hosts file contains:
127.0.0.1 pianta-scramble localhost.localdomain localhost
My DNS server has both forward and reverse mappings. A lookup on the IP
address on the machine returns the fully qualified domain name of the
machine. Is yours configured with the fully qualified domain name?
Another question: How long does it take for saslauthd to authenticate a
Kerberos user? Mine takes a good 10+ seconds to return success. If I use
the incorrect password, it returns failure in a split second. How does
yours compare to this? Can you think of why it is taking so long?
Thanks
Robert.
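
Added example, not part of the original message: a small Python check of how an /etc/hosts entry determines a machine's canonical name, which is what the "alias instead of the canonical name" cause in the quoted reply is about. It assumes the host principal is built as host/ plus the lowercased canonical name; the function names, 192.0.2.10 and example.com are made up for illustration.

```python
# Added example; hosts(5) rule: the first name after the address is canonical.
def parse_hosts(text):
    """Yield (address, canonical_name, aliases) for each hosts(5) entry."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1], fields[2:]

def lookup(hosts_text, hostname):
    """Return (address, canonical_name) of the first entry naming hostname."""
    wanted = hostname.lower()
    for addr, canon, aliases in parse_hosts(hosts_text):
        if wanted in [n.lower() for n in [canon] + aliases]:
            return addr, canon
    return None  # not in the file; the resolver would move on to DNS

def host_principal(hosts_text, hostname):
    """Assumption: the host principal is host/<canonical name, lowercased>."""
    hit = lookup(hosts_text, hostname)
    return None if hit is None else "host/" + hit[1].lower()

def findings(hosts_text, hostname):
    """Flag entry properties that relate to the causes listed in the thread."""
    hit = lookup(hosts_text, hostname)
    if hit is None:
        return []
    addr, canon = hit
    out = []
    if "." not in canon:
        out.append("canonical name is unqualified")
    if addr.startswith("127.") or addr == "::1":
        out.append("hostname is mapped to a loopback address")
    return out

# The line quoted in the post.
AS_POSTED = "127.0.0.1 pianta-scramble localhost.localdomain localhost\n"
# Constructed alternative; 192.0.2.10 and example.com are placeholders.
FQDN_FIRST = ("127.0.0.1 localhost.localdomain localhost\n"
              "192.0.2.10 pianta-scramble.example.com pianta-scramble\n")

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("FQDN first", FQDN_FIRST)):
        print(label, host_principal(text, "pianta-scramble"),
              findings(text, "pianta-scramble"))
```

Comparing the name this reports with the principals listed by klist -k shows whether the keytab and the resolver agree on the machine's name.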