
ldapsearch: ldap_sasl_interactive_bind_s: Local error (-2)



hello everyone,

the topic already says what this is all about.
and this is how I achieve this error message...

first of all I do a klist -e -5 to see whether I got a valid tgt ticket or not..

playground:/etc# klist -e -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser2@LINUX.LOCAL

Valid starting     Expires            Service principal
10/24/05 11:06:19  10/24/05 21:06:19  krbtgt/LINUX.LOCAL@LINUX.LOCAL
        renew until 10/24/05 21:06:19, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5

(good)

next I try a simple (-x) ldapsearch.. (works, good).
now it's getting more interesting:

playground:/usr/src/# ldapsearch "(cn=test)" -v
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)

unfortunately this error message is not very descriptive..at least for me.
So I went on and logged some packets..

1. Lightweight Directory Access Protocol, Search Request
     Message Id: 1
     Message Type: Search Request (0x03)
     Message Length: 57
     Base DN: (null)
     Scope: Base (0x00)
     Dereference: Never (0x00)
     Size Limit: 0
     Time Limit: 0
     Attributes Only: False
     Filter: (objectclass=*)
     Attribute: supportedSASLMechanisms


2. Lightweight Directory Access Protocol, Search Entry
     Message Id: 1
     Message Type: Search Entry (0x04)
     Message Length: 87
     Response To: 1
     Time: 0.000108000 seconds
     Distinguished Name: (null)
     Attribute: supportedSASLMechanisms
          Value: GSSAPI
          Value: GSS-SPNEGO
          Value: EXTERNAL
          Value: DIGEST-MD5
   Lightweight Directory Access Protocol, Search Result
     Message Id: 1
     Message Type: Search Result (0x05)
     Message Length: 7
     Response To: 1
     Time: 0.000108000 seconds
     Result Code: success (0x00)
     Matched DN: (null)
     Error Message: (null)


3. Lightweight Directory Access Protocol, Bind Request
     Message Id: 2
     Message Type: Bind Request (0x00)
     Message Length: 1201
     Version: 3
     DN: (null)
     Auth Type: SASL (0x03)
     Mechanism: GSSAPI
     GSS-API Token
          GSS-API
               OID: 1.2.840.113554.1.2.2 (iso.2.840.113554.1.2.2)
(KRB5 - Kerberos 5)
               krb5_blob: 01006E82048730820483A003020105A10302010EA2070305...
                    krb5_tok_id: KRB5_AP_REQ (0x0001)
                    Kerberos AP-REQ
                         Pvno: 5
                         MSG Type: AP-REQ (14)
                         Padding: 0
                         APOptions: 20000000 (Mutual required)
                              .0.. .... .... .... .... .... .... ....
= Use Session Key: Do NOT use the session key to encrypt the ticket
                              ..1. .... .... .... .... .... .... ....
= Mutual required: MUTUAL authentication is REQUIRED
                         Ticket
                              Tkt-vno: 5
                              Realm: LINUX.LOCAL
                              Server Name (Service and Host):
ldap/linuxdc.linux.local
                                   Name-type: Service and Host (3)
                                   Name: ldap
                                   Name: linuxdc.linux.local
                              enc-part rc4-hmac
                                   Encryption type: rc4-hmac (23)
                                   Kvno: 2
                                   enc-part:
1648F15B206A9CE45BA2BFE241AD64662199F48767CFDA4F...
                         Authenticator rc4-hmac
                              Encryption type: rc4-hmac (23)
                              Authenticator data:
7162B1762F025853E4C4F380EA44DD04F960B4AF27660FA2...


4. Lightweight Directory Access Protocol, Bind Result
     Message Id: 2
     Message Type: Bind Result (0x01)
     Message Length: 145
     Response To: 1
     Time: 0.000811000 seconds
     Result Code: saslBindInProgress (0x0e)
     Matched DN: (null)
     Error Message: (null)
     GSS-API Token
          GSS-API
               OID: 1.2.840.113554.1.2.2 (iso.2.840.113554.1.2.2)
(KRB5 - Kerberos 5)
               krb5_blob: 02006F743072A003020105A10302010FA2663064A0030201...
                    krb5_tok_id: KRB5_AP_REP (0x0002)
                    Kerberos AP-REP
                         Pvno: 5
                         MSG Type: AP-REP (15)
                         enc-part rc4-hmac
                              Encryption type: rc4-hmac (23)
                              enc-part:
83EDCC454952FF26E72D16EFE7A3FA9BDDADBAE9C3B3B9E7...


so everything seems to be just fine except for the last packet where
it says Result Code: saslBindInProgress (0x0e). In my opinion it
should be something like success (0x00) or similar :)

and again I do a klist -e -5 and here is what I have now:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser2@LINUX.LOCAL

Valid starting     Expires            Service principal
10/24/05 11:06:19  10/24/05 21:06:19  krbtgt/LINUX.LOCAL@LINUX.LOCAL
        renew until 10/24/05 21:06:19, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
10/24/05 11:09:59  10/24/05 21:06:19  ldap/linuxdc.linux.local@LINUX.LOCAL
        renew until 10/24/05 21:06:19, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5

so the kerberos part should be fine right? At least I have permission
to use the ldap service.. ticket is present.

Can anyone throw some light on this?

best regards,
Roman
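As an added example (not part of Roman's post or of OpenLDAP), a small Python parser for the `klist -e -5` output quoted above that states what the ticket cache actually proves before a SASL/GSSAPI bind: a TGT that has not expired, a service ticket for `ldap/<host>@<realm>`, and whether either ticket uses a deprecated RC4/DES enctype. The sample cache text is constructed to match the post's format (including the mailer's line wrapping); the realm, the LDAP host name and the "now" timestamp passed to the check are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the post's `klist -e -5` output (not the
# original capture). The mailer wrapped the "Etype" line; the parser tolerates that.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser2@LINUX.LOCAL

Valid starting     Expires            Service principal
10/24/05 11:06:19  10/24/05 21:06:19  krbtgt/LINUX.LOCAL@LINUX.LOCAL
        renew until 10/24/05 21:06:19, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
10/24/05 11:09:59  10/24/05 21:06:19  ldap/linuxdc.linux.local@LINUX.LOCAL
        renew until 10/24/05 21:06:19, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+)$")
WEAK_ETYPES = ("arcfour", "rc4", "des")  # RC4 and DES enctypes are deprecated (RFC 6649, RFC 8429)

def parse_klist(text):
    """Return one dict per ticket: start/expires (datetime), principal, (skey, tkt) enctypes."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"start": datetime.strptime(m.group(1), TIME_FMT),
                            "expires": datetime.strptime(m.group(2), TIME_FMT),
                            "principal": m.group(3), "detail": ""})
        elif tickets:  # "renew until ... Etype" detail line, possibly wrapped onto two lines
            tickets[-1]["detail"] += line.strip() + " "
    for t in tickets:
        m = ETYPE_RE.search(t.pop("detail").strip())
        t["etype"] = (m.group(1), m.group(2)) if m else ()
    return tickets

def check_gssapi_prereqs(tickets, realm, ldap_host, now):
    """List what a SASL/GSSAPI bind to ldap/<ldap_host>@<realm> is missing from this cache at `now`."""
    now = datetime.strptime(now, TIME_FMT)
    findings = []
    tgt = [t for t in tickets if t["principal"] == f"krbtgt/{realm}@{realm}"]
    if not tgt:
        findings.append("no TGT in cache: kinit first")
    elif tgt[0]["expires"] <= now:
        findings.append("TGT expired: kinit again")
    svc = [t for t in tickets if t["principal"] == f"ldap/{ldap_host}@{realm}"]
    if not svc:
        findings.append(f"no ldap/{ldap_host}@{realm} ticket: the client requests it at bind time "
                        "from the server's canonical host name")
    for t in tgt + svc:  # one finding per ticket that uses a deprecated enctype
        if any(w in et.lower() for et in t["etype"] for w in WEAK_ETYPES):
            findings.append(f"{t['principal']}: weak enctype {t['etype'][1]}")
    return findings

if __name__ == "__main__":  # assumed realm/host/time taken from the post's output
    for f in check_gssapi_prereqs(parse_klist(KLIST_OUTPUT), "LINUX.LOCAL",
                                  "linuxdc.linux.local", "10/24/05 11:10:00"):
        print(f)
```

The cache in the post passes the TGT and service-ticket checks and only trips the enctype warning, which matches the packet dump: the AP-REQ/AP-REP round completed, and saslBindInProgress (0x0e) is the normal intermediate result of a multi-round SASL/GSSAPI bind rather than a failure by itself.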