Re: gssapi service principal
On Wed, 30 Nov 2005 08:20:59 -0800
Quanah Gibson-Mount <quanah@stanford.edu> wrote:
> I would imagine there is something wrong with your kerberos
> configuration then.
>
> Mine are all correctly defined:
I am sure there is some truth in that statement somewhere:>

I have used kerberos for login, nfs on a couple of shares and even the
occasional telnet for a few years now. So kerberos itself should be
good.

For ldap, I built a keytab file with only one entry. Like
ldap/hostname.my.domain@MY.REALM. Running ldapsearch without -x and
looking at truss, I see an attempt to get a ticket with ldap/hostname,
but no attempt using the fully qualified name. I put the keytab in
ldap's sysconfdir directory, gave the slapd daemon user 0600 rights and
ownership and added a 'keytab: <pathname>' entry in the
lib/sasl2/slapd.conf file. That was all strictly a guess. slapd does
not run with root permissions.

That is why I asked my question. I know something is set up or built
incorrectly. I just do not know where to start.

I have not built the sasl server/client example to verify that sasl is
good, but that seemed to be something to do after I got this principal
issue resolved.

Thanks, Alex