
Re: gssapi service principal
On Wed, 30 Nov 2005 08:20:59 -0800
Quanah Gibson-Mount <quanah@stanford.edu> wrote:

> I would imagine there is something wrong with your kerberos
> configuration then.
> 
> Mine are all correctly defined:

I am sure there is some truth in that statement somewhere:>

I have used kerberos for login, nfs on a couple of shares and even the
occasional telnet for a few years now.  So kerberos itself should be
good.

For ldap, I built a keytab file with only one entry.  Like
ldap/hostname.my.domain@MY.REALM.  Running ldapsearch without -x and
looking at truss, I see an attempt to get a ticket with ldap/hostname,
but no attempt using the fully qualified name.  I put the keytab in
ldap's sysconfdir directory, gave the slapd daemon user 0600 rights and
ownership and added a 'keytab: <pathname>' entry in the
lib/sasl2/slapd.conf file.  That was all strictly a guess.  slapd does
not run with root permissions.

That is why I asked my question.  I know something is setup or built
incorrectly.  I just do not know where to start.

I have not built the sasl server/client example to verify that sasl is
good, but that seemed to be something to do after I got this principal
issue resolved.

Thanks, Alex
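As an added diagnostic (not from Alex or anyone on the list), a small sh script that checks the pieces set up by hand above: whether the keytab slapd reads lists ldap/<fqdn>@REALM, whether the short-name request seen in truss would match anything in it, and whether the file is 0600 and owned by the slapd user. It assumes `klist -kt` output in the usual MIT/Heimdal format and takes the keytab path, realm, slapd user and FQDN as arguments; the sample listing in the comments is constructed.

```shell
#!/bin/sh
# Added diagnostic, not part of the original thread. Assumes `klist -kt`
# prints "KVNO Timestamp Principal" rows and that slapd runs unprivileged.

# Principal a GSSAPI client asks the KDC for: ldap/<canonical host>@REALM.
# $1 = host name the client resolved, $2 = realm.
expected_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# $1 = text of `klist -kt KEYTAB`, $2 = principal. Succeeds if some row
# ends in exactly that principal (e.g. "   3 11/30/2005 08:20:59 ldap/h.my.domain@MY.REALM").
keytab_lists_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# $1 = keytab path, $2 = user slapd runs as. Succeeds only if the file is
# mode 0600 and owned by that user, so nothing else on the box can read keys.
keytab_private_to() {
    [ -n "$(find "$1" -prune -perm 0600 -user "$2" -print 2>/dev/null)" ]
}

# Full check. $1 = keytab, $2 = realm, $3 = slapd user, $4 = FQDN of this host.
check_slapd_keytab() {
    keytab="$1"; realm="$2"; slapd_user="$3"; fqdn="$4"; short="${fqdn%%.*}"
    want=$(expected_principal "$fqdn" "$realm")
    listing=$(klist -kt "$keytab") || { echo "cannot read $keytab"; return 1; }
    keytab_lists_principal "$listing" "$want" || { echo "missing $want"; return 1; }
    # The symptom in the thread: the client requests ldap/<short>, which this
    # keytab cannot serve unless the client canonicalises the name to the FQDN
    # (DNS / krb5.conf) or the keytab also carries the short-name entry.
    keytab_lists_principal "$listing" "ldap/$short@$realm" ||
        echo "note: no ldap/$short@$realm entry; client must resolve $short to $fqdn"
    keytab_private_to "$keytab" "$slapd_user" ||
        { echo "keytab is not 0600 and owned by $slapd_user"; return 1; }
    echo "keytab OK for $want"
}

if [ "$#" -eq 4 ]; then check_slapd_keytab "$@"; fi
```

Point it at the keytab slapd actually opens; if `keytab:` in lib/sasl2/slapd.conf turns out not to be honoured, the KRB5_KTNAME environment variable in slapd's environment is the other usual way to name it.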