
Re: gssapi service principal

--On Wednesday, November 30, 2005 2:12 PM -0600 Alex Moore <asmoore@edge.net> wrote:

> On Wed, 30 Nov 2005 08:20:59 -0800
> Quanah Gibson-Mount <quanah@stanford.edu> wrote:
>
>> I would imagine there is something wrong with your kerberos
>> configuration then.
>>
>> Mine are all correctly defined:
>
> I am sure there is some truth in that statement somewhere :>
>
> I have used kerberos for login, nfs on a couple of shares and even the
> occasional telnet for a few years now.  So kerberos itself should be
> good.
>
> For ldap, I built a keytab file with only one entry.  Like
> ldap/hostname.my.domain@MY.REALM.  Running ldapsearch without -x and
> looking at truss, I see an attempt to get a ticket with ldap/hostname,
> but no attempt using the fully qualified name.  I put the keytab in
> ldap's sysconfdir directory, gave the slapd daemon user 0600 rights and
> ownership and added a 'keytab: <pathname>' entry in the
> lib/sasl2/slapd.conf file.  That was all strictly a guess.  slapd does
> not run with root permissions.
>
> That is why I asked my question.  I know something is set up or built
> incorrectly.  I just do not know where to start.
>
> I have not built the sasl server/client example to verify that sasl is
> good, but that seemed to be something to do after I got this principal
> issue resolved.

You really need to get the SASL server/client working *first*. It is the SASL code that determines what OpenLDAP looks for, not the other way around.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
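
A diagnostic for the mismatch Alex describes (the client asking the KDC for ldap/hostname while the keytab only holds ldap/hostname.my.domain@MY.REALM), written as an added example for this thread; it is not code from the thread, from OpenLDAP or from cyrus-sasl. It works out the service principal a GSSAPI client will request for a given LDAP server name (the library canonicalizes the hostname through DNS and, in MIT krb5, lowercases it), lists what the slapd keytab actually contains, and reports whether the two agree and whether the keytab is readable by the unprivileged user slapd runs as. The keytab path and the realm MY.REALM are assumed placeholders; override them with the KEYTAB and REALM environment variables. Quanah's suggested next step, running the cyrus-sasl sample-server and sample-client against each other with GSSAPI, is not automated here.

```shell
#!/bin/sh
# gss_principal_check.sh: compare the LDAP service principal a Kerberos
# client will request with the entries present in slapd's keytab.
# Added example for the thread above; not part of OpenLDAP or cyrus-sasl.
# Usage: sh gss_principal_check.sh ldap.my.domain   (defaults to `hostname`)

KEYTAB="${KEYTAB:-/usr/local/etc/openldap/ldap.keytab}"   # assumed path
REALM="${REALM:-MY.REALM}"                                 # realm from the thread

# Principal a GSSAPI client requests for an LDAP server at host $1 in
# realm $2. MIT krb5 lowercases the canonicalized hostname, so do the same.
service_principal() {
    printf 'ldap/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2"
}

# Canonical name the client library resolves $1 to (forward lookup via
# getent, second column of its output); falls back to the name as given.
canonical_host() {
    c=$(getent hosts "$1" 2>/dev/null | awk '{print $2; exit}')
    printf '%s\n' "${c:-$1}"
}

# Read `klist -k -t` output on stdin and print the distinct principals.
# The first three lines are the header (keytab name, column titles, dashes).
keytab_principals() {
    awk 'NR > 3 && NF >= 2 { print $NF }' | sort -u
}

# Succeed if the `klist -k -t` listing on stdin contains principal $1 exactly.
keytab_has() {
    keytab_principals | grep -Fqx -- "$1"
}

main() {
    host="${1:-$(hostname)}"
    want=$(service_principal "$(canonical_host "$host")" "$REALM")
    echo "client will request: $want"

    # slapd does not run as root, so run this check as the slapd user too.
    if ! [ -r "$KEYTAB" ]; then
        echo "keytab $KEYTAB is not readable by $(id -un); chown it to the slapd user, mode 0600" >&2
        exit 2
    fi

    listing=$(klist -k -t "$KEYTAB")
    printf '%s\n' "$listing" | keytab_principals | sed 's/^/keytab has:          /'

    if printf '%s\n' "$listing" | keytab_has "$want"; then
        echo "OK: keytab entry matches what the client will request"
    else
        echo "MISMATCH: keytab lacks $want (short name vs fully qualified name?)" >&2
        echo "Make forward and reverse DNS for $host agree, or add the requested entry." >&2
        exit 1
    fi

    # Ask the KDC for a service ticket; this proves the KDC knows the principal
    # independently of what the keytab holds.
    kvno "$want"
}

# Run only when a hostname is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it first as yourself with a fresh TGT, then again as the slapd user; the second run is the one that tells you whether the 'keytab:' entry in lib/sasl2/slapd.conf points at a file that user can actually open.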