[Date Prev][Date Next] [Chronological] [Thread] [Top]

Heimdal-Kerberos service

To: OpenLDAP-software@OpenLDAP.org
Subject: Heimdal-Kerberos service
From: gilles@ffii.org
Date: Thu, 16 Feb 2006 18:35:19 +0100
Content-disposition: inline
User-agent: Mutt/1.5.9i

Hello.

Here is something that might deserve a note in the "11.2.1. GSSAPI"
section of the sysadmin guide.

Trying:

$ ldapwhoami -H ldap://db -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

In the "slapd" log, one can see that a "kvno 1" is looked for:

2006-02-16_14:03:12.81305 SASL [conn=0] Failure: GSSAPI Error:  Miscellaneous failure (see text) (failed to find ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG(kvno 1) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96))

But it's version "2" in the keytab file:

# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  2  des-cbc-md5              ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG
  2  des-cbc-md4              ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG
  2  des-cbc-crc              ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG
  2  aes256-cts-hmac-sha1-96  ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG
  2  des3-cbc-sha1            ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG
  2  arcfour-hmac-md5         ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG

I'm using "Heimdal" Kerberos, and the keytab was updated with

# ktutil get -p eran/admin ldap/db.harfang.homelinux.org

which, if I understood correctly, seems to be responsible for the
"kvno" change; while the "ext" sub-command doesn't modify it.

And, indeed, deleting the "ldap" principal, re-creating it, and using
"ext" to update the keytab, I now get a response from "slapd":

$ ldapwhoami -H ldap://db -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: eran@HARFANG.HOMELINUX.ORG
SASL SSF: 56
SASL installing layers
dn:uid=eran,cn=gssapi,cn=auth

Two (probably similar) questions still:

1. Why is the "ldap" part in the principal name
     ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG
   hard-coded? [I had tried with another "prefix", and being stuck
   until told, on the "cyrus-sasl" ML, that I couldn't.]

2. Why can't the "kvno" be changed?


Thanks,
Gilles

Follow-Ups:
- Re: Heimdal-Kerberos service
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: Heimdal-Kerberos service
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: LDAP Client API
Next by Date: LDAP Bind request seen many times in network trace
Index(es):
- Chronological
- Thread