Re: Heimdal-Kerberos service

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Thursday, February 16, 2006 6:35 PM +0100 gilles@ffii.org wrote:

> Hello.
>
> Here is something that might deserve a note in the "11.2.1. GSSAPI"
> section of the sysadmin guide.
>
> Trying:
>
> $ ldapwhoami -H ldap://db -Y GSSAPI
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure: GSSAPI
> Failure: gss_accept_sec_context
>
> In the "slapd" log, one can see that a "kvno 1" is looked for:
>
> 2006-02-16_14:03:12.81305 SASL [conn=0] Failure: GSSAPI Error:
> Miscellaneous failure (see text) (failed to find
> ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG(kvno 1) in keytab
> FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96))
>
> But it's version "2" in the keytab file:

I'm guessing this was cached in YOUR ticket cache file.  See "klist".  You 
need to renew your kerberos tickets after updating the keytab on the server 
if a ticket from the previous kvno exists in your ticket cache.

Note that this is NOT an LDAP question but a Kerberos question.

> 1. Why is the "ldap" part in the principal name
>      ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG
>    hard-coded? [I had tried with another "prefix", and being stuck
>    until told, on the "cyrus-sasl" ML, that I couldn't.]

Because the first part is for the service being used? (i.e., ldap for the 
LDAP server?).

> 2. Why can't the "kvno" be changed?

See above.  I suggest directing further questions about how kerberos 
operations to a suitable kerberos related list.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html