
RE: LDAP config problem with GSSAPI: No such file or directory



Yes, I can kinit,
I already tried making /etc/krb5.keytab world readable; it did not change the "No such file" error. However, should it be owned by root or by my slapd user?
[root@trixter ~]# ll /etc/krb5.keytab
-rw-r--r-- 1 root root 712 2008-01-15 13:00 /etc/krb5.keytab
The logs I check are /var/log/messages, slapd and krb5kdc.log. The logs do not show the ldap client error. I DID see some SELinux errors for krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This did not stop the error. I guess I'll try turning SELinux off and see if that makes any difference.
 
BTW: Here's the command with debug on:
[installer@trixter ~]$  ldapwhoami -V -d 1 -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov  2 2007 08:16:20) $
        kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
        (LDAP library: OpenLDAP 20333)
ldap_create
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP trixter.hymesruzicka.org:11562
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.3:11562
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=trixter.hymesruzicka.org
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 589 bytes to sd 3
ldap_result ld 0x8d82038 msgid 1
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
wait4msg ld 0x8d82038 msgid 1 (infinite timeout)
wait4msg continue ld 0x8d82038 msgid 1 all 1
** ld 0x8d82038 Connections:
* host: trixter.hymesruzicka.org  port: 11562  (default)
  refcnt: 2  status: Connected
  last used: Wed Jan 16 10:11:11 2008
 
** ld 0x8d82038 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x8d82038 Response Queue:
   Empty
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
ldap_int_select
read1msg: ld 0x8d82038 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
read1msg: ld 0x8d82038 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8d82038 0 new referrals
read1msg:  mark request completed, ld 0x8d82038 msgid 1
request done: ld 0x8d82038 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No such file or directory)


From: openldap-software-bounces+listbox=hymerfania.com@OpenLDAP.org [mailto:openldap-software-bounces+listbox=hymerfania.com@OpenLDAP.org] On Behalf Of Amir Saad
Sent: Tuesday, January 15, 2008 11:15 PM
To: Listbox; openldap-software@openldap.org
Subject: RE: LDAP config problem with GSSAPI: No such file or directory

Are you able to kinit? For testing only, please change the /etc/krb5.keytab to 644 ( please change it back to 600 when you finish testing) and then restart slapd. Did it work? Could you tail -f /var/log/syslog?

Thank you

Amir

> From: listbox@hymerfania.com
> To: openldap-software@openldap.org
> Subject: LDAP config problem with GSSAPI: No such file or directory
> Date: Tue, 15 Jan 2008 14:52:07 -0800
>
> Hi folks,
> I'm having a real hard time debugging this.
> I'm a newbie, trying to do a new ldap+kerberos install , on a new Fedora 7
> box. I can't get ldapsearch or ldapwhoami to work locally. I thought it was
> a read problem with the keytab files, but I tried setting KRB5_KTNAME to a
> keytab file I knew was readable by slapd, and that did not help. I also
> checked permissions on my certificates, and that seems OK too. ldapsearch -x
> does work, but ldapsearch -Y GSSAPI does not.
>
> Any help would be greatly appreciated :)
> *******************************************
> *******************************************
>
> [installer@trixter ~]$ ldapwhoami -V -Y GSSAPI
> ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
>
> kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
> (LDAP library: OpenLDAP 20333)
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more
> information (No such file or directory)
>
> *******************************************
> *******************************************
>
> [installer@trixter ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: installer@HYMESRUZICKA.ORG
>
> Valid starting     Expires            Service principal
> 01/15/08 13:11:43  01/16/08 13:11:43  krbtgt/HYMESRUZICKA.ORG@HYMESRUZICKA.ORG
> 01/15/08 13:12:35  01/16/08 13:11:43  ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
>
> *******************************************
> *******************************************
>
> [installer@trixter ~]$ cat /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
> # This file should be world readable but not world writable.
> BASE dc=hymesruzicka,dc=org
> URI ldap://trixter.hymesruzicka.org:11562 ldaps://trixter.hymesruzicka.org:636
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow
> #SIZELIMIT 12
> TIMELIMIT 5
> #DEREF never
>
>
> *******************************************
> *******************************************
>
>
> *******************************************
> *******************************************
>
>
> I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not
> show which resource is not accessible. Actually I'm surprised that strace
> does not show any attempts to open the keytabs or anything in
> /etc/openldap/cacerts...
>
>
> Thanks!
>
> Listbox
>
>

