Re: SASL/GSSAPI: ldap_sasl_interactive_bind_s: Local error (-2)
Cameron Harris wrote:
On Sun, Dec 14, 2008 at 3:34 PM, Michael Ströder <michael@stroeder.com> wrote:
Cameron Harris wrote:
> On Sun, Dec 14, 2008 at 11:31 AM, Michael Ströder <michael@stroeder.com> wrote:
>
> > Did you obtain a TGT before? What's the output of command klist?
>
> I did obtain a TGT with kinit:
Hmm, I vaguely remember having to use "kinit -A" to avoid the
local error.
Ciao, Michael.
Didn't work, unfortunately.
Same error. :(
Cameron Harris
Cameron,
Here are some sanity checks to try:
Query your LDAP server to make sure that it is offering GSSAPI:
ldapsearch -H ldap://ldap.example.net -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
If GSSAPI is not listed, verify configuration on the server. Check that
the GSSAPI SASL mechanism is installed:
~# pluginviewer | grep -i gssapi
pluginviewer: SASL Other: OTP: auxprop backend can't store properties
LOGIN DIGEST-MD5 NTLM GSSAPI OTP PLAIN ANONYMOUS CRAM-MD5 EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
LOGIN DIGEST-MD5 NTLM GSSAPI OTP PLAIN ANONYMOUS CRAM-MD5 EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56
Verify configuration of your slapd.conf SASL config:
~# cat /usr/lib/sasl2/slapd.conf
keytab: /etc/krb5.keytab-ldap
pwcheck_method: auxprop saslauthd
auxprop_plugin: slapd
(The location of your SASL slapd.conf config is dependent on how your
SASL libraries are compiled.) Your config doesn't have to match mine.
You might want to explicitly set the location of your keytab, and verify
that you do not have a restrictive 'mech_list'. *If* you have a mech_list
defined, make sure it includes GSSAPI.
If your server config looks OK, verify that you have the GSSAPI
mechanism installed correctly on your client system with the (Cyrus
SASL) pluginviewer command.
Verify that you are retrieving the ldap/ldap.local@LOCAL service ticket
from the KDC on your client (with klist). If not, you may not be
specifying a fully qualified domain name in your URI statement within
your ldap.conf config. Make sure your URI statement is a FQDN (and not
an IP address or ldapi:///) or that you're specifying one within the
ldapsearch statement.
Most likely the error you're receiving can be traced down to a Cyrus
SASL or Kerberos misconfiguration. Check your syslog and auth.log on the
server and client for possible additional errors.
- Dan
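An added POSIX shell helper that scripts the sanity checks Dan lists above (it is not part of this thread or of OpenLDAP). It assumes the OpenLDAP ldapsearch, Cyrus SASL pluginviewer and Kerberos klist tools are on PATH, and that the server URI is passed in the LDAP_URI environment variable; the parsing functions take their input on stdin so they can be exercised offline.

```shell
#!/bin/sh
# Diagnostic helper for "ldap_sasl_interactive_bind_s: Local error (-2)" with
# SASL/GSSAPI. Hypothetical script, not from the thread; assumes the tools above.

# Succeed if the LDIF on stdin (root DSE query) advertises GSSAPI.
offers_gssapi() {
    grep -qi '^supportedSASLMechanisms: *GSSAPI *$'
}

# Succeed if klist output on stdin holds a ticket for ldap/<host>@REALM.
# The client only fetches this service ticket during a bind attempt, so
# run it after the failing ldapsearch, not before.
has_ldap_service_ticket() {
    grep -qF "ldap/$1@"
}

# Print the host part of an ldap:// or ldaps:// URI; fail for ldapi:///,
# a bare IPv4 address or a short (unqualified) name, because the client
# derives the ldap/<fqdn>@REALM principal from exactly this string.
uri_fqdn() {
    host=$(printf '%s\n' "$1" | sed -n 's#^ldaps\{0,1\}://\([^/:]*\).*#\1#p')
    [ -n "$host" ] || return 1
    case "$host" in
        *[!0-9.]*) ;;              # has letters, so not a bare IPv4 address
        *) return 1 ;;
    esac
    case "$host" in
        *.*) printf '%s\n' "$host" ;;
        *) return 1 ;;             # no dot: short name, not fully qualified
    esac
}

# Run the checks in the order Dan suggests against a live server.
run_checks() {
    uri="$1"
    h=$(uri_fqdn "$uri") || { echo "URI must name the server by FQDN: $uri"; return 1; }
    ldapsearch -H "$uri" -x -b "" -s base -LLL supportedSASLMechanisms | offers_gssapi \
        || { echo "server does not advertise GSSAPI; check slapd SASL config"; return 1; }
    pluginviewer 2>/dev/null | grep -qi gssapi \
        || { echo "Cyrus SASL GSSAPI plugin not installed on this client"; return 1; }
    klist 2>/dev/null | has_ldap_service_ticket "$h" \
        || { echo "no ldap/$h@REALM ticket in cache after the bind attempt"; return 1; }
    echo "all GSSAPI sanity checks passed for $h"
}

# Only touch the network when a URI is supplied, e.g. LDAP_URI=ldap://ldap.example.net ./check.sh
if [ -n "${LDAP_URI:-}" ]; then
    run_checks "$LDAP_URI"
fi
```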