Re: ldapsearch using GSSAPI failed to run from other machine ...
- To: Dan White <dwhite@olp.net>, openldap-software@openldap.org
- Subject: Re: ldapsearch using GSSAPI failed to run from other machine ...
- From: huican ping <pinghuican@gmail.com>
- Date: Thu, 11 Feb 2010 12:52:02 -0600
- In-reply-to: <20100211183850.GC5446@dan.olp.net>
- References: <cfaf6bb71002102141h7daaad80sf7bfa6494726cd66@mail.gmail.com> <20100211183850.GC5446@dan.olp.net>
Hello Dan,
Sorry for my ignorance of the OpenLDAP GSSAPI mechanism; just now I
tried and I think I found why.
On another machine, I need to configure the realms in /etc/krb5.conf, so
the machine knows where the KDC is.
After that, I ran "kinit user", and then ldapsearch worked fine.
Thank you very much for your reply.
On Thu, Feb 11, 2010 at 12:38 PM, Dan White <dwhite@olp.net> wrote:
> On 10/02/10 23:41 -0600, huican ping wrote:
>>
>> This is a dummy question. I have only just started working with sasl+krb5
>> and ldap. Could any kind people tell me how to make ldapsearch
>> work from another machine? E.g., what kind of setup/procedure should I
>> do on the other machine before I can do ldapsearch with gssapi
>> effectively?
>
> http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/OpenLdapSaslGssapi
>
>> Output when run on the different machine
>> =============================
>> /tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001
>> -Y gssapi -U admin -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>> additional info: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure. Minor code may provide more information
>> (Unknown code krb5 7)
>
> I don't know what "Unknown code krb5 7" means, but I would make sure:
>
> You have a local credentials cache (klist)
> You have received a ticket for the LDAP service principal
> You are referencing the server using the same name as its service principal
> You have forward and reverse DNS setup for both the server and client
>
> I'm guessing that '-h 10.230.34.88' is incorrect. I would recommend
> referencing the server by DNS name, unless the server really is using a
> service principal with that IP address.
>
> --
> Dan White
>
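A preflight script, added here and not part of the thread, that walks through Dan's checklist and the realm/kdc setting the original poster found missing on the second machine; the function names, the krb5.conf parsing and the sample realm and host values are assumptions of this example.

```shell
#!/bin/sh
# Preflight checks for an ldapsearch -Y GSSAPI bind from a second machine,
# following the checklist in the thread. Parsing logic, function names and
# the sample realm/paths are this example's own, not from OpenLDAP or MIT krb5.

# Is $1 a bare IPv4 address? GSSAPI asks the KDC for ldap/<fqdn>@REALM, so
# "-h 10.x.x.x" rarely matches the server's service principal.
host_is_ip() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
        *.*.*.*)      return 0 ;;
        *)            return 1 ;;
    esac
}

# The service principal the client will request: ldap/<host>@<REALM>.
ldap_service_principal() { printf 'ldap/%s@%s\n' "$1" "$2"; }

# Does krb5.conf ($1) give a kdc for realm $2 under [realms]? This is the
# setting the original poster found missing on the second machine.
krb5_conf_has_kdc() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[realms\]/); inrealm = 0; next }
        insec && $0 ~ ("^[ \t]*" realm "[ \t]*=") { inrealm = 1; next }
        insec && inrealm && /^[ \t]*}/ { inrealm = 0; next }
        insec && inrealm && /^[ \t]*kdc[ \t]*=[ \t]*[^ \t]/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Forward lookup of $1, then reverse lookup of the result, must agree.
dns_consistent() {
    ip=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] && getent hosts "$ip" | grep -q -w -- "$1"
}

# Live checks: $1 = server name as passed to -h, $2 = realm, $3 = krb5.conf.
preflight() {
    host_is_ip "$1" && echo "WARN: $1 is an IP; use the server's DNS name" >&2
    krb5_conf_has_kdc "$3" "$2" || { echo "FAIL: no kdc for $2 in $3" >&2; return 1; }
    dns_consistent "$1" || { echo "FAIL: forward/reverse DNS disagree for $1" >&2; return 1; }
    klist >/dev/null 2>&1 || { echo "FAIL: no credentials cache; run kinit <user>" >&2; return 1; }
    spn=$(ldap_service_principal "$1" "$2")
    # The service ticket is normally fetched at bind time, so only report it.
    klist 2>/dev/null | grep -q -F -e "$spn" || echo "NOTE: no $spn ticket cached yet" >&2
    echo "ok: try ldapsearch -h $1 -Y GSSAPI -b <base> '(objectclass=*)'"
}
```

Run `preflight ldap.example.com EXAMPLE.COM /etc/krb5.conf` (substituting your own names) before retrying the bind; each FAIL line maps to one item on Dan's list.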