
Re: Preauth error ldap heimdal kerberos



On Monday, 22 March 2010 11:49:02 Μανόλης Βλαχάκης wrote:
> Hello there, and thank you for your answer.
> I finally made it

Made what?

> and moved on, but now I face another problem.

Are you sure? It looks like the same problem, but the error message is different 
because you made different mistakes in testing.

> 
> when I do something like:
> 
> ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255
> 
> and although I set it up to require a password (in the SASL config)
> 
> and I get something like this:
> 
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>         additional info: SASL(-14): authorization failure: not authorized

A SASL/GSSAPI bind is attempted, but you haven't yet shown whether you have a 
Kerberos TGT, or valid service tickets. Please show the output of 'klist'


> Or, when I use any other command client-side, I have full access to the tree
> with no password required.

Which problem are we trying to solve? The GSSAPI bind, or the access lists? If 
you want GSSAPI bind, maybe you should concentrate on it first, as your access 
lists may be different for the case where you have GSSAPI working vs not.

(please consider replying in-line, with your replies in the right section of 
the mail, and drop any irrelevant portions).

> 2010/3/19 Dan White <dwhite@olp.net>
> 
> > On 19/03/10 12:39 +0200, Μανόλης Βλαχάκης wrote:
> >> Hello there everyone,
> >>
> >> I hope you can help me with my issue, because it has really been bothering me
> >> for a week.
> >>
> >> I set up an LDAP server on Gentoo and, after modifying Heimdal Kerberos and TLS,
> >> I am stuck at this point:
> >> I get these errors...
> >>
> >> additional info: SASL(-13): authentication failure: GSSAPI Failure:
> >> gss_accept_sec_context
> >>
> >> +
> >>
> >> AS-REQ host/proof.teipir.gr@TEIPIR.GR from IPv4:10.0.0.12 for krbtgt/TEIPIR.GR@TEIPIR.GR
> >>
> >> 2010-03-18T16:32:58 Client sent patypes: none
> >> 2010-03-18T16:32:58 Looking for ENC-TS pa-data -- host/proof.teipir.gr@TEIPIR.GR
> >>
> >> 2010-03-18T16:32:58 No preauth found, returning PREAUTH-REQUIRED -- host/proof.teipir.gr@TEIPIR.GR
> >>
> >> 2010-03-18T16:32:58 sending 268 bytes to IPv4:10.0.0.12
> >
> > Is there one host involved or two, and do they both have valid credential
> > caches (klist)?
> >
> > Does your openldap user have access to /etc/krb5.keytab? What does your
> > cyrus sasl config look like (if it exists)?
> >
> > Assuming you're using an ldapsearch command from the client, what options
> > are you passing?
> >
> > Do you have any custom SASL config items in your openldap config
> > (sasl-host, sasl-realm or sasl-secprops)?


Regards,
Buchan
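
The two checks Buchan asks for (does klist show a TGT and a valid service ticket, and which side of the bind to chase first) can be turned into a small pre-flight script. This is an added example, not code from the thread or from OpenLDAP/Heimdal. It parses klist output by taking the last field of each ticket line, so it works on both Heimdal and MIT listings; the listings embedded below are constructed samples in Heimdal's layout. The realm TEIPIR.GR is from the thread; the service principal ldap/proof.teipir.gr is an assumption, since the thread only shows host/proof.teipir.gr.

```shell
#!/bin/sh
# Added example, not code from this thread: pre-flight checks for a SASL/GSSAPI
# bind, in the order Buchan suggests (Kerberos side via klist first, then slapd).
# The klist listings below are constructed samples. Realm TEIPIR.GR is from the
# thread; the service principal ldap/proof.teipir.gr is an assumption.

# Print the service principal of every ticket line in a klist listing.
# Ticket lines end in a principal containing both "/" and "@", which also
# filters out the column header and the "Principal: user@REALM" line.
list_services() {
    printf '%s\n' "$1" | awk 'NF && index($NF, "/") && index($NF, "@") { print $NF }'
}

# has_ticket LISTING PREFIX: succeed if some ticket principal starts with PREFIX.
# index() is a literal match, so dots in the hostname are not regex metacharacters.
has_ticket() {
    list_services "$1" | awk -v p="$2" 'index($0, p) == 1 { found = 1 } END { exit !found }'
}

# gssapi_preflight LISTING REALM LDAPHOST
# Exit 1: no TGT, so a GSSAPI bind cannot even start; run kinit first.
# Exit 2: TGT only; the ldap/ ticket is requested at bind time, so a failure
#         there points at the KDC or the client's realm/host configuration.
# Exit 0: the ldap/ service ticket is present, so the KDC side succeeded and a
#         failing bind is on slapd's side (keytab readable by the slapd user,
#         sasl-host/sasl-realm, or the SASL authorization identity mapping).
gssapi_preflight() {
    listing=$1 realm=$2 host=$3
    if ! has_ticket "$listing" "krbtgt/$realm@$realm"; then
        echo "NO_TGT: no krbtgt/$realm ticket in the cache; run kinit before a GSSAPI bind"
        return 1
    fi
    if has_ticket "$listing" "ldap/$host@$realm"; then
        echo "SERVICE_TICKET_PRESENT: ldap/$host@$realm issued; check slapd (keytab, sasl-*, authz) next"
        return 0
    fi
    echo "TGT_ONLY: no ldap/$host ticket yet; try: ldapwhoami -Y GSSAPI -H ldap://$host/"
    return 2
}

# Constructed sample listings (Heimdal klist layout).
SAMPLE_KLIST_OK='Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: spiros@TEIPIR.GR

  Issued                Expires               Principal
Mar 22 11:40:01 2010  Mar 22 21:40:01 2010  krbtgt/TEIPIR.GR@TEIPIR.GR
Mar 22 11:40:05 2010  Mar 22 21:40:01 2010  ldap/proof.teipir.gr@TEIPIR.GR'

SAMPLE_KLIST_TGT_ONLY='Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: spiros@TEIPIR.GR

  Issued                Expires               Principal
Mar 22 11:40:01 2010  Mar 22 21:40:01 2010  krbtgt/TEIPIR.GR@TEIPIR.GR'

SAMPLE_KLIST_EMPTY='klist: No ticket file: /tmp/krb5cc_1000'

# Stand-alone run over the samples. Real use: gssapi_preflight "$(klist)" REALM HOST
for s in "$SAMPLE_KLIST_OK" "$SAMPLE_KLIST_TGT_ONLY" "$SAMPLE_KLIST_EMPTY"; do
    gssapi_preflight "$s" TEIPIR.GR proof.teipir.gr || true
done
```

Running `klist` again right after a failed bind is what makes the third case informative: if the ldap/ ticket has appeared, the client got past the KDC and the failure is in slapd's `gss_accept_sec_context` (keytab access) or in the authorization step. Note that the quoted ldapsearch passes `-X "dn:..."`, which requests proxy authorization as that DN on top of the GSSAPI identity; that is the step a SASL(-14) "authorization failure" reports on, so `ldapwhoami -Y GSSAPI` without `-X` is the cleaner first test of the bind itself.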