GSSAPI Bind across trusted realms
Hi,
I have REALM.A and REALM.B in my KDC setup. There is a two way trust between REALM.A and REALM.B.
I have a client computer on REALM.A, and can correctly kinit to get tickets from both realms via this trust pathway.
I also have an OpenLDAP server on the server with REALM.B, and it is identified by ldap/ldap.realm.b@REALM.B
When I obtain a ticket on REALM.A via this, and try to execute a SASL bind to the ldap server, I get an error of
SASL/GSSAPI authentication started
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
It says that Minor code may provide more information (Server ldap/ldap.realm.b@REALM.B not found in Kerberos database).
A user from REALM.B can access the LDAP server correctly with GSSAPI
klist shows that I am getting a TGT for both REALM.A and REALM.B on my user@REALM.A.
Is this an issue with kerberos being unable to find the ticket across the realm trust for ldap to be verified? What steps can I follow to help fix this issue? Are there principal flags that I am forgetting to add to my LDAP principal for this to work?
Your help is appreciated.
William Brown
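As an added diagnostic example (not part of the message above): a Python check that parses `klist` output and reports which hop of the cross-realm ticket path is missing, using a constructed sample modelled on the situation described (local TGT and cross-realm TGT present, no service ticket). It assumes MIT-style `klist` formatting; a cross-realm TGT present while the service ticket is missing, together with the KDC's "not found in Kerberos database" message, points at the service principal name the client requests not matching what REALM.B's KDC holds.

```python
import re

# Constructed sample of `klist` output (not real output): user@REALM.A holds the
# local TGT and the cross-realm TGT for REALM.B, but no ticket for the LDAP service.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@REALM.A

Valid starting       Expires              Service principal
01/01/24 10:00:00    01/01/24 20:00:00    krbtgt/REALM.A@REALM.A
01/01/24 10:00:05    01/01/24 20:00:00    krbtgt/REALM.B@REALM.A
"""

# A principal is the last whitespace-free token on a ticket line, e.g. svc/host@REALM.
PRINC_RE = re.compile(r"\S+@\S+$")


def parse_klist(text):
    """Return (default principal, set of service principals held in the cache)."""
    default, services = None, set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
            continue
        m = PRINC_RE.search(line)
        if m and "/" in m.group(0):  # service principals always carry an instance part
            services.add(m.group(0))
    if default is None:
        raise ValueError("no 'Default principal' line in klist output")
    return default, services


def check_cross_realm_path(klist_text, service, service_realm):
    """Map each hop of the cross-realm path to whether its ticket is in the cache.

    Path: local TGT -> cross-realm TGT krbtgt/<service_realm>@<client_realm>
          -> service ticket <service>@<service_realm>.
    """
    default, services = parse_klist(klist_text)
    client_realm = default.split("@", 1)[1]
    hops = {
        "local_tgt": f"krbtgt/{client_realm}@{client_realm}",
        "cross_realm_tgt": f"krbtgt/{service_realm}@{client_realm}",
        "service_ticket": f"{service}@{service_realm}",
    }
    return {name: princ in services for name, princ in hops.items()}


def first_missing_hop(klist_text, service, service_realm):
    """Name of the first hop without a ticket, or None if the whole path is cached."""
    status = check_cross_realm_path(klist_text, service, service_realm)
    return next((hop for hop, present in status.items() if not present), None)
```

Run after a failed bind: if `first_missing_hop` reports `cross_realm_tgt`, the trust path itself is broken; if it reports `service_ticket`, REALM.B's KDC refused the name the client asked for, so compare that name with the principal actually in the server's keytab.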