Hi,

Thanks for your input, but the kadmin princ wasn't the problem. The kadmin entry is correct.

> Date: Fri, 18 Nov 2011 15:27:04 +0100
> From: daff@pseudoterminal.org
> To: raffi.sahli@hotmail.com
> Subject: Re: OpenLDAP SASL Passthrough
> CC: openldap-technical@openldap.org
>
> On 18/11/11 12:03, Raffael Sahli wrote:
> > I'm pretty sure the problem is not kerberos!
>
> Hi,
>
> I just had virtually the same problem with virtually the same error
> messages and symptoms on an authentication server based on MIT Kerberos,
> OpenLDAP and SASL. I was banging my head against the wall because
> everything was configured exactly right, identical to two other systems
> I set up recently that work just fine.
>
> Keytab entries were correct, DNS resolution worked forwards and reverse,
> permissions and group memberships were correct as well, testsaslauthd
> never complained, etc. There was no reason for SASL pass-through not to
> work.
>
> Turns out the problem was DNS-related after all. When creating the
> realm, various internal principals are added, one of those is (or should
> be) "kadmin/auth01.example.com@REALM" (auth01.example.com being the FQDN
> of the Kerberos server). For some reason--probably a rogue entry in
> /etc/hosts--this principal was created as "kadmin/auth01@REALM", i.e.
> containing only the hostname, not the FQDN. Took me a whole week to
> figure that out.
>
> You might want to check your Kerberos principal names and see if you
> might have run into a similar problem.
>
> HTH
>
> Andreas
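As an added example (not code from this thread or from the MIT Kerberos project), the two checks Andreas describes in the quoted mail, scripted in POSIX sh: does the KDC hold a kadmin/<FQDN>@REALM principal rather than only kadmin/<shorthost>@REALM, and does an /etc/hosts line make the short hostname canonical for the server's address (which is what would make the realm-creation step pick the short name). The host name auth01.example.com, the realm EXAMPLE.COM and the sample listprincs output and /etc/hosts lines are constructed for the demo; the live mode assumes `kadmin.local -q listprincs` and `hostname -f` are available on the KDC.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: check the kadmin principal
# name and /etc/hosts canonical-name ordering described in the quoted mail.
# Host name, realm and sample data below are constructed, not real output.

# check_kadmin_princ FQDN REALM  < listprincs-output
# Returns 0 if kadmin/FQDN@REALM is present, 1 if only the short-host form
# kadmin/<host>@REALM exists (the misconfiguration in the thread), 2 if neither.
check_kadmin_princ() {
    fqdn=$1; realm=$2
    short=${fqdn%%.*}
    found_fqdn=0; found_short=0
    while IFS= read -r princ; do
        case $princ in
            "kadmin/$fqdn@$realm")  found_fqdn=1 ;;
            "kadmin/$short@$realm") found_short=1 ;;
        esac
    done
    if [ "$found_fqdn" -eq 1 ]; then
        echo "OK: kadmin/$fqdn@$realm present"
        return 0
    elif [ "$found_short" -eq 1 ]; then
        echo "BAD: only kadmin/$short@$realm present (short hostname, not FQDN)"
        return 1
    else
        echo "MISSING: no kadmin/$fqdn@$realm or kadmin/$short@$realm principal"
        return 2
    fi
}

# check_hosts_canonical FQDN  < /etc/hosts
# The first name after the address on an /etc/hosts line is the canonical name
# returned by reverse lookups; flag lines where that name is the short hostname.
# Returns 1 if any such line is found, 0 otherwise.
check_hosts_canonical() {
    fqdn=$1
    short=${fqdn%%.*}
    bad=0
    while read -r ip name rest; do
        case $ip in ''|\#*) continue ;; esac     # skip blank and comment lines
        if [ "$name" = "$short" ]; then
            echo "WARN: '$ip $name $rest' makes '$short' canonical; list $fqdn first"
            bad=1
        fi
    done
    return $bad
}

if [ $# -eq 2 ]; then
    # Live mode on a KDC: ./check_kadmin.sh auth01.example.com EXAMPLE.COM
    kadmin.local -q listprincs | check_kadmin_princ "$1" "$2"
    check_hosts_canonical "$1" < /etc/hosts
    [ "$(hostname -f)" = "$1" ] || echo "WARN: hostname -f gives '$(hostname -f)', not $1"
else
    # Offline demo with constructed data reproducing the thread's symptom.
    SAMPLE_PRINCS='K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/auth01@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
ldap/auth01.example.com@EXAMPLE.COM'
    SAMPLE_HOSTS='127.0.0.1 localhost
10.0.0.5 auth01 auth01.example.com'
    printf '%s\n' "$SAMPLE_PRINCS" | check_kadmin_princ auth01.example.com EXAMPLE.COM || :
    printf '%s\n' "$SAMPLE_HOSTS"  | check_hosts_canonical auth01.example.com || :
fi
```

Run it with no arguments to see the constructed failing case, or with the KDC's FQDN and realm on the KDC itself. If the short-host principal is what the KDC has, the fix is to correct /etc/hosts (FQDN first after the address), then add the kadmin/<FQDN>@REALM principal and re-export the kadmin keytab; the script only reports, it does not change anything.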