Help with SASL generic GSSAPI error
- To: openldap-technical@openldap.org
- Subject: Help with SASL generic GSSAPI error
- From: Joshua Schaeffer <jschaeffer0922@gmail.com>
- Date: Mon, 12 May 2014 20:52:14 -0600
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.5.0
I'm looking for a little help concerning the error below,
which I get when I do an ldapsearch:
root@mytest:~# ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
That error is pretty generic to me and the searching I've done to
find a solution has not yielded anything successful. I have MIT
Kerberos and SASL set up and I'm able to successfully get a TGT
from any machine that can see my KDC. I also can successfully
search my ldap directory using simple authentication. I've run
the sasl-sample-client and server between several machines
including: ldap server to krb server, test server to krb server,
test server to ldap server, etc. I can complete the sasl test on
every one. Running slapd in debug mode doesn't provide me with
any additional information:
root@baneling:~# slapd -h "ldap:/// ldapi:///" -d 256
5371865b @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $
root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
5371865c slapd starting
53718672 conn=1000 fd=13 ACCEPT from IP=10.1.10.10:53839 (IP=0.0.0.0:389)
53718672 conn=1000 op=0 BIND dn="" method=163
53718672 SASL [conn=1000] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
53718672 conn=1000 op=0 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
53718672 conn=1000 op=1 UNBIND
53718672 conn=1000 fd=13 closed
53718672 connection_read(13): no connection!
I do have the keytab in a non-standard location on the ldap server
(/etc/ldap/ldap.keytab), so I modified /etc/default/slapd and
restarted slapd. I'm not really sure what I can provide from my
cn=config that would help diagnose this issue; let me know and I
can respond with the details.
Here is my ldap.conf from the server I'm running the ldapsearch
from (my test server):
root@mytest:~# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=harmonywave,dc=com
URI ldap://baneling.harmonywave.com
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca.harmonywave.com.pem
TLS_REQCERT demand
TLS_CHECKPEER yes
TLS_CIPHER_SUITE SECURE256
# LDAP sudo settings
sudoers_base ou=SUDOers,dc=harmonywave,dc=com
# SASL Kerberos settings
SASL_MECH GSSAPI
SASL_REALM HARMONYWAVE.COM
Thanks,
Josh