[Date Prev][Date Next] [Chronological] [Thread] [Top]

Slapd authenticating with krb5 localhost principal

Hi folks,
My new Debian stretch slapd consumer configuration is suffering from a Kerberos authentication problem that looks like a bug. It is apparently unable to read the Kerberos keytab file and instead authenticates to its provider as (for my realm) ldap/localhost@EXAMPLE.COM. The error I keep getting is: 

  slapd[1668]: GSSAPI Error: Unspecified GSS failure. \
  Minor code may provide more information \
  (Server ldap/localhost@EXAMPLE.COM not found in Kerberos database)

The software I'm using is:
* Debian stretch
* MIT Kerberos 1.15-1
* slapd 2.4.44+dfsg-3
* libsasl2-modules-gssapi-mit 2.1.27~101-g0780600+dfsg-3
The usual way to get slapd to use a Kerberos principal to authenticate to a provider is by telling it where the Kerberos key table file is. On Debian systems, slapd looks in a default location first (/etc/krb5.keytab), but an alternate keytab can be set in /etc/default/slapd with e.g.: 

  export KRB5_KTNAME=/etc/ldap/krb5-ldap.keytab
Just ensure that the openldap group can read the keytab file. This works on Debian wheezy with slapd 2.4.31-2+deb7u2, but for some reason it's not working at all on Debian stretch. 

Other things I have checked are:
* /etc/hostname
* hostnamectl status
* /etc/hosts (contains only '127.0.0.1 localhost' and linklocal addresses)
* DNS forward and reverse lookups
So, is this a slapd problem, or maybe something to do with a SASL/GSSAPI library, such as libsasl2-modules-gssapi-mit? 

Thanks,

Jaap