
Re: OpenLDAP / SASL / Heimdal



On Monday, 7 June 2004 13:02, sam wrote:
> Andreas Haupt wrote:
> >Hello,
> >
> >I'm trying to set up OpenLDAP with SASL2 and Heimdal. When trying to
> >authenticate I get the following error in the log files:
> >
> >2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/
> >dice.hmi.de@HMI.DE
> >2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/
> >dice.hmi.de@HMI.DE
> >2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects
> >request
> >2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects
> >request
> >2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
> >2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
> >
> >I don't have a clue what this means and how I can avoid the problem...
> >Heimdal server is version 0.6 (SuSE 9.0).
> >
> >Greetings
> >Andreas
>
> As root, execute command "ktutil list" to see whether you have
> ldap/dice.hmi.de@HMI.DE, and add user blh using kadmin. Then su - blh,
> and kinit, then try again.

dice:~ # ktutil list
FILE:/etc/krb5.keytab:

Vno  Type           Principal              
  1  des-cbc-crc    host/dice.hmi.de@HMI.DE
  1  des-cbc-md4    host/dice.hmi.de@HMI.DE
  1  des-cbc-md5    host/dice.hmi.de@HMI.DE
  1  des3-cbc-sha1  host/dice.hmi.de@HMI.DE
  1  des-cbc-crc    ldap/dice.hmi.de@HMI.DE
  1  des-cbc-md4    ldap/dice.hmi.de@HMI.DE
  1  des-cbc-md5    ldap/dice.hmi.de@HMI.DE
  1  des3-cbc-sha1  ldap/dice.hmi.de@HMI.DE

krb4:/etc/srvtab:

Vno  Type         Principal              
  1  des-cbc-md5  host/dice.hmi.de@HMI.DE
  1  des-cbc-md4  host/dice.hmi.de@HMI.DE
  1  des-cbc-crc  host/dice.hmi.de@HMI.DE
  1  des-cbc-md5  ldap/dice.hmi.de@HMI.DE
  1  des-cbc-md4  ldap/dice.hmi.de@HMI.DE
  1  des-cbc-crc  ldap/dice.hmi.de@HMI.DE
dice:~ # ll /etc/krb5.keytab
-rw-r-----  1 root ldap 498 Jun  4 14:21 /etc/krb5.keytab

blh@dice:~> kinit blh                                          
blh@HMI.DE's Password: 
blh@dice:~> klist -v
Credentials cache: FILE:/tmp/krb5cc_10296
        Principal: blh@HMI.DE
    Cache version: 4

Server: krbtgt/HMI.DE@HMI.DE
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Jun  7 13:07:21 2004
End time:   Jun  8 14:07:21 2004
Renew till: Jul  7 13:07:21 2004
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:134.30.5.92

blh@dice:~> ldapsearch '(&(objectClass=ipHost)(cn=www.hmi.de))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:  
Miscellaneous failure (see text) (KDC policy rejects request)
blh@dice:~> 

I hope this helps. For me everything looks ok... The keytab is readable by 
the group ldap to let slapd read it (runs with uid/gid ldap).

Greetings
Andreas

-- 
| Andreas Haupt                    | E-Mail:  andreas.haupt@hmi.de
| Hahn-Meitner-Institut (DN)       | WWW:
| Glienicker Straße 100            | Phone:   +49/30/8062-2597
| 14109 Berlin                     | Fax:     +49/30/8062-2096
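An added example (mine, not code from the thread or from Heimdal) that groups each TGS-REQ in a KDC log of the format quoted above with the KDC's reason line, so rejected client/service pairs can be counted during triage; the sample log is constructed from the lines in the original post plus one successful request.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the Heimdal KDC log format shown in the thread: the
# two rejected ldap/ requests from the original post plus one successful
# request (added here for contrast; not from the page).
SAMPLE_LOG = """\
2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/dice.hmi.de@HMI.DE
2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects request
2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/dice.hmi.de@HMI.DE
2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects request
2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
2004-06-07T11:44:10 TGS-REQ alice@HMI.DE from IPv4:134.30.5.93 for host/dice.hmi.de@HMI.DE
2004-06-07T11:44:10 sending 612 bytes to IPv4:134.30.5.93
"""

TGS_RE = re.compile(r"^(\S+) TGS-REQ (\S+) from (\S+) for (\S+)$")
SEND_RE = re.compile(r"^(\S+) sending (\d+) bytes to (\S+)$")


@dataclass
class TgsRequest:
    time: str
    client: str
    addr: str
    service: str
    error: Optional[str] = None  # KDC-side reason, None if the ticket was issued


def parse_kdc_log(text: str) -> List[TgsRequest]:
    """Group each TGS-REQ with the KDC's reason line(s) and its reply."""
    requests: List[TgsRequest] = []
    pending: Optional[TgsRequest] = None
    for line in text.splitlines():
        m = TGS_RE.match(line)
        if m:
            pending = TgsRequest(*m.groups())
            requests.append(pending)
            continue
        if SEND_RE.match(line):
            pending = None  # reply sent: this request is complete
            continue
        if pending is not None:  # any other line is the KDC explaining itself
            pending.error = line.split(" ", 1)[1]  # strip the timestamp


    return requests


def summarize_rejections(requests: List[TgsRequest]) -> Counter:
    """Count rejected requests by (client, service, reason) for triage."""
    return Counter((r.client, r.service, r.error) for r in requests if r.error)
```

A pair that shows up repeatedly with "KDC policy rejects request" while other services succeed points at the service principal or the KDC's policy for that request rather than at the user's credentials.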