Re: OpenLDAP / SASL / Heimdal
Andreas Haupt wrote:
>On Monday, 7 June 2004 12:42, Andreas Haupt wrote:
>
>
>>Hello,
>>
>>I'm trying to setup OpenLDAP with SASL2 and Heimdal. When trying to
>>authenticate I get the following error in the log files:
>>
>>2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/dice.hmi.de@HMI.DE
>>2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/dice.hmi.de@HMI.DE
>>2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects request
>>2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects request
>>2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
>>2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
>>
>>I don't have a clue what this means and how I can avoid the problem...
>>Heimdal server is version 0.6 (SuSE 9.0).
>>
>>
>
>It seems this is related to the latest security update done by SuSE. After
>downgrading I got another (not so cryptic) error:
>
>blh@dice:~> ldapsearch -x -H ldap://dice.hmi.de/ -b "" -s base -LLL supportedSASLMechanisms
>dn:
>supportedSASLMechanisms: GSSAPI
>
>blh@dice:~> ldapwhoami -H ldap://dice.hmi.de/ -D "cn=dice,dc=hmi,dc=de" -Y GSSAPI
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>blh@dice:~> klist
>Credentials cache: FILE:/tmp/krb5cc_10296
> Principal: blh@HMI.DE
>
> Issued Expires Principal
>Jun 7 13:07:21 Jun 8 14:07:21 krbtgt/HMI.DE@HMI.DE
>Jun 7 13:32:38 Jun 8 14:07:21 ldap/dice.hmi.de@HMI.DE
>blh@dice:~>
>
>So I got a ticket. The rest is hopefully not complicated...
>
>Greetings
>Andreas
>
>
>
Can you test whether user blh can log in to blh itself first? Like this:
blh$ telnet -ax -l blh dice.hmi.de
The login should go ahead without asking blh's password.
Also keep track of your kerberos log file while doing the above test. In
my system I used the following command to keep track of the kerberos log
file:
tail -f /var/log/krb5kde.log
If you don't see any message written to the log file while doing telnet
-ax to dice, your kerberos server is not working.
If the telnet -ax is working without typing a password, re-populate your
ldif file with the following entries:
==== cut this to your file as rootdn.ldif ==========
dn: dc=dice,dc=hmi,dc=de
objectClass: dcObject
objectClass: organization
dc: dice
o: My Play Ground
description: My Play Ground LDAP Database

# Administrative user for SoM Ldap database
dn: cn=root,dc=dice,dc=hmi,dc=de
objectClass: organizationalRole
cn: root
description: SuperUser for Ldap Services
============end of rootdn.ldif==================
In your DNS setup, make sure dice is the official host name, not a CNAME.
sam
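A small pre-check for the rootdn.ldif suggested above, added here as an example and not part of the thread: it splits the LDIF into entries, flags entries that were run together without the blank-line separator LDIF requires, verifies that the RDN value appears as an attribute of the entry (slapadd rejects entries where it does not), and checks the MUST attributes of the three object classes used in the file. The sample LDIF is constructed from the entries in the message; folded or base64 (`::`) LDIF lines are not handled.

```python
import re
MUST_ATTRS = {"dcobject": ["dc"], "organization": ["o"], "organizationalrole": ["cn"]}  # core.schema MUST

def parse_ldif(text):
    """Split LDIF text on blank lines into entries of {attr: [values]}; plain 'attr: value' lines only."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or not line.strip():
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def check_entry(entry):
    """Return the problems found in one entry; an empty list means slapadd should accept it."""
    dns = entry.get("dn", [])
    if not dns:
        return ["entry has no dn"]
    if len(dns) > 1:
        return [f"{dns[0]}: several dn lines in one entry (missing blank-line separator?)"]
    problems, dn = [], dns[0]
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    # slapadd insists that the naming attribute value (dc: dice, cn: root) is present in the entry
    if rdn_val.strip() not in entry.get(rdn_attr.strip().lower(), []):
        problems.append(f"{dn}: RDN value '{rdn_val}' missing from attribute '{rdn_attr}'")
    for oc in entry.get("objectclass", []):
        for must in MUST_ATTRS.get(oc.lower(), []):
            if must not in entry:
                problems.append(f"{dn}: objectClass {oc} requires attribute '{must}'")
    return problems

def check_ldif(text):
    return [p for e in parse_ldif(text) for p in check_entry(e)]

# Constructed sample: the rootdn.ldif from the thread with the blank line LDIF needs between entries
GOOD_LDIF = """\
dn: dc=dice,dc=hmi,dc=de
objectClass: dcObject
objectClass: organization
dc: dice
o: My Play Ground

dn: cn=root,dc=dice,dc=hmi,dc=de
objectClass: organizationalRole
cn: root
"""
BAD_LDIF = GOOD_LDIF.replace("Ground\n\n", "Ground\n")  # entries run together, as first posted
```

Run `check_ldif(open("rootdn.ldif").read())` before `slapadd -l rootdn.ldif`; an empty list means the file passed these checks.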