Re: Cross Realm HELP
The error I get from ldapsearch is:
ldap_sasl_interactive_bind: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (Server (krbtgt/.@REALMA.COM) unknown)
I've tried stracing and ldd'ing ldapsearch and I noticed that it's not linked to certain libraries I would think it would be.
A "native" ldapsearch I checked was linked to the following libraries:
libldap
liblber
libdl
libssl
libcrypto
libcrypt
libresolv
libc
libgssapi_krb5
libkrb5
libcom_err
libk5crypto
libz
However, the ldapsearch I build is only linked to the following libraries:
linux-gate
libpthread
libsasl2
libbind
libc
lib/ld-linux
libdl
libresolv
libnsl
Quite a difference.
I'm guessing that I'm doing something wrong when I'm building heimdal, then cyrus-sasl, then openldap.
My heimdal steps:
(1) ./configure --with-openssl=/code/openssl-0.9.7c/ssl-inst \
    --with-openssl-lib=/code/openssl-0.9.7c/ssl-inst/lib \
    --with-openssl-include=/code/openssl-0.9.7c/ssl-inst/include
(2) make
(3) make install
My cyrus-sasl steps:
(1) ./configure --enable-gssapi=/usr/heimdal --with-openssl=/code/openssl-0.9.7c --with-gss_impl=heimdal --with-gnu-ld
(2) make
(3) make install
My openldap steps:
(1) ./configure --with-cyrus-sasl --with-tls
(2) make
(3) make install
Am I missing anything? Doing something strange or wrong?
Thanks,
- Jeremiah
On 10/12/05, Love Hörnquist Åstrand <lha@kth.se> wrote:
Jeremiah Martell <inlovewithgod@gmail.com> writes:
> I cannot kinit to realm B, and then use ldapsearch -Y GSSAPI to access
> the ldap directory in realm A. (Even though there's a trust between the
> realms B and A)
>
> However, I can first kinit to B, use kvno to manually get a ticket for
> the ldap directory in realm A (kvno ldap/domainA@realmA), and then use
> ldapsearch -Y GSSAPI to access the ldap directory in realm A.
Check KDC logs in realm B. Check with tcpdump what the client tries to do.
What error do you get from ldapsearch?
Love