Re: LDAP/Kerberos/GSSAPI Error:Hostname cannot be canonicalized
On Tue, 1 Jul 2008 14:01:13 +0200 (CEST)
<fmayer@gmx.de> wrote:
> Hi list,
> I am trying to set up an LDAP-Server with SASL and Kerberos-authentication via
> GSSAPI. The systems are running Debian etch using the heimdal-implementation.
>
> As far as I see, most things (ldap, sasl, kerberos) seem to be set up and
> running but there is some kind of misconfiguration: When I try to access the
> ldap-server (having received a kerberos-ticket by "kinit fmayer" previously) I
> get an error-message:
>
> (a little bit anonymized)
> > fmayer@client:~$ klist
> > Credentials cache: FILE:/tmp/krb5cc_1002
> > Principal: fmayer@TESTREALM.LOCAL
> >
> > Issued Expires Principal
> > Jul 1 11:36:15 Jul 1 21:48:25 krbtgt/TESTREALM.LOCAL@TESTREALM.LOCAL
> >
> > fmayer@client:~$ ldapsearch
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> > additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied
> > (Hostname cannot be canonicalized)
>
> I believe that this is a kerberos-misconfiguration, since LDAP worked fine with
> the SASLMech EXTERNAL.
>
> Both the machines and the ldap-service have a principal-entry in the
> kerberos-database, and the names of the machines are being found via the DNS.
> I am currently a little bit puzzled about what is going wrong when (certainly) the
> server complains that a "Hostname cannot be canonicalized". Searching with
> google with these keywords does not lead to anything useful.
>
> Could anyone give me a hint, what is possibly going wrong in the configuration?
> Of course I could have added some more debug-information from either the
> log-file and/or by using the "-d"-switch - but I do not want to spam the list,
> especially not in the first posting :)
What do you get from:
$ hostname -f
?
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
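
An added example, not part of either message above: it extends the `hostname -f` check to the forward and reverse lookups that host-based Kerberos service names commonly depend on, and reports where canonicalization breaks. The function name, the `ldap` service prefix and the injectable resolver parameters are assumptions made for illustration; the realm is the one shown in the klist output.

```python
import socket

def check_canonicalization(host, service="ldap", realm="TESTREALM.LOCAL",
                           getaddrinfo=socket.getaddrinfo,
                           gethostbyaddr=socket.gethostbyaddr):
    """Forward-resolve `host` asking for its canonical name, then reverse-resolve
    the address. Returns (expected_principal_or_None, list_of_problems).
    The resolver arguments exist only so the check can be exercised offline."""
    problems = []
    try:
        infos = getaddrinfo(host, None, 0, socket.SOCK_STREAM, 0,
                            socket.AI_CANONNAME)
    except socket.gaierror as exc:
        return None, [f"forward lookup of {host!r} failed: {exc}"]
    # The canonical name is carried on the first result only.
    canon = (infos[0][3] or host).rstrip(".").lower()
    addr = infos[0][4][0]
    if "." not in canon:
        problems.append(f"canonical name {canon!r} is not fully qualified")
    if addr.startswith("127.") or addr == "::1":
        problems.append(f"{host!r} resolves to loopback {addr} (check /etc/hosts)")
    try:
        rname = gethostbyaddr(addr)[0].rstrip(".").lower()
        if rname != canon:
            problems.append(f"reverse lookup of {addr} gives {rname!r}, not {canon!r}")
    except (socket.herror, socket.gaierror) as exc:
        problems.append(f"no reverse (PTR) record for {addr}: {exc}")
    # Service principal a client would be expected to request for this host.
    return f"{service}/{canon}@{realm}", problems

if __name__ == "__main__":
    import sys
    # Check the local host plus any server names given on the command line.
    for name in [socket.gethostname()] + sys.argv[1:]:
        principal, problems = check_canonicalization(name)
        print(name, "->", principal)
        for problem in problems:
            print("  problem:", problem)
```

Run it on both the client and the LDAP server, passing the server name exactly as the LDAP client uses it, and compare the printed principal with the entry in the Kerberos database.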