List: debian-user
Subject: Re: LDAP with Kerberos authentification
From: Ryan Schultz <schultz.ryan () gmail ! com>
Date: 2005-06-30 20:48:18
Message-ID: 200506301648.23144.schultz.ryan () gmail ! com
On Thursday 30 June 2005 06:09 am, Eugen Wintersberger wrote:
> Hi there
> I have a problem with slapd using Kerberos V (GSSAPI) authentication
> on Debian 3.1 Sarge. The Kerberos configuration seems to be ok since
> cyrus imap daemon uses it without any problems.
>
> I also added the appropriate principals to my Kerberos database and to
> the krb5.keytab file:
>
> ldap/hubbard.hlphys.uni-linz.ac.at@HLPHYS.UNI-LINZ.AC.AT
> ldap/localhost@HLPHYS.UNI-LINZ.AC.AT
>
> After getting my TGT with
>
> > kinit admin
>
> I tried a simple
>
> > ldapwhoami -h hubbard.hlphys.uni-linz.ac.at
>
> and got the following error message
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (No principal in keytab matches desired name)
>
> I got a similar error with cyrus imapd before I changed the "servername"
> variable in imapd.conf to the hostname.
> Has anyone an idea what I'm doing wrong?
>
> thanks
>
> Eugen
>
>
> --
> Eugen Wintersberger <eugen.wintersberger@gmx.net>

Try adding ldap/<yourFQDN>@<KERBDOMAIN> to the keytab. Also make certain
that slapd can read the keytab that contains everything relevant to it. To do
this without compromising the main keytab, you have to add an override
in /etc/default/slapd, for example something like:

    # Kerberos ticket configuration
    export KRB5_KTNAME=/etc/ldap/ldap.keytab

I'm guessing, mostly -- I have an LDAPS/Kerberos implementation working here,
but it was a nightmare to set up. The most important things to check, I've
found, are the FQDNs of all the systems involved -- both LDAP and Kerberos
are very, very picky about them.
--
Ryan Schultz
-> floating point exception: divide by cucumber
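
The two things this reply says to check (that the keytab slapd is pointed at really contains ldap/<FQDN>@<REALM>, and that a dedicated keytab is used rather than the main one), as an added example that is not part of the original message. It reads the MIT keytab file format (0x0502) directly; the host name and realm come from the quoted question, while the keytab contents, the all-zero key and the "no group/other access" rule are assumptions made for the example.

```python
import os, stat, struct, tempfile

def keytab_principals(data):
    """Return the principal names in an MIT keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    names, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted entry (hole)
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, parts = pos + 2, []
        for _ in range(ncomp + 1):     # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        names.add("/".join(parts[1:]) + "@" + parts[0])
        pos += size                    # skip name type, timestamp, kvno and key
    return names

def check_service_keytab(path, service, fqdn, realm):
    """List reasons an acceptor for service/fqdn@realm cannot use this keytab."""
    problems = []
    # Assumed policy: only the owning service account may touch the keytab.
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode: keytab is accessible to group or other")
    with open(path, "rb") as f:
        have = keytab_principals(f.read())
    wanted = f"{service}/{fqdn}@{realm}"
    if wanted not in have:
        problems.append(f"principal: {wanted} not in keytab, found {sorted(have)}")
    return problems

def sample_entry(realm, *components):
    """Build one keytab entry with an all-zero dummy key (constructed data)."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(components)) + b"".join(map(cs, (realm,) + components))
    body += struct.pack(">IIBHH", 1, 0, 1, 23, 16) + bytes(16)
    return struct.pack(">i", len(body)) + body

def demo():
    """Check a constructed keytab that holds only ldap/localhost."""
    realm, fqdn = "HLPHYS.UNI-LINZ.AC.AT", "hubbard.hlphys.uni-linz.ac.at"
    with tempfile.NamedTemporaryFile() as f:   # created with mode 0600
        f.write(b"\x05\x02" + sample_entry(realm, "ldap", "localhost"))
        f.flush()
        return check_service_keytab(f.name, "ldap", fqdn, realm)
```

On a real host, call check_service_keytab() with the path that KRB5_KTNAME names, as a user allowed to read that file.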