Re: kerberos-cache location
Hi Ondrej, thank you for your answer.

On 02.04.24 at 10:47, Ondřej Kuzník wrote:
> I assume libsasl2 is linked to heimdal, which doesn't (yet?) support KCM?
> And on Debian you might have been using heimdal as your libkrb5, so no KCM
> cache used.

Then that's strange, because I only installed Red Hat packages, and I always thought that Red Hat only supports MIT Kerberos. But with FILE: it's working ;-) and that's the main thing.

Stefan
Re: kerberos-cache location
On Mon, Apr 01, 2024 at 03:09:12PM +0200, Stefan Kania wrote:
> I normally use Debian for OpenLDAP and Kerberos, but now I have to use
> AlmaLinux 9. When I create a ticket with kinit I'm getting:
> -
> u1-prod@ldapserver1 ~]$ kinit
> Password for u1-p...@example.net:
> [u1-prod@ldapserver1 ~]$ klist
> Ticket cache: KCM:10001
> Default principal: u1-p...@example.net
> -
>
> So the ticket cache is the KCM daemon and not FILE: like in Debian. When I
> do an ldapsearch or an ldapwhoami I'm getting
> ---
> [u1-prod@ldapserver1 ~]$ ldapwhoami
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (see text) (get-principal lstat(/tmp/krb5cc_10001))
> ---
>
> All the ldap commands are looking for the credential cache in FILE: and not
> in KCM:
>
> I'm using OpenLDAP 2.6 from the repositories.
>
> Is there a way that the ldap commands are using KCM:?

Hi Stefan,

I assume libsasl2 is linked to heimdal, which doesn't (yet?) support KCM? And on Debian you might have been using heimdal as your libkrb5, so no KCM cache used.

I think until then you need to switch to a FILE based credential cache in your config or rebuild libsasl2 against MIT Kerberos to get access to it.

Regards,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
Re: kerberos-cache location
On 01.04.24 at 17:02, Stefan Kania wrote:
> As soon as I change to KCM: it's not working anymore :-. That's why I was
> thinking that there is maybe some settings for the openldap-client commands

I'm not aware of such a configuration setting. Only idea is a wrong setting of $KRB5CCNAME, but I guess you should know if you have set this.

Best regards
Ulf
Re: kerberos-cache location
Hello Ulf, thank you for your fast answer even on Easter Monday :-)

On 01.04.24 at 16:48, Ulf Volmer wrote:
> /etc/krb5.conf.d/kcm_default_ccache is your friend.

That's what I changed to go back to FILE:, but I can't get ldapsearch and ldapwhoami working with KCM:

I did not change anything in krb5.conf
-
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.NET

[realms]
 EXAMPLE.NET = {
  admin_server = kerberos1.example.net
 }

[domain_realm]
 .example.com = EXAMPLE.NET
-

And my /etc/krb5.conf.d/kcm_default_ccache looks like:
-
[libdefaults]
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}
-

So I'm back to FILE:
As soon as I change to KCM: it's not working anymore :-. That's why I was thinking that there is maybe some settings for the openldap-client commands

Stefan
Re: kerberos-cache location
On 01.04.24 at 15:09, Stefan Kania wrote:
> I normally use Debian for OpenLDAP and Kerberos, but now I have to use
> AlmaLinux 9. When I create a ticket with kinit I'm getting:
> -
> u1-prod@ldapserver1 ~]$ kinit
> Password for u1-p...@example.net:
> [u1-prod@ldapserver1 ~]$ klist
> Ticket cache: KCM:10001
> Default principal: u1-p...@example.net
> -
>
> So the ticket cache is the KCM daemon and not FILE: like in Debian. When I
> do an ldapsearch or an ldapwhoami I'm getting
> ---
> [u1-prod@ldapserver1 ~]$ ldapwhoami
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (see text) (get-principal lstat(/tmp/krb5cc_10001))
> ---
>
> All the ldap commands are looking for the credential cache in FILE: and not
> in KCM:
>
> I'm using OpenLDAP 2.6 from the repositories.
>
> Is there a way that the ldap commands are using KCM:?

Weird. For me, the ldap tools work without any issue on Alma 9 with KCM. Per default, without any manual configuration. So I don't know how I can reproduce your issue.

But anyway: if you want the old behavior with a file based ticket cache back, /etc/krb5.conf.d/kcm_default_ccache is your friend.

Best regards
Ulf
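A small diagnostic script, added here and not posted by anyone in the thread, that checks the two things the replies point at: Ondřej's guess that libsasl2's GSSAPI plugin is linked against a different Kerberos library than the kinit/klist tools, and Ulf's pointers to $KRB5CCNAME and the default_ccache_name setting in /etc/krb5.conf.d/kcm_default_ccache. The plugin paths and library sonames are assumptions about typical RHEL and Debian layouts, not values from the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): report the cache type the Kerberos tools use,
# which krb5 flavour the SASL GSSAPI plugin links against, and whether that differs
# from the flavour behind klist. Plugin paths and sonames are assumptions.

# Cache type (KCM, FILE, DIR, ...) from klist output such as "Ticket cache: KCM:10001".
ccache_type() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: *\([A-Za-z]*\):.*/\1/p' | head -n 1
}

# Classify ldd output as "mit", "heimdal" or "none" by the libraries' sonames:
# MIT links libgssapi_krb5.so.2 / libkrb5.so.3, Heimdal libgssapi.so.3 / libkrb5.so.26.
krb5_flavor() {
    if printf '%s\n' "$1" | grep -Eq 'libgssapi_krb5\.so|libkrb5\.so\.3([^0-9]|$)|libk5crypto'; then
        echo mit
    elif printf '%s\n' "$1" | grep -Eq 'libgssapi\.so\.3|libkrb5\.so\.26|libheimbase|libhcrypto'; then
        echo heimdal
    else
        echo none
    fi
}

# default_ccache_name from a krb5.conf fragment, with %{uid} expanded for uid $2.
default_ccache() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | sed "s/%{uid}/$2/g"
}

# Probe the running host; every step degrades quietly where a tool or file is missing.
probe() {
    cache=$(ccache_type "$(klist 2>/dev/null || true)")
    klist_bin=$(command -v klist 2>/dev/null || true)
    tool_flavor=none
    [ -n "$klist_bin" ] && tool_flavor=$(krb5_flavor "$(ldd "$klist_bin" 2>/dev/null || true)")
    plugin=""
    for f in /usr/lib64/sasl2/libgssapiv2.so /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so; do
        [ -r "$f" ] && { plugin="$f"; break; }
    done
    sasl_flavor=none
    [ -n "$plugin" ] && sasl_flavor=$(krb5_flavor "$(ldd "$plugin" 2>/dev/null || true)")
    echo "KRB5CCNAME=${KRB5CCNAME:-<unset>} cache=${cache:-?} klist=$tool_flavor sasl-gssapi=$sasl_flavor"
    if [ "$tool_flavor" != "$sasl_flavor" ]; then
        echo "klist and the SASL GSSAPI plugin use different krb5 libraries, so they may"
        echo "resolve different default caches; pin default_ccache_name in /etc/krb5.conf.d/"
        echo "or rebuild libsasl2 against the same Kerberos as the tools"
    fi
}
probe
```

Run it as the user whose ldapwhoami fails; a "cache=KCM" line next to a SASL plugin classified differently from klist is the situation Ondřej describes.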