Re: kerberos-cache location

2024-04-02 Thread Stefan Kania

Hi Ondrej,

thank you for your answer.
On 02.04.24 at 10:47, Ondřej Kuzník wrote:

> I assume libsasl2 is linked to heimdal, which doesn't (yet?) support
> KCM? And on Debian you might have been using heimdal as your libkrb5, so
> no KCM cache used.

Then that's strange, because I only installed Red Hat packages, and I
always thought that Red Hat only supports MIT Kerberos. But with FILE:
it's working ;-) and that's the main thing.


Stefan






Re: kerberos-cache location

2024-04-02 Thread Ondřej Kuzník
On Mon, Apr 01, 2024 at 03:09:12PM +0200, Stefan Kania wrote:
> I normally use Debian for OpenLDAP and Kerberos, but now I have to use
> AlmaLinux 9. When I create a Ticket with kinit I'm getting:
> -
> u1-prod@ldapserver1 ~]$ kinit
> Password for u1-p...@example.net:
> [u1-prod@ldapserver1 ~]$ klist
> Ticket cache: KCM:10001
> Default principal: u1-p...@example.net
> -
> 
> So the ticket cache is the KCM-daemon and not FILE: like in Debian. When I
> do an ldapsearch or an ldapwhoami I'm getting
> ---
> [u1-prod@ldapserver1 ~]$ ldapwhoami
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (see text) (get-principal lstat(/tmp/krb5cc_10001))
> ---
> 
> All the ldap-commands are looking for the credential cache in FILE: and not
> in KCM:
> 
> I'm using OpenLDAP 2.6 from the repositories.
> 
> Is there a way that the ldap-commands are using KCM:?

Hi Stefan,
I assume libsasl2 is linked to heimdal, which doesn't (yet?) support
KCM? And on Debian you might have been using heimdal as your libkrb5, so
no KCM cache used.

I think until then you need to switch to FILE based credential cache in
your config or rebuild libsasl2 against MIT Kerberos to get access to
it.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation   http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP


Re: kerberos-cache location

2024-04-01 Thread Ulf Volmer

On 01.04.24 at 17:02, Stefan Kania wrote:

> As soon as I change to KCM: it's not working anymore :-. That's why I
> was thinking that there is maybe some settings for the openldap-client
> commands


I'm not aware of such a configuration setting.

Only idea is a wrong setting of $KRB5CCNAME, but I guess you should know 
if you have set this.


Best regards
Ulf




Re: kerberos-cache location

2024-04-01 Thread Stefan Kania

Hello Ulf,

thank you for your fast answer even on Easter Monday :-)

On 01.04.24 at 16:48, Ulf Volmer wrote:

> /etc/krb5.conf.d/kcm_default_ccache is your friend.


That's what I changed to go back to FILE: but I can't get ldapsearch and 
ldapwhoami working with KCM:

I did not change anything in krb5.conf
-
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.NET

[realms]
 EXAMPLE.NET = {
 admin_server = kerberos1.example.net
}

[domain_realm]
 .example.com = EXAMPLE.NET
-

And my /etc/krb5.conf.d/kcm_default_ccache looks like:
-
[libdefaults]
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
-

So I'm back to FILE:

As soon as I change to KCM: it's not working anymore :-. That's why I 
was thinking that there is maybe some settings for the openldap-client 
commands


Stefan



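As an added example (not code from the thread), a small Python model of how libkrb5 picks the credential cache the thread is about: $KRB5CCNAME first, otherwise default_ccache_name from krb5.conf and its includedir snippets such as /etc/krb5.conf.d/kcm_default_ccache, with %{uid} expanded. The config contents are constructed in memory; the built-in FILE:/tmp/krb5cc_%{uid} fallback and the first-definition-wins handling of repeated keys are assumptions of this simplified parser.

```python
# Constructed stand-in for the files on disk (path -> contents), mirroring the
# thread: main krb5.conf with an includedir plus the kcm_default_ccache snippet.
FILES = {
    "/etc/krb5.conf": (
        "includedir /etc/krb5.conf.d/\n[libdefaults]\ndefault_realm = EXAMPLE.NET\n"
        "[realms]\n EXAMPLE.NET = {\n  admin_server = kerberos1.example.net\n }\n"),
    "/etc/krb5.conf.d/kcm_default_ccache": "[libdefaults]\ndefault_ccache_name = KCM:\n",
}

def parse_krb5_conf(path, files, sections=None):
    """Collect top-level key = value pairs per section into {section: {key: value}}.
    Nested '{ }' groups (realm definitions) are skipped; includedir snippets are
    merged; a repeated key keeps its first value (assumed, simplified lookup)."""
    sections = {} if sections is None else sections
    section, depth = None, 0
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("includedir "):
            prefix = line.split(None, 1)[1]
            for inc in sorted(p for p in files if p.startswith(prefix)):
                parse_krb5_conf(inc, files, sections)
        elif line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1], 0
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections.setdefault(section, {}).setdefault(key, value)
    return sections

def resolve_ccache(files, uid, env):
    """Return (type, name) of the cache libkrb5 will open: $KRB5CCNAME wins,
    then default_ccache_name with %{uid} expanded; an unqualified name is FILE."""
    name = env.get("KRB5CCNAME")
    if name is None:
        libdefaults = parse_krb5_conf("/etc/krb5.conf", files).get("libdefaults", {})
        # Assumed built-in default when nothing is configured.
        name = libdefaults.get("default_ccache_name", "FILE:/tmp/krb5cc_%{uid}")
    name = name.replace("%{uid}", str(uid))
    ctype = name.split(":", 1)[0] if ":" in name else "FILE"
    return ctype, name
```

Comparing what this resolves to with the path a tool actually tries to open (in the thread, lstat(/tmp/krb5cc_10001)) shows whether that tool's Kerberos library consulted the KCM setting at all.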


Re: kerberos-cache location

2024-04-01 Thread Ulf Volmer



On 01.04.24 at 15:09, Stefan Kania wrote:
> I normally use Debian for OpenLDAP and Kerberos, but now I have to
> use AlmaLinux 9. When I create a Ticket with kinit I'm getting:
>
> -
> u1-prod@ldapserver1 ~]$ kinit
> Password for u1-p...@example.net:
> [u1-prod@ldapserver1 ~]$ klist
> Ticket cache: KCM:10001
> Default principal: u1-p...@example.net
> -
>
> So the ticket cache is the KCM-daemon and not FILE: like in Debian.
> When I do an ldapsearch or an ldapwhoami I'm getting
>
> ---
> [u1-prod@ldapserver1 ~]$ ldapwhoami
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind: Local error (-2)
>     additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (see text) (get-principal lstat(/tmp/krb5cc_10001))
>
> ---
>
> All the ldap-commands are looking for the credential cache in FILE:
> and not in KCM:
>
>
> I'm using OpenLDAP 2.6 from the repositories.
>
> Is there a way that the ldap-commands are using KCM:?



Weird. For me, the ldap tools work without any issue on alma 9 with KCM.

By default, without any manual configuration. So I don't know how I can
reproduce your issue.



But anyway: if you want the old behavior with a file based ticket
cache back:



/etc/krb5.conf.d/kcm_default_ccache is your friend.


Best regards

Ulf