[ 
https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109084#comment-16109084
 ] 

Emmanuel Lecharny commented on DIRSERVER-2205:
----------------------------------------------

Strange...

AFAICT, 'Message stream modified' means:

"Cause:

There was a mismatch between the computed checksum and the message checksum. 
The message might have been modified while in transit, which can indicate a 
security leak.
Solution:

Make sure that the messages are being sent across the network correctly. 
Because this message can also indicate the possible tampering of messages while 
they are being sent, destroy your tickets using kdestroy and reinitialize the 
Kerberos services that you are using."

But you are running everything locally :/

Can you set the LDAP server logs to DEBUG and attach the logs to the ticket? 
I'd like to see what we get on the server.

> ldap tools don't work with gssapi sasl 
> ---------------------------------------
>
>                 Key: DIRSERVER-2205
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2205
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.0-M24
>         Environment: Linux Centos 7 x64
> ApacheDS 2.0.0-M4
> openJDK 
> krb5-workstation
> openldap-clients
>            Reporter: Alex Duzsardi
>
> Hi,
> I successfully installed ApacheDS, was able to start, configure the service 
> and set up Kerberos authentication.
> It works without problem from ApacheDS Studio, I can log in with GSSAPI, but 
> can't say the same from local ldap tools (openldap-clients).
> I can't get a TGT from Kerberos with kinit, I've exported the ldap 
> service principal using ktutil and saved it as /etc/krb5.keytab, configured 
> krb5.conf, configured ldap.conf.
> Hostnames are configured statically through /etc/hosts, actually only one 
> host as the server is also the client (LAN_IP example.com, 
> ldap/example....@example.com got exported with ktutil).
> [root@example ~]# cat /etc/krb5.conf
> [libdefaults]
>     default_realm = EXAMPLE.COM
> #    rdns = false
> [realms]
>     EXAMPLE.COM = {
>         kdc = example.com:60088
>         default_domain = EXAMPLE.COM
>     }
> [domain_realm]
>          example.com = EXAMPLE.COM
>         .example.com = EXAMPLE.COM
> ------------------------------------------------------------------------
> [root@example ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 ldap/example....@example.com
> [root@example ~]#
> --------------------------------------------------------------------------------
> [root@example ~]# kinit hnelson
> Password for hnel...@example.com:
> [root@example ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hnel...@example.com
> Valid starting       Expires              Service principal
> 07/31/2017 20:54:48  08/01/2017 20:54:38  krbtgt/example....@example.com
> [root@example ~]#
> [root@example ~]# ldapsearch -Y GSSAPI -H ldap://example.com:10389 -b "dc=example,dc=com" "(uid=hnelson)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Message stream 
> modified)



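Before chasing the checksum failure itself, the first thing to verify in a setup like the one quoted above is that the service principal the client will ask the KDC for (ldap/<canonical host>@<REALM>, derived from the -H URL, /etc/hosts and [domain_realm]) is the one that was actually exported into /etc/krb5.keytab. The script below is an added example written by the editor; it is not code from the ticket, the reporter, or ApacheDS. It works purely on captured text (krb5.conf, `klist -k` output, /etc/hosts, the ldapsearch URL), so it runs offline; the SAMPLE_* inputs are constructed to follow the shapes shown in the ticket and are not the reporter's real files. The /etc/hosts canonicalization model is an approximation of glibc plus MIT krb5 behaviour, and the check does not diagnose the 'Message stream modified' checksum error; it rules out the principal and realm mismatches that a practitioner would want excluded first.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs shaped like the ticket's krb5.conf, `klist -k`, /etc/hosts and -H URL.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
#    rdns = false
[realms]
    EXAMPLE.COM = {
        kdc = example.com:60088
    }
[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------
   1 ldap/example.com@EXAMPLE.COM
"""
SAMPLE_HOSTS = "192.0.2.10 example.com\n"   # LAN_IP -> name, as in the ticket (IP is constructed)
SAMPLE_LDAP_URL = "ldap://example.com:10389"

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value | {subkey: value}}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)  # sub-block, e.g. "EXAMPLE.COM = {"
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if m:
            (block if block is not None else section)[m.group(1)] = m.group(2).strip()
    return conf

def parse_keytab_listing(text):
    """Parse `klist -k` output into [(kvno, principal), ...]."""
    rows = (re.match(r"^\s*(\d+)\s+(\S+@\S+)\s*$", line) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in rows if m]

def canonical_hostname(host, hosts_text):
    """Approximate MIT krb5 canonicalization against a static /etc/hosts: the first name on
    the line listing `host` (glibc's canonical name; also the reverse-lookup name when rdns = true)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and host.lower() in (f.lower() for f in fields[1:]):
            return fields[1].lower()
    return host.lower()                      # unlisted hosts pass through unchanged

def realm_for_host(host, conf):
    """[domain_realm] lookup: exact host, then longest domain suffix, else default_realm."""
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")

def expected_service_principal(ldap_url, conf, hosts_text):
    """The ldap/<host>@<REALM> principal a SASL/GSSAPI bind to ldap_url asks the KDC for."""
    host = canonical_hostname(urlsplit(ldap_url).hostname, hosts_text)
    return f"ldap/{host}@{realm_for_host(host, conf)}"

def check_setup(conf_text, klist_text, hosts_text, ldap_url):
    """Return a list of findings; empty means the keytab holds what the client will request."""
    conf = parse_krb5_conf(conf_text)
    findings = []
    url_host = urlsplit(ldap_url).hostname.lower()
    canon = canonical_hostname(url_host, hosts_text)
    if canon != url_host:
        findings.append(f"{url_host} canonicalizes to {canon} via /etc/hosts; the client will request "
                        f"ldap/{canon} (dns_canonicalize_hostname = false and rdns = false keep the name as typed)")
    wanted = expected_service_principal(ldap_url, conf, hosts_text)
    principals = [p for _, p in parse_keytab_listing(klist_text)]
    by_lower = {p.lower(): p for p in principals}
    if wanted not in principals:
        if wanted.lower() in by_lower:       # Kerberos principal and realm names are case-sensitive
            findings.append(f"keytab has {by_lower[wanted.lower()]} but the client will "
                            f"request {wanted}: names differ only in case")
        else:
            findings.append(f"keytab lacks {wanted}; it has {principals or 'no entries'}")
    return findings
```

Run `check_setup(...)` with your own captured texts; an empty list means the keytab carries the exact principal the client will request. The two findings it can raise, a host renamed by /etc/hosts canonicalization and a principal that differs only in letter case, are the mismatches that survive a successful `kinit` (which only proves the user principal and the KDC) and only surface at the service-ticket step of the bind.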
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)