Hi folks, I'm having a real hard time debugging this, and at the moment I think it's a Kerberos config problem, and not really LDAP. I'm trying to do a new ldap+MIT kerberos install, on a new Fedora 7 box. I can kinit, but I can't get ldapsearch or ldapwhoami to work locally. I thought it was a read problem with the keytab files, but I tried setting KRB5_KTNAME to a keytab file I knew was readable by slapd, and that did not help. I also checked permissions on my certificates, and that seems OK too. ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.

I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not show which resource is not accessible, or even any attempts to open the keytabs or anything in /etc/openldap/cacerts. I'm surprised that the strace on krb5kdc never shows any response to my ldap queries. I tried briefly making /etc/krb5.keytab world readable; it did not change the "No such file" error. The logs I check are /var/log/messages, slapd and krb5kdc.log. The logs do not show the ldap client error. I DID see some SELinux errors for krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This did not stop the error. I guess I'll try turning SELinux off, and see if that makes any difference.

Any help would be greatly appreciated :)

*******************************************
*******************************************
[EMAIL PROTECTED] ~]$ ldapwhoami -V -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
        [EMAIL PROTECTED]:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
        (LDAP library: OpenLDAP 20333)
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No such file or directory)

*******************************************
*******************************************
[EMAIL PROTECTED] ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
01/15/08 13:11:43  01/16/08 13:11:43  krbtgt/[EMAIL PROTECTED]
01/15/08 13:12:35  01/16/08 13:11:43  ldap/[EMAIL PROTECTED]


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

*******************************************
*******************************************
[EMAIL PROTECTED] ~]# find / -iname "*keytab*" -ls
49547109    8 -rw-r--r--   1 root     root          712 Jan 15 13:00 /etc/krb5.keytab
49610949    8 -rw-r--r--   1 fdirsvr  fdirsvr       712 Jan 15 13:00 /etc/dirsrv/slapd-trixter/dirsrv.keytab
22746332    8 -rw-------   1 root     root          454 Jan 13 10:26 /var/kerberos/krb5kdc/kadm5.keytab

*******************************************
*******************************************
[EMAIL PROTECTED] ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HYMESRUZICKA.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 HYMESRUZICKA.ORG = {
  kdc = kerberos.hymesruzicka.org:88
  admin_server = trixter.hymesruzicka.org:749
  default_domain = hymesruzicka.org
  dict_file = /usr/share/dict/words
 }

[domain_realm]
 .hymesruzicka.org = HYMESRUZICKA.ORG
 hymesruzicka.org = HYMESRUZICKA.ORG

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

*******************************************
*******************************************
[EMAIL PROTECTED] ~]$ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# This file should be world readable but not world writable.

BASE    dc=hymesruzicka,dc=org
URI     ldap://trixter.hymesruzicka.org:11562 ldaps://trixter.hymesruzicka.org:636
TLS_CACERTDIR   /etc/openldap/cacerts/
TLS_REQCERT     allow

#SIZELIMIT      12
TIMELIMIT       5
#DEREF          never

*******************************************
*******************************************
BTW: Here's the command with debug on:

[EMAIL PROTECTED] ~]$ ldapwhoami -V -d 1 -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
        [EMAIL PROTECTED]:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
        (LDAP library: OpenLDAP 20333)
ldap_create
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP trixter.hymesruzicka.org:11562
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.3:11562
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=trixter.hymesruzicka.org
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 589 bytes to sd 3
ldap_result ld 0x8d82038 msgid 1
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
wait4msg ld 0x8d82038 msgid 1 (infinite timeout)
wait4msg continue ld 0x8d82038 msgid 1 all 1
** ld 0x8d82038 Connections:
* host: trixter.hymesruzicka.org  port: 11562  (default)
  refcnt: 2  status: Connected
  last used: Wed Jan 16 10:11:11 2008

** ld 0x8d82038 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x8d82038 Response Queue:
   Empty
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
ldap_int_select
read1msg: ld 0x8d82038 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
read1msg: ld 0x8d82038 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8d82038 0 new referrals
read1msg:  mark request completed, ld 0x8d82038 msgid 1
request done: ld 0x8d82038 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No such file or directory)

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
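The server-side half of a GSSAPI bind failure like the one above is whether the keytab the LDAP server reads actually contains a key for the ldap/<fqdn>@REALM principal the client obtained a ticket for, and whether the server's account can open that file at all. This is an added example, not code from the post, OpenLDAP or MIT Kerberos: a reader for the MIT keytab file format (version 0x0502, as documented by MIT) plus a plain-permission check of the kind the poster did by hand with ls. The sample keytab, its key bytes and kvno values are constructed; the principal names reuse the host and realm from the post, and enctypes 17/18 are aes128/aes256-cts.

```python
import stat
import struct

def _counted(data, pos):
    """Read a 16-bit big-endian length-prefixed string starting at pos."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """List (principal, kvno, enctype) for every live entry in MIT keytab bytes (format 0x0502)."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        pos += 8                          # name_type (v2 only) + timestamp, not needed here
        vno8, enctype, keylen = struct.unpack(">BHH", data[pos:pos + 5])
        pos += 5 + keylen                 # step over the key material itself
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm, vno32 or vno8, enctype))
        pos = end
    return entries

def readable_by(st, uid, gid):
    """DAC-only read check on an os.stat() result; SELinux can still deny after this passes."""
    bit = stat.S_IRUSR if st.st_uid == uid else stat.S_IRGRP if st.st_gid == gid else stat.S_IROTH
    return uid == 0 or bool(st.st_mode & bit)

def make_entry(realm, comps, kvno, enctype, key):
    # Encoder used only to build the constructed sample below (name_type=1, timestamp=0).
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = (b"\x05\x02"  # constructed sample for the host in the post; dummy key bytes
                 + make_entry("HYMESRUZICKA.ORG", ["ldap", "trixter.hymesruzicka.org"], 3, 18, b"\x00" * 32)
                 + make_entry("HYMESRUZICKA.ORG", ["host", "trixter.hymesruzicka.org"], 2, 17, b"\x11" * 16))
```

On a real system, pass the bytes of the keytab named by KRB5_KTNAME (or the server's own keytab setting) to parse_keytab and os.stat() of that file to readable_by with the service account's uid/gid; a missing ldap/ entry or a failing read check each explain a GSSAPI "No such file or directory" minor status, while a pass still leaves SELinux to rule out.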