Hi list,

I have two servers: one hosting a Kerberos master and an LDAP master (server.lan), the other hosting a Kerberos slave and an LDAP replica (replica.lan). Kerberos is used by LDAP for authentication (SASL/GSSAPI).
The Kerberos realm is SERVER.LAN. Everything was running, but for some time now I have been getting error messages from the ldapsearch command. With debugging enabled, I get the following message from ldapsearch:

server:~ admin$ ldapsearch -d 1 -b cn=mounts,dc=server,dc=lan
...
res_errno: 80, res_error: <SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)>, res_matched: <>
...

(Remark: for information, I provide the entire debug output at the end of this message.)

Because of the message "key table entry not found", I tried to use kadmin to check whether the root principal exists. But when using kadmin I now get this message:

server:~ admin$ kadmin -p r...@server.lan
Couldn't open log file /var/log/krb5kdc/kadmin.log: Permission denied
Authenticating as principal r...@server.lan with password.
Password for r...@server.lan:
kadmin: Communication failure with server while initializing kadmin interface
server:~ admin$

I checked the log file's owner, group owner and permissions. Then I compared them with another Kerberos server. The permissions and owner were different. I set the permissions identically, but nothing changed. With kadmin.local I checked that r...@server.lan exists in the list. Logged on to the replica server, I can use ldapsearch normally.

How can I debug Kerberos?
Regards,

PS:

server:~ admin$ kinit root
Please enter the password for r...@server.lan:
server:~ admin$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: r...@server.lan

Valid Starting     Expires            Service Principal
07/07/11 17:50:19  07/08/11 03:50:09  krbtgt/server....@server.lan
        renew until 07/14/11 17:50:19
server:~ admin$ ldapsearch -d 1 -b cn=mounts,dc=server,dc=lan
ldap_create
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 3
ldap_result ld 0x100117f70 msgid 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
wait4msg ld 0x100117f70 msgid 1 (infinite timeout)
wait4msg continue ld 0x100117f70 msgid 1 all 1
** ld 0x100117f70 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul  7 17:51:40 2011

** ld 0x100117f70 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
   Empty
  ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 56 contents:
read1msg: ld 0x100117f70 msgid 1 message type search-entry
wait4msg continue ld 0x100117f70 msgid 1 all 1
** ld 0x100117f70 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul  7 17:51:40 2011

** ld 0x100117f70 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
 * msgid 1,  type 100
  ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x100117f70 msgid 1 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x100117f70 0 new referrals
read1msg:  mark request completed, ld 0x100117f70 msgid 1
request done: ld 0x100117f70 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
adding response ld 0x100117f70 msgid 1 type 101:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind_s: server supports: CRAM-MD5 GSSAPI
ldap_int_sasl_bind: CRAM-MD5 GSSAPI
ldap_int_sasl_open: host=server.lan
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 703 bytes to sd 3
ldap_result ld 0x100117f70 msgid 2
ldap_chkResponseList ld 0x100117f70 msgid 2 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
wait4msg ld 0x100117f70 msgid 2 (infinite timeout)
wait4msg continue ld 0x100117f70 msgid 2 all 1
** ld 0x100117f70 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul  7 17:51:40 2011

** ld 0x100117f70 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
   Empty
  ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 2 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
read1msg: ld 0x100117f70 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x100117f70 0 new referrals
read1msg:  mark request completed, ld 0x100117f70 msgid 2
request done: ld 0x100117f70 msgid 2
res_errno: 80, res_error: <SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
server:~ admin$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: r...@server.lan

Valid Starting     Expires            Service Principal
07/07/11 17:50:19  07/08/11 03:50:09  krbtgt/server....@server.lan
        renew until 07/14/11 17:50:19
07/07/11 17:51:40  07/08/11 03:50:09  ldap/server....@server.lan
        renew until 07/14/11 17:50:19

--
Fabien COMBERNOUS
unix system engineer
www.kezia.com <http://www.kezia.com/>
Tel: +33 (0) 467 992 986
Kezia Group
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
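Added example, not code from Fabien's post or from OpenLDAP/MIT Kerberos. The second klist above shows the KDC happily issued a ticket for ldap/server.lan, so the failure is on the acceptor side: "Key table entry not found" is what GSSAPI reports when slapd's keytab has no entry matching the principal, kvno and enctype of the ticket it was handed. The script below compares the kvnos stored in a keytab listing (as printed by `klist -k -e`) with the kvno the KDC currently issues for the service (as printed by `kvno`), and reports a missing principal or a stale key. The keytab path, the principal names and both listings are constructed samples, not data taken from the post.

```sh
#!/bin/sh
# Added example: detect a missing or stale ldap/ service key in a keytab.
# All sample listings below are constructed for illustration.

# Constructed output of `klist -k -e /etc/krb5.keytab` on server.lan:
# the ldap/ key in the keytab is kvno 2.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.lan@SERVER.LAN (aes256-cts-hmac-sha1-96)
   3 host/server.lan@SERVER.LAN (aes128-cts-hmac-sha1-96)
   2 ldap/server.lan@SERVER.LAN (aes256-cts-hmac-sha1-96)
   2 ldap/server.lan@SERVER.LAN (aes128-cts-hmac-sha1-96)'

# Constructed output of `kvno ldap/server.lan` after a kinit: the KDC now
# issues tickets under kvno 3, i.e. the key was re-randomised (for example by
# a `ktadd` without -norandkey) after this keytab was written.
SAMPLE_KVNO='ldap/server.lan@SERVER.LAN: kvno = 3'

# keytab_kvnos PRINCIPAL KEYTAB_LISTING
# Print the distinct kvnos the keytab listing holds for PRINCIPAL.
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { print $1 }' | sort -u
}

# kdc_kvno PRINCIPAL KVNO_LISTING
# Print the kvno the KDC used for PRINCIPAL in a `kvno` listing.
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == (p ":") { print $NF }'
}

# check_service_key PRINCIPAL KEYTAB_LISTING KVNO_LISTING
# Exit status: 0 keytab holds the kvno the KDC issues
#              1 principal absent from the keytab
#              2 kvno mismatch (stale keytab or key changed on the KDC)
#              3 no kvno line for the principal (service ticket not obtained)
check_service_key() {
    princ=$1
    have=$(keytab_kvnos "$princ" "$2")
    if [ -z "$have" ]; then
        echo "MISSING: $princ has no entry in the keytab"
        return 1
    fi
    want=$(kdc_kvno "$princ" "$3")
    if [ -z "$want" ]; then
        echo "UNKNOWN: no kvno line for $princ (could the KDC issue a ticket?)"
        return 3
    fi
    for v in $have; do
        if [ "$v" = "$want" ]; then
            echo "OK: $princ kvno $v is present in the keytab"
            return 0
        fi
    done
    printf 'MISMATCH: keytab has %s kvno(s) %s but the KDC issues kvno %s\n' \
        "$princ" "$(echo $have)" "$want"
    return 2
}

# On the real host, as root (the keytab is normally mode 0600, owner root):
#   klist -k -e /etc/krb5.keytab > /tmp/keytab.txt
#   kinit root && kvno ldap/server.lan > /tmp/kvno.txt
#   check_service_key ldap/server.lan@SERVER.LAN "$(cat /tmp/keytab.txt)" "$(cat /tmp/kvno.txt)"
# Here the constructed samples are used instead; the first call reports a
# mismatch, the second an OK.
check_service_key ldap/server.lan@SERVER.LAN "$SAMPLE_KEYTAB" "$SAMPLE_KVNO"
check_service_key host/server.lan@SERVER.LAN "$SAMPLE_KEYTAB" \
    "host/server.lan@SERVER.LAN: kvno = 3"
```

Run it as root on the LDAP master, since slapd's keytab is normally readable only by root; if the principal is missing or the kvno is stale, re-exporting the key with `kadmin.local` (`ktadd -k /etc/krb5.keytab ldap/server.lan` on MIT) and restarting slapd brings the keytab back in step with the KDC. Also make sure the keytab you inspect is the one slapd actually opens (KRB5_KTNAME in slapd's environment, if set), since a fresh key written to a different file changes nothing.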