OpenDS and Kerberos are actually running on the same machine; I am assuming that they are both synchronized...
On Tue, Feb 21, 2012 at 1:17 PM, nudge <nudge...@fastmail.fm> wrote:
> Are your clocks in sync? The logs seem about half an hour apart.
> Normally a difference of more than 5 minutes will scupper Kerberos.
>
> On Tue, Feb 21, 2012, at 12:47 PM, Tiago Elvas wrote:
> > I just have OpenDS installed, OpenLDAP is not used here...
> > Any other hint?
> >
> > :)
> > Thanks
> >
> > On Tue, Feb 21, 2012 at 12:33 PM, nudge <nudge...@fastmail.fm> wrote:
> > >
> > > Just a thought, have you tried this command (before and after running
> > > kinit):
> > >
> > > ldapwhoami -v -d 5
> > >
> > > It should provide more info on what's happening.
> > >
> > > On Tue, Feb 21, 2012, at 11:23 AM, Tiago Elvas wrote:
> > > > Thanks for your answer Tom.
> > > >
> > > > I added that principal and changed all principals and entries in the
> > > > keytabs to have the FQDN as in hostname.domain.com.
> > > >
> > > > Authenticating as principal kerberos-test/ad...@mydomain.com with
> > > > password.
> > > > *kadmin.local: getprincs*
> > > > K/m...@mydomain.com
> > > > host/ldapserver.mydomain....@mydomain.com
> > > > kadmin/ad...@mydomain.com
> > > > kadmin/chang...@mydomain.com
> > > > kadmin/ldapserver.mydomain....@mydomain.com
> > > > kerberos-t...@mydomain.com
> > > > krbtgt/mydomain....@mydomain.com
> > > > ldap/ldapserver.mydomain....@mydomain.com
> > > > root/ad...@mydomain.com
> > > >
> > > > I now have this error:
> > > >
> > > > *# ldapsearch -h ldapserver.mydomain.com -p 389 -o mech=GSSAPI -o authid="kerberos-t...@mydomain.com" -b "dc=example,dc=com" -s base "(objectClass=*)"*
> > > > Password for user 'kerberos-t...@mydomain.com':
> > > > An error occurred while attempting to perform GSSAPI authentication to the
> > > > Directory Server: PrivilegedActionException(null:-2)
> > > > Result Code: 82 (Local Error)
> > > >
> > > > *And in /var/log/krb5kdc.log*
> > > > Feb 20 20:01:09 ldapserver krb5kdc[15295](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: ISSUE: authtime 1329764469, etypes {rep=23 tkt=18 ses=23}, kerberos-t...@mydomain.com for krbtgt/mydomain....@mydomain.com
> > > > Feb 20 20:01:10 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: NO PREAUTH: authtime 0, kerberos-t...@mydomain.com for ldap/ldapserver.mydomain....@mydomain.com, Generic error (see e-text)
> > > >
> > > > Still no clue on this..
> > > >
> > > > Thanks again,
> > > > Tiago
> > > >
> > > > On Mon, Feb 20, 2012 at 7:50 PM, Tom Yu <t...@mit.edu> wrote:
> > > > >
> > > > > Tiago Elvas <tiagoel...@gmail.com> writes:
> > > > >
> > > > > > *And this is the log in /var/log/krb5kdc.log*
> > > > > > Feb 20 19:26:13 ldapserver krb5kdc[15295](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: ISSUE: authtime 1329762373, etypes {rep=23 tkt=18 ses=23}, kerberos-t...@mydomain.com for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
> > > > > > Feb 20 19:26:13 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: UNKNOWN_SERVER: authtime 0, kerberos-test@MYDOMAIN.COM for ldap/ldapserver.mydomain....@mydomain.com, Server not found in Kerberos database
> > > > >
> > > > > You do not appear to have created a service principal
> > > > > ldap/ldapserver.mydomain....@mydomain.com
> > > > >
> > > > ________________________________________________
> > > > Kerberos mailing list Kerberos@mit.edu
> > > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > > >
> > >
> >
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
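A small triage parser for the krb5kdc.log AS_REQ/TGS_REQ lines quoted in this thread, added here as an example that is not part of the thread or of MIT krb5; the sample log, principal names and address are constructed placeholders in the same format, and the check next to each failure is a hint, not KDC output.

```python
import re
from collections import defaultdict

# Constructed sample in the MIT krb5 KDC log format quoted in the thread;
# principals and the client address are placeholders, not real identifiers.
SAMPLE_LOG = """\
Feb 20 19:26:13 ldapserver krb5kdc[15295](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: ISSUE: authtime 1329762373, etypes {rep=23 tkt=18 ses=23}, kerberos-test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Feb 20 19:26:13 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: UNKNOWN_SERVER: authtime 0, kerberos-test@MYDOMAIN.COM for ldap/ldapserver.mydomain.com@MYDOMAIN.COM, Server not found in Kerberos database
Feb 20 20:01:10 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: NO PREAUTH: authtime 0, kerberos-test@MYDOMAIN.COM for ldap/ldapserver.mydomain.com@MYDOMAIN.COM, Generic error (see e-text)
"""

# One AS_REQ/TGS_REQ line: timestamp, host, pid, request type, offered etypes,
# client IP, status, authtime, optional reply etypes, client, server, error text.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_ ]+?): authtime (?P<authtime>\d+), "
    r"(?:etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<etext>.*))?$"
)

def parse_kdc_line(line):
    """Fields of one AS_REQ/TGS_REQ line, or None for any other log line."""
    m = KDC_LINE.match(line.strip())
    return m.groupdict() if m else None

def hint(status, etext):
    """Map a non-ISSUE TGS_REQ outcome to the check a defender would make next."""
    if status == "UNKNOWN_SERVER":
        return "service principal is not in the KDC database; create it with kadmin addprinc"
    if "see e-text" in etext:
        return "KDC log carries only the generic code; the detail is in the KRB-ERROR e-text returned to the client"
    return "service-ticket request failed with status " + status

def triage(lines):
    """Per client principal: whether a TGT was issued (AS_REQ ISSUE), and every
    failed service-ticket request as (server, status, hint)."""
    report = defaultdict(lambda: {"tgt_issued": False, "service_failures": []})
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue  # preauth, startup and other lines are not requests
        entry = report[rec["client"]]
        if rec["req"] == "AS_REQ" and rec["status"] == "ISSUE":
            entry["tgt_issued"] = True
        elif rec["req"] == "TGS_REQ" and rec["status"] != "ISSUE":
            entry["service_failures"].append(
                (rec["server"], rec["status"], hint(rec["status"], rec["etext"] or "")))
    return dict(report)
```

The pattern in the thread, a TGT issued followed by every TGS_REQ for the ldap/ service failing, shows up as tgt_issued True with a non-empty service_failures list for that client.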