As a rookie, I hadn't considered... this is an absolutely excellent
suggestion. See below; it didn't change anything.
I was running as root... Do I need to create a principal for the id 'root',
or can I use the base id [in this case jctobin] as a ticket for root?

tob

kerberos1:/etc/init.d # kadmin.local
Authenticating as principal root/ad...@dark1.net with password.
kadmin.local:  listprincs
K/m...@dark1.net
host/holynight.dark1....@dark1.net
host/kerberos1.dark1....@dark1.net
jcto...@dark1.net
kadmin/ad...@dark1.net
kadmin/chang...@dark1.net
kadmin/localh...@dark1.net
krbtgt/dark1....@dark1.net
ldap/kerberos1.dark1....@dark1.net
nibot/ad...@dark1.net
ni...@dark1.net
kadmin.local:  exit
kerberos1:/etc/init.d # man kinit
kerberos1:/etc/init.d # kinit jcto...@dark1.net
Password for jcto...@dark1.net:
kerberos1:/etc/init.d # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jcto...@dark1.net

Valid starting     Expires            Service principal
01/07/13 09:37:21  01/07/13 19:37:21  krbtgt/dark1....@dark1.net
        renew until 01/07/13 09:37:21
kerberos1:/etc/init.d # ldapsearch -h kerberos1.dark1.net -b
'dc=dark1,dc=net' '(uid=jtobin)'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Clock
skew too great)
kerberos1:/etc/init.d #






On 1/5/13 1:55 AM, "Greg Hudson" <ghud...@mit.edu> wrote:

> On 01/04/2013 04:31 PM, John Tobin wrote:
>> kerberos1:~ # ldapsearch -h kerberos1.dark1.net -b 'dc=dark1,dc=net'
>> '(uid=jtobin)' 
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>>         additional info: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information
>> (Credentials cache file '/tmp/krb5cc_0' not found)
> 
> I feel like I might be missing something, but it looks like you don't
> have Kerberos credentials to authenticate with, in which case you need
> to kinit first.
> 

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
