Here are the messages we get using ldapsearch on one of the consumers:
---------------
ldapsearch -H ldaps://ldap.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Invalid credentials (49)
	additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: search-repl@

Valid starting       Expires              Service principal
05/20/2022 09:46:35  05/20/2022 19:46:35  krbtgt/DE@DE
	renew until 05/21/2022 09:46:35
05/20/2022 09:46:50  05/20/2022 19:46:35  ldap/consumer01@DE
	renew until 05/21/2022 09:46:35
05/20/2022 09:47:07  05/20/2022 19:46:35  ldap/ldap1@DE
	renew until 05/21/2022 09:46:35
05/20/2022 09:47:24  05/20/2022 19:46:35  ldap/ldap@DE
	renew until 05/21/2022 09:46:35
---------------
As you can see, we get the ticket for ldap.

Stefan

On 20.05.22 at 09:41, Stefan Kania wrote:
> Hi to all,
>
> we have 4 ldap-providers, ldap1.example.net to ldap4.example.net. We are
> securing the replication via kerberos, everything works fine between the
> providers. But now we want to set up some consumers. Between the
> providers and the consumers a loadbalancer is located, so the consumers
> only connect to the loadbalancer and the loadbalancer chooses one of the
> providers. For the replication we put the fqdn from the loadbalancer
> into the configuration. The fqdn is ldap.example.net. We then created a
> host-principal and a service-principal for ldap.example.net and we put
> the host-key into /etc/krb5.keytab of all ldap-providers, the same with
> the service-key. So now all providers can use both their own keys and the
> keys from the loadbalancer. But it's not working :-(. In the log of the
> provider we see that the consumer connects. ldaps is working. But
> kerberos failed with the following messages:
> --------------------
> SASL [conn=5032] Failure: GSSAPI Error: Miscellaneous failure (see
> text) (Decrypt integrity check failed for checksum type
> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96)
>
> slapd[59382]: conn=5032 op=0 RESULT tag=97 err=49 qtime=0.000028
> etime=0.017274 text=SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context
>
> --------------------
> The same user we are using works without using the loadbalancer. If our
> solution is wrong, what would be the right way to use a loadbalancer
> together with kerberos?
>
> Stefan
>
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
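A "Decrypt integrity check failed" from gss_accept_sec_context on whichever provider the load balancer picked usually means that provider's copy of the ldap/ldap.example.net key does not match the key the KDC used to encrypt the service ticket (each separate `kadmin ktadd` run generates a fresh key and kvno, so keytabs exported host by host drift apart). The following Python check is an added example, not code from this thread: it parses `klist -kte` output collected from each provider and reports keytabs that disagree with each other or with the kvno the KDC currently issues. The realm EXAMPLE.NET, the hostnames and all kvno values are constructed.

```python
import re
from collections import defaultdict

# Constructed `klist -kte` output from two providers; realm, hosts and kvnos are made up.
KEYTABS = {
    "ldap1": """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/20/2022 09:10:11 ldap/ldap1.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   3 05/20/2022 09:12:40 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
""",
    "ldap2": """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/20/2022 09:11:02 ldap/ldap2.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   4 05/20/2022 09:15:58 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
""",
}
SHARED = "ldap/ldap.example.net@EXAMPLE.NET"
KDC_KVNO = 4  # constructed: what `kvno ldap/ldap.example.net` reports on a client
# One keytab entry line: kvno, date, time, principal, (enctype)
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Map principal -> set of (kvno, enctype) found in `klist -kte` output."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            keys[m.group(2)].add((int(m.group(1)), m.group(3)))
    return dict(keys)


def check_shared_principal(principal, keytabs, kdc_kvno=None):
    """Findings for a principal whose key must be identical on every host behind the balancer."""
    findings = []
    per_host = {h: parse_keytab_listing(t).get(principal, set()) for h, t in keytabs.items()}
    for host, keys in per_host.items():
        if not keys:
            findings.append(f"{host}: keytab has no key for {principal}")
    present = {h: k for h, k in per_host.items() if k}
    if len({frozenset(k) for k in present.values()}) > 1:  # hosts hold different key versions
        detail = ", ".join(f"{h}: kvno {sorted(v for v, _ in k)}" for h, k in sorted(present.items()))
        findings.append(f"providers disagree on {principal} ({detail}); a service ticket encrypted under one host's key cannot be decrypted by the others")
    if kdc_kvno is not None:  # a host whose keytab lacks the KDC's current kvno will fail GSSAPI accept
        for host, keys in sorted(present.items()):
            if kdc_kvno not in {v for v, _ in keys}:
                findings.append(f"{host}: KDC issues kvno {kdc_kvno} but keytab only has {sorted(v for v, _ in keys)}")
    return findings
```

Run `check_shared_principal(SHARED, KEYTABS, KDC_KVNO)` after pasting in real `klist -kte` output from each provider; an empty list means every provider holds the same key version the KDC is issuing tickets for.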