On Dec 15, 2008 3:49pm, Dan White <[email protected]> wrote:
Cameron Harris wrote:

On Sun, Dec 14, 2008 at 3:34 PM, Michael Ströder <[email protected]> wrote:

Cameron Harris wrote:
> On Sun, Dec 14, 2008 at 11:31 AM, Michael Ströder <[email protected]> wrote:
>
> > Did you obtain a TGT before? What's the output of command klist?
>
> I did obtain a TGT with kinit:

Hmm, I vaguely remember having to use "kinit -A" to avoid the local error.

Ciao, Michael.

Didn't work, unfortunately.
Same error. :(

Cameron Harris

Cameron,

Here are some sanity checks to try:

Query your LDAP server to make sure that it is offering GSSAPI:

ldapsearch -H ldap://ldap.example.net -x -b "" -s base -LLL supportedSASLMechanisms

dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5

If GSSAPI is not listed, verify configuration on the server. Check that the GSSAPI SASL mechanism is installed:

~# pluginviewer | grep -i gssapi
pluginviewer: SASL Other: OTP: auxprop backend can't store properties
LOGIN DIGEST-MD5 NTLM GSSAPI OTP PLAIN ANONYMOUS CRAM-MD5 EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
LOGIN DIGEST-MD5 NTLM GSSAPI OTP PLAIN ANONYMOUS CRAM-MD5 EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56

Verify configuration of your slapd.conf SASL config:

~# cat /usr/lib/sasl2/slapd.conf
keytab: /etc/krb5.keytab-ldap
pwcheck_method: auxprop saslauthd
auxprop_plugin: slapd

(The location of your SASL slapd.conf config is dependent on how your SASL libraries are compiled.) Your config doesn't have to match mine. You might want to explicitly set the location of your keytab, and verify that you do not have a restrictive 'mech_list'. *If* you have a mech_list defined, make sure it includes GSSAPI.

If your server config looks OK, verify that you have the GSSAPI mechanism installed correctly on your client system with the (Cyrus SASL) pluginviewer command.

Verify that you are retrieving the ldap/ldap.lo...@local service ticket from the KDC on your client (with klist). If not, you may not be specifying a fully qualified domain name in your URI statement within your ldap.conf config. Make sure your URI statement is a FQDN (and not an IP address or ldapi:///) or that you're specifying one within the ldapsearch statement.

Most likely the error you're receiving can be traced down to a Cyrus SASL or Kerberos misconfiguration. Check your syslog and auth.log on the server and client for possible additional errors.

- Dan


This is the output from my system:

came...@gimli:~$ ldapsearch -H ldaps://ldap.local/ -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

came...@gimli:~$ saslpluginviewer | grep -i gssapi
GSSAPI PLAIN NTLM LOGIN DIGEST-MD5 CRAM-MD5 ANONYMOUS EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
GSSAPI PLAIN NTLM LOGIN DIGEST-MD5 CRAM-MD5 ANONYMOUS EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56

I didn't have a sasl2/slapd.conf (strace showed that it was looking for one, but getting -1 ENOENT because obviously it didn't exist). I created one defining the keytab location explicitly, but I get the same error.

FYI:

came...@gimli:~$ cat /etc/ldap/ldap.conf | grep -Ev "^(#|$)"
BASE dc=local
URI ldaps://ldap.local
TLS_REQCERT allow
came...@gimli:~$ dig +short ldap.local
gimli.local.
192.168.0.11
The slapd server and krb5-kdc are on the same system.

After running ldap commands, still the only thing that remains in my klist is my TGT -- no tickets from LDAP. The /var/log files contain nothing useful about SASL. Perhaps I should build it myself at some point, and eliminate the ubuntu-server build as a possible problem (and then I might also be able to do some gdbugging :)).

Thanks,
Cameron Harris
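The sanity checks Dan lists above (server advertises GSSAPI, the ldap.conf URI names the server by FQDN, klist shows the ldap/ service ticket next to the TGT), written up as an added example that is not part of this thread. The functions take captured command output as arguments, and the sample ldapsearch and klist outputs are constructed stand-ins, not Cameron's or Dan's actual output.

```shell
#!/bin/sh
# Added example, not from the thread: Dan's three sanity checks as shell
# functions that take captured output, so they can be exercised offline.
# Live use: server_offers_gssapi "$(ldapsearch -H ldap://HOST -x -b '' -s base -LLL supportedSASLMechanisms)"

# Constructed stand-in for ldapsearch output where GSSAPI is advertised.
SAMPLE_MECHS='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI'

# Constructed stand-in for klist output: only the TGT, no ldap/ service
# ticket, which is the situation Cameron reports.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: cameron@LOCAL

Valid starting     Expires            Service principal
12/15/08 15:00:00  12/16/08 01:00:00  krbtgt/LOCAL@LOCAL'

# Check 1: does the server advertise GSSAPI in supportedSASLMechanisms?
server_offers_gssapi() {
    printf '%s\n' "$1" | grep -qx 'supportedSASLMechanisms: GSSAPI'
}

# Check 2: does the ldap.conf URI name the server by FQDN? The client
# builds the ldap/<host>@REALM service principal from this host part,
# so a bare IP address or ldapi:/// cannot produce a usable ticket.
uri_uses_fqdn() {
    host=$(printf '%s\n' "$1" | sed -n 's#^ldaps\{0,1\}://\([^/:]*\).*#\1#p')
    [ -n "$host" ] || return 1
    # Reject dotted-quad IP addresses, then require at least one dot.
    printf '%s\n' "$host" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' && return 1
    printf '%s\n' "$host" | grep -q '\.'
}

# Check 3: does klist show the ldap/<host> service ticket next to the TGT?
# If not, the GSSAPI bind never got as far as asking the KDC for it.
klist_has_ldap_ticket() {
    printf '%s\n' "$2" | grep -qF "ldap/$1@"
}

# Report all three checks against the constructed samples.
report() {
    server_offers_gssapi "$SAMPLE_MECHS" && echo "server offers GSSAPI: yes" || echo "server offers GSSAPI: no"
    uri_uses_fqdn 'ldaps://ldap.local' && echo "URI uses FQDN: yes" || echo "URI uses FQDN: no"
    klist_has_ldap_ticket ldap.local "$SAMPLE_KLIST" && echo "ldap/ ticket present: yes" || echo "ldap/ ticket present: no"
}
report
```

With Cameron's real klist output the third check is the one that fails, which is consistent with his note that only the TGT is present after running ldapsearch.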
