On Thu, 14 May 2020 13:22:28 -0400,
Braiam <brai...@gmail.com> wrote:

> Hi,
> 
> I'm trying to get slapd to use heimdal kerberos to provide
> a single authentication backend for my network. I've followed
> the Administrator's Guide on SASL[1] and cyrus faq entry
> about connecting OpenLDAP with GSSAPI[2]. I'm stuck
> at the what I believe is a misunderstanding from my part.
> 
> I believe when I use -Y GSSAPI I should be using my
> braiam/admin credentials, but according to SASL facility
> in slapd I'm not providing any. strace confirms that
> it reads the /tmp/krb5cc_1000 file correctly.
> 
> I'm very confused as to how to proceed since most of
> the relevant results point to having not kinit'd.
> 
> I'm using Debian stable, slapd=2.4.47+dfsg-3+deb10u1,
> libsasl2-modules-gssapi-heimdal=2.1.27+dfsg-1+deb10u1.
> 
> debian@ldap01:~$ sudo ktutil -k /etc/krb5.keytab list
> /etc/krb5.keytab:
> 
> Vno  Type                     Principal                            Aliases
>   4  aes256-cts-hmac-sha1-96  host/ldap01.example....@example.com
>   4  des3-cbc-sha1            host/ldap01.example....@example.com
>   4  arcfour-hmac-md5         host/ldap01.example....@example.com
>   9  aes256-cts-hmac-sha1-96  ldap/ldap01.example....@example.com
>   9  des3-cbc-sha1            ldap/ldap01.example....@example.com
>   9  arcfour-hmac-md5         ldap/ldap01.example....@example.com
> 
> debian@ldap01:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: braiam/ad...@example.com
> 
>   Issued                Expires               Principal
> May 12 20:34:05 2020  May 13 20:34:05 2020  krbtgt/example....@example.com
> May 12 20:34:11 2020  May 13 20:34:05 2020  ldap/ldap01.example....@example.com
> 
> debian@ldap01:~$ ldapsearch -LLL -Y GSSAPI -s "base" -b ""
> supportedSASLMechanisms -H $ldap_host
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> error (80) additional info: SASL(-1): generic failure: GSSAPI Error:
> No credentials were supplied, or the credentials were unavailable or
> inaccessible. (unknown mech-code 0 for mech unknown)

It's a long time ago that I used a Heimdal KDC. AFAIR there are some minor
differences between the sasl libgssapi, the MIT-KRB5 libs and tools, and the
Heimdal GSS-API and Kerberos tools.
Please check the sasl2 configuration path for slapd.conf.
https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
While some distributions change this path to /etc/sasl2/slapd.conf or
/etc/ldap/sasl2/slapd.conf, sasl refers to /usr/lib/sasl2/slapd.conf.
This slapd.conf must be readable by slapd.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
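The following script is an added example, not code from either poster or from the OpenLDAP or Cyrus SASL projects. It automates the check Dieter asks for: find which of the three candidate slapd.conf locations actually exists, and confirm that the user slapd runs as can read it, plus any keytab the file points to. It assumes (none of this is stated in the thread) that slapd runs as the "openldap" user, that the file uses cyrus-sasl "key: value" syntax with a "keytab:" option, and that a plain owner/group/other mode-bit check is an adequate stand-in for the kernel's permission check; ACLs and MAC policies such as AppArmor are not considered. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Finds the slapd.conf that cyrus-sasl
# would use and checks that the slapd service user can read it and the
# keytab it names. Assumptions: slapd runs as "openldap"; "keytab:" is the
# option that points the GSSAPI plugin at a keytab; mode bits approximate
# the kernel's permission check (ACLs and MAC policies are ignored).

# Candidate locations, in the order the reply lists them.
SASL_CONF_CANDIDATES="/usr/lib/sasl2/slapd.conf /etc/sasl2/slapd.conf /etc/ldap/sasl2/slapd.conf"

# first_existing PATH... : print the first PATH that is a regular file.
first_existing() {
    for fe_path in "$@"; do
        if [ -f "$fe_path" ]; then
            printf '%s\n' "$fe_path"
            return 0
        fi
    done
    return 1
}

# readable_by FILE USER [GROUP...] : 0 if USER (a member of GROUPs) may read
# FILE according to its mode bits, 1 if not, 2 if FILE cannot be listed.
# root bypasses mode bits, as the kernel does. Uses only ls/cut, so it runs
# on any POSIX system; fields of "ls -ld" are: mode, links, owner, group, ...
readable_by() {
    rb_file=$1; rb_user=$2; shift 2
    rb_groups=$*
    [ "$rb_user" = root ] && return 0
    rb_ls=$(ls -ld "$rb_file" 2>/dev/null) || return 2
    set -- $rb_ls
    rb_mode=$1; rb_owner=$3; rb_group=$4
    if [ "$rb_owner" = "$rb_user" ]; then
        [ "$(printf '%s' "$rb_mode" | cut -c2)" = r ]   # owner read bit
        return
    fi
    for rb_g in $rb_groups; do
        if [ "$rb_g" = "$rb_group" ]; then
            [ "$(printf '%s' "$rb_mode" | cut -c5)" = r ]   # group read bit
            return
        fi
    done
    [ "$(printf '%s' "$rb_mode" | cut -c8)" = r ]   # other read bit
}

# check_slapd_sasl_conf USER [CANDIDATE...] : report which slapd.conf would be
# used and whether USER can read it and its keytab. Exit status: 0 all
# readable, 1 no config found, 2 config unreadable, 3 keytab unreadable.
check_slapd_sasl_conf() {
    cs_user=$1; shift
    [ $# -gt 0 ] || set -- $SASL_CONF_CANDIDATES
    cs_conf=$(first_existing "$@") || { echo "no slapd.conf found in: $*"; return 1; }
    cs_groups=$(id -Gn "$cs_user" 2>/dev/null) || cs_groups=""
    if ! readable_by "$cs_conf" "$cs_user" $cs_groups; then
        echo "$cs_conf exists but is not readable by $cs_user"
        return 2
    fi
    # cyrus-sasl option files are "key: value" lines; take the first keytab: line.
    cs_keytab=$(sed -n 's/^[[:space:]]*keytab:[[:space:]]*//p' "$cs_conf" | head -n 1)
    if [ -n "$cs_keytab" ]; then
        if ! readable_by "$cs_keytab" "$cs_user" $cs_groups; then
            echo "$cs_conf names keytab $cs_keytab, which $cs_user cannot read"
            return 3
        fi
        echo "$cs_conf and keytab $cs_keytab are readable by $cs_user"
    else
        echo "$cs_conf is readable by $cs_user (no keytab: option, so the default keytab applies)"
    fi
    return 0
}

# Usage on the LDAP host: sh check_sasl_conf.sh openldap
if [ -n "${1:-}" ]; then
    check_slapd_sasl_conf "$@"
fi
```

Run it on the LDAP server as `sh check_sasl_conf.sh openldap` (or whatever user your slapd runs as). Exit status 2 or 3 is the case the reply describes: the file is in a path cyrus-sasl consults, but the service user cannot read it or the keytab it names, which is consistent with the server-side GSSAPI acceptor reporting that no credentials were available.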
