[jira] [Resolved] (DIRKRB-641) Implement kinit -k -i

2017-08-01 Thread Jiajia Li (JIRA)

 [ 
https://issues.apache.org/jira/browse/DIRKRB-641?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jiajia Li resolved DIRKRB-641.
--
Resolution: Fixed

commit ca49a5615b611cfcde7deb1cfde4af98f5addcd6
Author: plusplusjiajia 
Date:   Wed Aug 2 13:17:22 2017 +0800

DIRKRB-641 Implement kinit -k -i. Contributed by Lin Zeng.

> Implement kinit -k -i
> -
>
> Key: DIRKRB-641
> URL: https://issues.apache.org/jira/browse/DIRKRB-641
> Project: Directory Kerberos
>  Issue Type: Improvement
>Reporter: Lin Zeng
>Assignee: Lin Zeng
> Attachments: DIRKRB-641-01.patch
>
>
> Example:
> Requests a TGT using the default client keytab with the following command:
> sh bin/kinit.sh -conf [client-conf-dir] -k -i [principal-name]
> Like Kerberos, the default client keytab is determined by the following:
> # The KRB5_CLIENT_KTNAME environment variable.
> # The default_client_keytab_name profile variable in [libdefaults] of krb5.conf.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (DIRKRB-641) Implement kinit -k -i

2017-08-01 Thread Jiajia Li (JIRA)

[ 
https://issues.apache.org/jira/browse/DIRKRB-641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110232#comment-16110232
 ] 

Jiajia Li commented on DIRKRB-641:
--

The patch looks good to me. Thanks for your contribution. I will commit it soon.



[jira] [Commented] (DIRSERVER-2205) ldap tools don't work with gssapi sasl

2017-08-01 Thread Emmanuel Lecharny (JIRA)

[ 
https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109107#comment-16109107
 ] 

Emmanuel Lecharny commented on DIRSERVER-2205:
--

In any case, ApacheDS will generate the {{KRB_AP_ERR_MODIFIED}} error in the {{verifyChecksum}} method:

{noformat}
/**
 * Message stream modified.
 */
public static final ErrorType KRB_AP_ERR_MODIFIED = new ErrorType( 41, "Message stream modified" );
{noformat}

and

{noformat}
/**
 * Verify a checksum by providing the raw bytes and an (optional) key for keyed checksums.
 *
 * @param checksum
 * @param bytes
 * @param key
 * @param usage
 * @throws KerberosException
 */
public void verifyChecksum( Checksum checksum, byte[] bytes, byte[] key, KeyUsage usage ) throws KerberosException
{
    if ( checksum == null )
    {
        throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
    }

    if ( !DEFAULT_CHECKSUMS.containsKey( checksum.getChecksumType() ) )
    {
        throw new KerberosException( ErrorType.KDC_ERR_SUMTYPE_NOSUPP );
    }

    ChecksumType checksumType = checksum.getChecksumType();
    ChecksumEngine digester = getEngine( checksumType );
    Checksum newChecksum = new Checksum( checksumType, digester.calculateChecksum( bytes, key, usage ) );

    if ( !newChecksum.equals( checksum ) )
    {
        throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED );
    }
}
{noformat}

which means the checksum is seen as invalid. Now to know why...

> ldap tools don't work with gssapi sasl 
> ---
>
> Key: DIRSERVER-2205
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2205
> Project: Directory ApacheDS
>  Issue Type: Bug
>  Components: core
>Affects Versions: 2.0.0-M24
> Environment: Linux Centos 7 x64
> ApacheDS 2.0.0-M4
> openJDK 
> krb5-workstation
> openldap-clients
>Reporter: Alex Duzsardi
>
> Hi,
> I successfully installed ApacheDS, was able to start, configure the service 
> and set up Kerberos authentication.
> It works without problem from ApacheDS Studio, I can login with GSSAPI, but 
> can't say the same for the local ldap tools (openldap-clients).
> I can't get a tgt from the kerberos with kinit, I've exported the ldap 
> service principal using ktutil and saved it as /etc/krb5.keytab, configured 
> krb5.conf, configured ldap.conf.
> Hostnames are configured statically through /etc/hosts, actually only one 
> host as the server is also the client (LAN_IP example.com, 
> ldap/example@example.com got exported with ktutil).
> [root@example ~]# cat /etc/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.COM
> #rdns = false
> [realms]
> EXAMPLE.COM = {
> kdc = example.com:60088
> default_domain = EXAMPLE.COM
> }
> [domain_realm]
>  example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
> 
> [root@example ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>  
> --
>1 ldap/example@example.com
> [root@example ~]#
> 
> [root@example ~]# kinit hnelson
> Password for hnel...@example.com:
> [root@example ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hnel...@example.com
> Valid starting   Expires  Service principal
> 07/31/2017 20:54:48  08/01/2017 20:54:38  krbtgt/example@example.com
> [root@example ~]#
> {color:red}[root@example ~]# ldapsearch -Y GSSAPI -H ldap://example.com:10389 
> -b "dc=example,dc=com" "(uid=hnelson)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Message stream 
> modified)
> {color}



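To make the decision path of the quoted verifyChecksum() concrete, the following is an added Python re-creation of that logic; it is not ApacheDS code. The checksum registry and its type ids, the service key, the payload and the key-usage number are all constructed for this example, and the three error codes are the RFC 4120 values (41 is the one quoted above). Running demo() shows that an altered payload, a verifier keyed differently from the sender, and a mismatched key usage all end in the same KRB_AP_ERR_MODIFIED, so the error on its own does not say which of the three happened.

```python
"""Keyed-checksum verification mirroring the verifyChecksum() flow quoted above.

Added illustration, not ApacheDS code: registry, key, payload and usage number
are constructed here; error codes are the RFC 4120 section 7.5.9 values.
"""
import hmac
from dataclasses import dataclass

KDC_ERR_SUMTYPE_NOSUPP = 15
KRB_AP_ERR_MODIFIED = 41
KRB_AP_ERR_INAPP_CKSUM = 50


class KerberosException(Exception):
    """Carries the numeric error type the way the Java KerberosException does."""

    def __init__(self, error_type: int, message: str) -> None:
        super().__init__(f"{message} (error {error_type})")
        self.error_type = error_type


@dataclass(frozen=True)
class Checksum:
    checksum_type: int
    value: bytes


def _hmac_engine(hash_name: str):
    """Build a keyed checksum engine (constructed stand-in for ChecksumEngine).

    The key-usage number is folded into the key so a checksum computed for one
    usage does not verify under another; real Kerberos does this through its
    key-derivation function, which is not reproduced here.
    """
    def calculate(data: bytes, key: bytes, usage: int) -> bytes:
        usage_key = hmac.new(key, usage.to_bytes(4, "big"), hash_name).digest()
        return hmac.new(usage_key, data, hash_name).digest()
    return calculate


# Constructed registry standing in for DEFAULT_CHECKSUMS; the type ids are
# placeholders for this example, not the RFC 3961 assignments.
CHECKSUM_ENGINES = {
    12: _hmac_engine("sha1"),
    16: _hmac_engine("sha256"),
}


def make_checksum(checksum_type: int, data: bytes, key: bytes, usage: int) -> Checksum:
    """What the sender computes before putting the checksum on the wire."""
    return Checksum(checksum_type, CHECKSUM_ENGINES[checksum_type](data, key, usage))


def verify_checksum(checksum, data: bytes, key: bytes, usage: int) -> None:
    """Same decision order as verifyChecksum(): presence, type support, match."""
    if checksum is None:
        raise KerberosException(KRB_AP_ERR_INAPP_CKSUM, "Inappropriate type of checksum in message")
    engine = CHECKSUM_ENGINES.get(checksum.checksum_type)
    if engine is None:
        raise KerberosException(KDC_ERR_SUMTYPE_NOSUPP, "KDC has no support for checksum type")
    expected = engine(data, key, usage)
    # Constant-time comparison rather than plain equality, so the time taken
    # does not depend on how many leading bytes of the checksum matched.
    if not hmac.compare_digest(expected, checksum.value):
        raise KerberosException(KRB_AP_ERR_MODIFIED, "Message stream modified")


def classify(checksum, data: bytes, key: bytes, usage: int) -> int:
    """Return the error code verification raises, or 0 when the checksum verifies."""
    try:
        verify_checksum(checksum, data, key, usage)
    except KerberosException as exc:
        return exc.error_type
    return 0


# Constructed sample: a service key and an authenticator-like payload.
SERVICE_KEY = b"constructed-service-key-from-keytab"
MESSAGE = b"constructed AP-REQ authenticator bytes"
USAGE = 11  # illustrative key-usage number


def demo() -> dict:
    """Show which inputs end in 'Message stream modified' (41)."""
    good = make_checksum(12, MESSAGE, SERVICE_KEY, USAGE)
    return {
        "intact": classify(good, MESSAGE, SERVICE_KEY, USAGE),
        "payload tampered": classify(good, MESSAGE + b"!", SERVICE_KEY, USAGE),
        "verifier holds a different key": classify(good, MESSAGE, b"some-other-key", USAGE),
        "wrong key usage": classify(good, MESSAGE, SERVICE_KEY, USAGE + 1),
        "unsupported type": classify(Checksum(99, good.value), MESSAGE, SERVICE_KEY, USAGE),
        "no checksum": classify(None, MESSAGE, SERVICE_KEY, USAGE),
    }


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case:32s} -> {code or 'OK'}")
```

The constant-time comparison is a choice made in this re-creation, not something the quoted Java does; the Java version compares Checksum objects with equals(). Everything else follows the quoted order: a missing checksum, an unknown checksum type and a mismatch each map to a distinct error code, and only the last one produces the "Message stream modified" text seen in the ldapsearch output.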


[jira] [Commented] (DIRSERVER-2205) ldap tools don't work with gssapi sasl

2017-08-01 Thread Emmanuel Lecharny (JIRA)

[ 
https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109084#comment-16109084
 ] 

Emmanuel Lecharny commented on DIRSERVER-2205:
--

Strange...

AFAICT, the 'Message stream modified' means:

"Cause:

There was a mismatch between the computed checksum and the message checksum. 
The message might have been modified while in transit, which can indicate a 
security leak.
Solution:

Make sure that the messages are being sent across the network correctly. 
Because this message can also indicate the possible tampering of messages while 
they are being sent, destroy your tickets using kdestroy and reinitialize the 
Kerberos services that you are using."

But you are running everything locally :/

Can you set the LDAP server logs to DEBUG and attach the logs to the ticket? 
I'd like to see what we get on the server.



[jira] [Updated] (DIRKRB-641) Implement kinit -k -i

2017-08-01 Thread Lin Zeng (JIRA)

 [ 
https://issues.apache.org/jira/browse/DIRKRB-641?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lin Zeng updated DIRKRB-641:

Attachment: DIRKRB-641-01.patch

I attached the first patch.



[jira] [Created] (DIRKRB-641) Implement kinit -k -i

2017-08-01 Thread Lin Zeng (JIRA)
Lin Zeng created DIRKRB-641:
---

 Summary: Implement kinit -k -i
 Key: DIRKRB-641
 URL: https://issues.apache.org/jira/browse/DIRKRB-641
 Project: Directory Kerberos
  Issue Type: Improvement
Reporter: Lin Zeng
Assignee: Lin Zeng


Example:
Requests a TGT using the default client keytab with the following command:
sh bin/kinit.sh -conf [client-conf-dir] -k -i [principal-name]

Like Kerberos, the default client keytab is determined by the following:
# The KRB5_CLIENT_KTNAME environment variable.
# The default_client_keytab_name profile variable in [libdefaults] of krb5.conf.



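The two-step lookup in the description above (environment variable first, then the [libdefaults] profile variable), as an added Python illustration; this is not Apache Kerby's kinit code. The krb5.conf text, the environment mapping and every path are constructed for the example, and the small krb5.conf reader only handles flat key = value lines, which is all a [libdefaults] lookup needs. A permission check on the resolved file is included because a client keytab holds long-term keys.

```python
"""Default client keytab lookup: KRB5_CLIENT_KTNAME first, then
default_client_keytab_name in [libdefaults] of krb5.conf.

Added illustration, not Apache Kerby's kinit; config text, environment and
paths are constructed.
"""
import os
import stat
from typing import Dict, Mapping, Optional, Tuple

# Constructed krb5.conf; the kdc port reuses the value seen elsewhere in this thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_client_keytab_name = FILE:/var/lib/app/client.keytab
[realms]
    EXAMPLE.COM = {
        kdc = example.com:60088
    }
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: flat 'key = value' lines per [section].

    Brace-delimited subsections (realm blocks) are skipped, which is enough for
    a [libdefaults] lookup; a full parser would recurse into them.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_client_keytab(env: Mapping[str, str], krb5_conf_text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (source, keytab name) following the precedence in the description."""
    name = env.get("KRB5_CLIENT_KTNAME")
    if name:
        return "KRB5_CLIENT_KTNAME", name
    libdefaults = parse_krb5_conf(krb5_conf_text).get("libdefaults", {})
    name = libdefaults.get("default_client_keytab_name")
    if name:
        return "default_client_keytab_name", name
    return None, None


def keytab_path(name: str) -> str:
    """Strip the 'FILE:' keytab type prefix; a bare name is already a path."""
    if name.upper().startswith("FILE:"):
        return name[5:]
    return name


def keytab_mode_is_private(mode: int) -> bool:
    """True when only the owner can access the keytab: it holds long-term keys,
    so group or world permission bits let other local accounts take the identity."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_keytab(path: str) -> str:
    """Report usability of a resolved keytab path without reading its contents."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    return "ok" if keytab_mode_is_private(st.st_mode) else "too permissive"


if __name__ == "__main__":
    source, name = resolve_client_keytab(os.environ, SAMPLE_KRB5_CONF)
    print(f"keytab from {source}: {name}")
    if name:
        print(f"{keytab_path(name)}: {check_keytab(keytab_path(name))}")
```

Passing the environment and the config text in explicitly keeps the precedence testable; in a real client the environment comes from os.environ and the text from the -conf directory given on the kinit.sh command line.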


[jira] [Commented] (DIRSERVER-2205) ldap tools don't work with gssapi sasl

2017-08-01 Thread Alex Duzsardi (JIRA)

[ 
https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16108551#comment-16108551
 ] 

Alex Duzsardi commented on DIRSERVER-2205:
--

Sure , here it is

{{[root@router log]# ldapsearch -d -1 -Y GSSAPI -H ldap://example.com:10389 -b 
"dc=security,dc=example,dc=com" "(uid=hnelson)"
ldap_url_parse_ext(ldap://example.com:10389)
ldap_create
ldap_url_parse_ext(ldap://example.com:10389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP example.com:10389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.2.15:10389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=example.com
SASL/GSSAPI authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Message stream modified)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
  :  30 05 02 01 01 42 00   0B.
ldap_write: want=7, written=7
  :  30 05 02 01 01 42 00   0B.
ldap_free_connection: actually freed
}}



[jira] [Comment Edited] (DIRSERVER-2205) ldap tools don't work with gssapi sasl

2017-08-01 Thread Alex Duzsardi (JIRA)

[ 
https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16108551#comment-16108551
 ] 

Alex Duzsardi edited comment on DIRSERVER-2205 at 8/1/17 8:09 AM:
--

Sure , here it is

{quote}[root@router log]# ldapsearch -d -1 -Y GSSAPI -H 
ldap://example.com:10389 -b "dc=security,dc=example,dc=com" "(uid=hnelson)"
ldap_url_parse_ext(ldap://example.com:10389)
ldap_create
ldap_url_parse_ext(ldap://example.com:10389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP example.com:10389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.2.15:10389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=example.com
SASL/GSSAPI authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Message stream modified)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
  :  30 05 02 01 01 42 00   0B.
ldap_write: want=7, written=7
  :  30 05 02 01 01 42 00   0B.
ldap_free_connection: actually freed{quote}



was (Author: aduzsardi):
Sure , here it is

{{[root@router log]# ldapsearch -d -1 -Y GSSAPI -H ldap://example.com:10389 -b 
"dc=security,dc=example,dc=com" "(uid=hnelson)"
ldap_url_parse_ext(ldap://example.com:10389)
ldap_create
ldap_url_parse_ext(ldap://example.com:10389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP example.com:10389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.2.15:10389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=example.com
SASL/GSSAPI authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Message stream modified)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
  :  30 05 02 01 01 42 00   0B.
ldap_write: want=7, written=7
  :  30 05 02 01 01 42 00   0B.
ldap_free_connection: actually freed
}}


[jira] [Comment Edited] (DIRSERVER-2205) ldap tools don't work with gssapi sasl

2017-08-01 Thread Alex Duzsardi (JIRA)

[ 
https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16107736#comment-16107736
 ] 

Alex Duzsardi edited comment on DIRSERVER-2205 at 8/1/17 6:54 AM:
--

i meant to say that i *can* get a tgt from the kerberos with kinit

[root@example ~]# kinit -k ldap/example@example.com
[root@example ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/example@example.com

Valid starting   Expires  Service principal
07/31/2017 21:29:07  08/01/2017 21:29:06  krbtgt/example@example.com
[root@example ~]#



was (Author: aduzsardi):
i meant to say that i *can * get a tgt from the kerberos with kinit

[root@example ~]# kinit -k ldap/example@example.com
[root@example ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/example@example.com

Valid starting   Expires  Service principal
07/31/2017 21:29:07  08/01/2017 21:29:06  krbtgt/example@example.com
[root@example ~]#

