On Fri, Jun 25, 2010 at 03:20:24PM +0400, Alexander Gordeev wrote:
> On Fri, 25 Jun 2010 13:10:52 +0200
> Sumit Bose <sb...@redhat.com> wrote:
>
> > On Fri, Jun 25, 2010 at 02:35:19PM +0400, Alexander Gordeev wrote:
> > > On Fri, 25 Jun 2010 11:25:22 +0200
> > > Sumit Bose <sb...@redhat.com> wrote:
> > >
> > > > On Fri, Jun 25, 2010 at 12:55:02PM +0400, Alexander Gordeev wrote:
> > > > >
> > > > > Sorry, I didn't tell you that this log was from another machine, with
> > > > > its own key, and therefore I changed ldap_sasl_authid appropriately.
> > > > > On desktopvm everything is the same i.e. auth fails in the same way.
> > > > >
> > > > > Seems I'll have to dive into debugging SASL... But maybe you have some
> > > > > hints for me? :)
> > > > >
> > > > >
> > > > > --
> > > > > Alexander
> > > >
> > > > If
> > > >
> > > > kinit -k -t /etc/krb5.keytab && ldapsearch
> > > >
> > > > works on desktopvm you can try with the credential cache of sssd
> > > > /var/lib/sss/db/ccache_GNET (please check if the TGT is still valid
> > > > before you use it):
> > > >
> > > > KRB5CCNAME=/var/lib/sss/db/ccache_GNET ldapsearch
> > > >
> > > > should work
> > >
> > > Thanks!
> > > It works.
> >
> > ok, you mean
> >
> > KRB5CCNAME=/var/lib/sss/db/ccache_GNET ldapsearch
> >
> > works, but sssd doesn't, right?
>
> Yes, exactly. :)
> Sorry for ambiguous statements.
>
> > Please make sure to remove any other ccache file before calling
> > ldapsearch with sssd's ccache file. I'm not sure how clever the
> > underlying libraries try to be to find a valid TGT. Calling kdestroy
> > before the ldapsearch should be sufficient.
>
> All the caches were cleaned before the test. But from my experience the
> underlying libraries don't try to fall back to other caches.
>
> > > > If this works, then I think sssd does something wrong. If it does not
> > > > work, please compare the content of the ccache you get with 'kinit -k -t
> > > > /etc/krb5.keytab' with /var/lib/sss/db/ccache_GNET.

Can you check if the attached patch will fix your problem?

bye,
Sumit

>
>
> --
> Alexander

From 9de4f6fddc0d1484ca554b3a3f9dab831106ff4e Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Fri, 25 Jun 2010 17:50:56 +0200 Subject: [PATCH] Fix SASL authentication --- src/providers/ldap/sdap_async_connection.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index 14a1a4b..a0224a1 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -571,7 +571,7 @@ static int sdap_sasl_interact(LDAP *ld, unsigned flags, switch (in->id) { case SASL_CB_GETREALM: - case SASL_CB_AUTHNAME: + case SASL_CB_USER: case SASL_CB_PASS: if (in->defresult) { in->result = in->defresult; @@ -580,7 +580,7 @@ static int sdap_sasl_interact(LDAP *ld, unsigned flags, } in->len = strlen(in->result); break; - case SASL_CB_USER: + case SASL_CB_AUTHNAME: if (state->sasl_user) { in->result = state->sasl_user; } else if (in->defresult) { -- 1.7.0.1
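Review bot: In the first hunk of sdap_sasl_interact() (@@ -571,7), `case SASL_CB_USER:` now shares the default-only branch with `SASL_CB_GETREALM` and `SASL_CB_PASS`, and nothing in the code says this is intentional. Please add a one-line comment above the case group stating that the SASL_CB_USER prompt is deliberately answered from `in->defresult` only, so a later cleanup does not swap the two labels back.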
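Review bot: In the second hunk (@@ -580,7), `state->sasl_user` is now the value returned for `SASL_CB_AUTHNAME`, so the field name points at the callback it no longer serves. Either rename the field or add a comment at `if (state->sasl_user) {` saying it holds the configured authentication id. The commit message should also say more than "Fix SASL authentication": state that the configured id was being returned for SASL_CB_USER instead of SASL_CB_AUTHNAME, since the diff alone shows only two swapped case labels.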
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel