[solved] Re: SASL [conn=2] Failure: GSSAPI Error: An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)

Christoph Spielmann cspielma at gup.jku.at
Mon Dec 10 03:32:41 EST 2007


Thanks for pointing me in the right direction:

After some more digging I found out that the problem was a mixture of
some missing configuration-files and some file permission problems on
the slave! After having fixed all these things everything works as
expected! :)

Regards,

Christoph Spielmann

Guus Leeuw jr. wrote:
>   
>> -----Original Message-----
>> From: cyrus-sasl-bounces at lists.andrew.cmu.edu [mailto:cyrus-sasl-bounces at lists.andrew.cmu.edu]
>> On Behalf Of Christoph Spielmann
>> Sent: 07 December 2007 10:12
>> To: cyrus-sasl at lists.andrew.cmu.edu
>> Subject: SASL [conn=2] Failure: GSSAPI Error: An unsupported mechanism
>> was requested (unknown mech-code 0 for mech unknown)
>>
>> Hi everybody!
>>     
>
> Hi, Dr. Nick!
>
> [omitted for brevity]
>
>   
>> For your information this is more or less the same configuration as the
>> main slapd with the few changes necessary for the replica-server...
>>
>> testsaslauthd works but when I try to connect to the replica-server
>> with ldapsearch I get the following
>>
>> ldapsearch -H ldap://slave.gup.uni-linz.ac.at cn=erebos
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>         additional info: SASL(-13): authentication failure: GSSAPI
>> Failure: gss_accept_sec_context
>>     
>
> This sounds to me as if the slave cannot check the ticket... Is it listed in
> the KDC?
> Does it know how to SASL by itself? (as in given that the userPassword is
> {SASL}user at GUP.UNI-LINZ.AC.AT, can the slave authenticate the user?)
> Check /usr/lib(64)/sasl2/*.conf files for sasl settings.
>
>   
>> the log on slave looks like this (I just post the interesting part):
>> ...
>> Dec  7 10:55:01 slave slapd[5314]: do_bind
>> Dec  7 10:55:01 slave slapd[5314]: >>> dnPrettyNormal: <>
>> Dec  7 10:55:01 slave slapd[5314]: <<< dnPrettyNormal: <>, <>
>> Dec  7 10:55:01 slave slapd[5314]: do_sasl_bind: dn () mech GSSAPI
>> Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 BIND dn="" method=163
>> Dec  7 10:55:01 slave slapd[5314]: ==> sasl_bind: dn="" mech=GSSAPI
>> datalen=631
>> Dec  7 10:55:01 slave slapd[5314]: SASL [conn=2] Failure: GSSAPI Error:
>> An unsupported mechanism was requested (unknown mech-code 0 for mech
>> unknown)
>> Dec  7 10:55:01 slave slapd[5314]: send_ldap_result: conn=2 op=1 p=3
>> Dec  7 10:55:01 slave slapd[5314]: send_ldap_result: err=49 matched=""
>> text="SASL(-13): authentication failure: GSSAPI Failure:
>> gss_accept_sec_context"
>> Dec  7 10:55:01 slave slapd[5314]: send_ldap_response: msgid=2 tag=97
>> err=49
>> Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 RESULT tag=97 err=49
>> text=SASL(-13): authentication failure: GSSAPI Failure:
>> gss_accept_sec_context
>> Dec  7 10:55:01 slave slapd[5314]: <== slap_sasl_bind: rc=49
>> Dec  7 10:55:01 slave slapd[5314]: daemon: activity on 1 descriptor
>> Dec  7 10:55:01 slave slapd[5314]: daemon: activity on:
>> Dec  7 10:55:01 slave slapd[5314]:  11r
>> ...
>>
>> when I use simple bind (and uncomment the line access to * by * read)
>> everything works as expected too, so something must be wrong with
>> SASL...
>>
>> when I send the same search-query to the master-server (using the same
>> host as before) I get the desired results so on the client side
>> everything seems to be okay.
>>
>>     
>
> [brevity]
>   
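
Added example, not part of the original messages or of the OpenLDAP/Cyrus SASL code: a small Python correlator that ties each failed SASL bind (err=49) in a slapd debug log to the `SASL [conn=N] Failure:` line that explains it, which is the line that pointed at the server-side problem in this thread. The function name and the sample text are assumptions; the sample is constructed from the log lines quoted above with the mail wrapping undone.

```python
import re
from collections import defaultdict

# Constructed sample: slapd lines quoted in the thread, mail line-wrapping undone.
SAMPLE_LOG = """\
Dec  7 10:55:01 slave slapd[5314]: do_sasl_bind: dn () mech GSSAPI
Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 BIND dn="" method=163
Dec  7 10:55:01 slave slapd[5314]: SASL [conn=2] Failure: GSSAPI Error: An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)
Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
Dec  7 10:55:01 slave slapd[5314]: daemon: activity on 1 descriptor
"""

PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) slapd\[\d+\]: (?P<msg>.*)$")
BIND = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
SASL_FAIL = re.compile(r"^SASL \[conn=(\d+)\] Failure: (.*)$")
RESULT = re.compile(r"^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)(?: text=(.*))?$")

SASL_BIND_METHOD = 163   # method value logged for the SASL bind in the thread
INVALID_CREDENTIALS = 49  # LDAP result code shown by ldapsearch and slapd

def failed_sasl_binds(log_text):
    """Return one record per SASL bind that ended in err=49, with its SASL errors."""
    binds, sasl_errors, findings = {}, defaultdict(list), []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # wrapped or non-slapd line: skip rather than guess
        msg = m["msg"]
        if b := BIND.match(msg):
            binds[(b[1], b[2])] = int(b[4])
        elif s := SASL_FAIL.match(msg):
            sasl_errors[s[1]].append(s[2])
        elif r := RESULT.match(msg):
            method = binds.pop((r[1], r[2]), None)
            if method == SASL_BIND_METHOD and int(r[3]) == INVALID_CREDENTIALS:
                findings.append({
                    "host": m["host"], "time": m["ts"],
                    "conn": int(r[1]), "op": int(r[2]),
                    "result_text": r[4] or "",
                    # server-side reason; the client only ever sees result_text
                    "sasl_errors": sasl_errors.pop(r[1], []),
                })
    return findings

if __name__ == "__main__":
    for finding in failed_sasl_binds(SAMPLE_LOG):
        print(finding)
```

A finding whose `sasl_errors` names a mechanism or credential problem while the same client succeeds against the master points at the replica's own setup, as it did here.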
