GSSAPI Error: An invalid name was supplied (Not enough space)

Dan White dwhite at olp.net
Wed Nov 12 11:47:56 EST 2008


Ben Lentz wrote:
>> Ben Lentz wrote:
>>> Greetings list,
>>> I am using openldap-2.4.12 with cyrus-sasl 2.1.22 with mit krb5-1.6.3
>>> on an AIX 5.3, TL8, SP2 machine.
>>>
>>> Whenever I try to use GSSAPI with ldapsearch against a Microsoft
>>> Active Directory server, I get the following error:
>>>
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>>
>> I am yet to be able to get sasl run with gssapi against AD. If you do 
>> make any progress, or if anybody's managed to get it working, please 
>> let us know.
>
> I recompiled against OpenLDAP 2.3.27, cyrus-sasl 2.1.22, and mit 
> krb5-1.6.1, and am still getting the GSSAPI Error: An invalid name was 
> supplied (Not enough space) error.
>
> Next, I recompiled the whole shebang against the krb5 from Heimdal and 
> got the same error.


I just successfully tested against our internal Active Directory Server.

On our Server, we have Windows Server 2003 Standard Edition.

On my client, I'm running Debian Unstable, with:

cyrus sasl version 2.1.22.dfsg1-23
heimdal version 1.2.dfsg.1-2
krb5-user version 1.6.dfsg.4~beta1-4
ldap-utils version 2.4.10-3

Here's my output. The domain names have been changed:

dwhite@zek:~$ kdestroy
dwhite@zek:~$ kinit dan@EXAMPLE.ORG
Password for dan@EXAMPLE.ORG:
dwhite@zek:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan@EXAMPLE.ORG

Valid starting     Expires            Service principal
11/12/08 10:33:45  11/12/08 20:32:34  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 11/13/08 10:33:45


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
dwhite@zek:~$ ldapsearch -x -LLL -s "base" -b "" supportedSASLMechanisms -h ad_server.example.org
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

dwhite@zek:~$ ldapsearch -Y GSSAPI -LLL -s "base" -b "" supportedSASLMechanisms -h ad_server.example.org
SASL/GSSAPI authentication started
SASL username: dan@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

dwhite@zek:~$ ldapsearch -Y GSSAPI -h ad_server.example.org -b cn=Users,dc=example,dc=org -s base -LLL
SASL/GSSAPI authentication started
SASL username: dan@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn: cn=Users,dc=example,dc=org
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=example,DC=org
<cut>

dwhite@zek:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan@EXAMPLE.ORG

Valid starting     Expires            Service principal
11/12/08 10:33:45  11/12/08 20:32:34  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 11/13/08 10:33:45
11/12/08 10:32:40  11/12/08 20:32:34  ldap/ad_server.example.org@
        renew until 11/13/08 10:33:45
11/12/08 10:32:40  11/12/08 20:32:34  ldap/ad_server.example.org@EXAMPLE.ORG
        renew until 11/13/08 10:33:45


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
dwhite@zek:~$


You can enter the host/IP into /etc/hosts, or if your dns resolves 
ad_server.example.org correctly, then you shouldn't need to. I was 
getting a Local Error as well due to a bad entry in my /etc/hosts.

- Dan
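As an added example, not part of Dan's post and not code from OpenLDAP, Cyrus SASL or the Kerberos tools: a small POSIX shell check that works out which ldap/ service principal a GSSAPI client will request for the name given to -h, using a hosts-file style table in place of /etc/hosts and DNS so it runs offline, and compares it with what klist shows. The host entries, addresses and klist text are constructed sample data; a real check would feed it the output of getent hosts and klist.

```shell
# Added example, not from the thread: work out which LDAP service principal a
# GSSAPI client will ask the KDC for, given the server name passed to -h and a
# hosts-file style table, and check whether klist already shows that ticket.
# The client canonicalises the name it was given, so a bad hosts entry yields
# an SPN that Active Directory has never heard of, and the bind fails locally.
# Both tables and the klist text below are constructed sample data.

GOOD_TABLE='10.0.0.5   ad_server.example.org   ad_server'
# Bad entry: the AD name is only an alias of some other canonical host name.
BAD_TABLE='10.0.0.5   ad-bad.example.org   ad_server.example.org'

KLIST_SAMPLE='Default principal: dan@EXAMPLE.ORG
11/12/08 10:33:45  11/12/08 20:32:34  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
11/12/08 10:32:40  11/12/08 20:32:34  ldap/ad_server.example.org@EXAMPLE.ORG'

# canonical_name TABLE NAME: first hostname on the first line listing NAME,
# which is what a hosts-file lookup returns as the canonical name.
canonical_name() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 !~ /^#/ {
            for (i = 2; i <= NF; i++)
                if ($i == name) { print $2; exit }
        }'
}

# expected_spn TABLE NAME REALM: print ldap/<canonical name>@REALM, or fail
# when NAME does not resolve at all.
expected_spn() {
    canon=$(canonical_name "$1" "$2")
    [ -n "$canon" ] || return 1
    printf 'ldap/%s@%s\n' "$canon" "$3"
}

# has_ticket KLIST_TEXT SPN: succeed if a ticket for SPN is already cached.
has_ticket() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# Demo: the good table yields the SPN the KDC issued a ticket for; the bad one
# yields an SPN that no cached ticket (and no AD computer account) matches.
for table in "$GOOD_TABLE" "$BAD_TABLE"; do
    spn=$(expected_spn "$table" ad_server.example.org EXAMPLE.ORG) || spn='(unresolvable)'
    if has_ticket "$KLIST_SAMPLE" "$spn"; then
        echo "ok: ticket cached for $spn"
    else
        echo "check hosts/DNS: client would request $spn"
    fi
done
```

If the printed SPN differs from the ldap/ entry klist shows after a successful bind, the name the client resolves is the thing to fix, not the SASL or Kerberos build.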

