GSSAPI Error: An invalid name was supplied (Not enough space)
Dan White
dwhite at olp.net
Wed Nov 12 11:47:56 EST 2008
Ben Lentz wrote:
>> Ben Lentz wrote:
>>> Greetings list,
>>> I am using openldap-2.4.12 with cyrus-sasl 2.1.22 with mit krb5-1.6.3
>>> on an AIX 5.3, TL8, SP2 machine.
>>>
>>> Whenever I try to use GSSAPI with ldapsearch against a Microsoft
>>> Active Directory server, I get the following error:
>>>
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>>
>> I have yet to be able to get SASL to run with GSSAPI against AD. If you do
>> make any progress, or if anybody's managed to get it working, please
>> let us know.
>
> I recompiled against OpenLDAP 2.3.27, cyrus-sasl 2.1.22, and mit
> krb5-1.6.1, and am still getting the GSSAPI Error: An invalid name was
> supplied (Not enough space) error.
>
> Next, I recompiled the whole shebang against the krb5 from Heimdal and
> got the same error.
I just successfully tested against our internal Active Directory Server.
On our Server, we have Windows Server 2003 Standard Edition.
On my client, I'm running Debian Unstable, with:
cyrus sasl version 2.1.22.dfsg1-23
heimdal version 1.2.dfsg.1-2
krb5-user version 1.6.dfsg.4~beta1-4
ldap-utils version 2.4.10-3
Here's my output. The domain names have been changed:
dwhite@zek:~$ kdestroy
dwhite@zek:~$ kinit dan@EXAMPLE.ORG
Password for dan@EXAMPLE.ORG:
dwhite@zek:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan@EXAMPLE.ORG

Valid starting     Expires            Service principal
11/12/08 10:33:45  11/12/08 20:32:34  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 11/13/08 10:33:45

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
dwhite@zek:~$ ldapsearch -x -LLL -s "base" -b "" supportedSASLMechanisms -h ad_server.example.org
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dwhite@zek:~$ ldapsearch -Y GSSAPI -LLL -s "base" -b "" supportedSASLMechanisms -h ad_server.example.org
SASL/GSSAPI authentication started
SASL username: dan@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dwhite@zek:~$ ldapsearch -Y GSSAPI -h ad_server.example.org -b cn=Users,dc=example,dc=org -s base -LLL
SASL/GSSAPI authentication started
SASL username: dan@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn: cn=Users,dc=example,dc=org
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=example,DC=org
<cut>
dwhite@zek:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan@EXAMPLE.ORG

Valid starting     Expires            Service principal
11/12/08 10:33:45  11/12/08 20:32:34  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 11/13/08 10:33:45
11/12/08 10:32:40  11/12/08 20:32:34  ldap/ad_server.example.org@
        renew until 11/13/08 10:33:45
11/12/08 10:32:40  11/12/08 20:32:34  ldap/ad_server.example.org@EXAMPLE.ORG
        renew until 11/13/08 10:33:45

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
dwhite@zek:~$
You can enter the host/IP into /etc/hosts, or if your dns resolves
ad_server.example.org correctly, then you shouldn't need to. I was
getting a Local Error as well due to a bad entry in my /etc/hosts.
- Dan
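The "bad entry in /etc/hosts" Dan mentions is worth making concrete, because it is the usual cause of a GSSAPI "Local error" against AD: the client takes the host name given to ldapsearch, resolves it, and (with MIT krb5's rdns option on, which is its default) reverse-resolves the address to a canonical name before asking the KDC for ldap/<canonical>@REALM. If the canonical name differs from the name AD registered on its computer account, no usable ticket is obtained. The following Python script is an added example, not code from the original thread or from Cyrus SASL or OpenLDAP; it models those resolver steps offline against a constructed /etc/hosts sample and a constructed realm, and reports the SPN the client would end up requesting and whether it matches the name that was typed.

```python
"""Offline model of the host-name canonicalisation a GSSAPI LDAP client performs
before requesting a service ticket.  Added example; not code from the original
thread.  The /etc/hosts content and the realm below are constructed samples."""
import ipaddress
from typing import Dict, List, Optional, Tuple

HostEntry = Tuple[str, str, List[str]]  # (ip, canonical name, aliases)

# Constructed /etc/hosts sample (an assumption, not the poster's real file).
# Line 2 is a correct entry for the AD host.  Line 3 is the kind of bad entry
# the post refers to: the AD name is only an alias, so a reverse lookup of the
# address yields a different canonical name.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.0.0.5    ad_server.example.org   ad_server
10.0.0.9    fileserver.example.org  ad2.example.org   # misconfigured alias
"""
REALM = "EXAMPLE.ORG"  # constructed realm, matching the changed names in the post


def parse_hosts(text: str) -> List[HostEntry]:
    """Parse /etc/hosts-style text into (ip, canonical, aliases) tuples.
    Comments and malformed lines are skipped, as the resolver skips them."""
    entries: List[HostEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def forward_lookup(entries: List[HostEntry], name: str) -> Optional[str]:
    """Name -> IP, matching canonical names and aliases case-insensitively."""
    wanted = name.lower()
    for ip, canon, aliases in entries:
        if wanted == canon.lower() or wanted in (a.lower() for a in aliases):
            return ip
    return None


def reverse_lookup(entries: List[HostEntry], ip: str) -> Optional[str]:
    """IP -> canonical name (first name on the line), like a PTR lookup."""
    for entry_ip, canon, _aliases in entries:
        if entry_ip == ip:
            return canon
    return None


def expected_ldap_spn(entries: List[HostEntry], host: str, realm: str) -> Dict[str, object]:
    """Follow the client's steps: forward-resolve the host named on the command
    line, reverse-resolve that address, and build ldap/<canonical>@<realm>.
    'ok' is True only when the canonical name equals the name that was typed,
    i.e. the ticket requested is for the SPN the AD computer account holds."""
    ip = forward_lookup(entries, host)
    if ip is None:
        return {"host": host, "ip": None, "canonical": None, "spn": None,
                "ok": False, "problem": "no forward mapping for host"}
    canonical = reverse_lookup(entries, ip) or host
    spn = f"ldap/{canonical}@{realm}"
    if canonical.lower() == host.lower():
        return {"host": host, "ip": ip, "canonical": canonical, "spn": spn,
                "ok": True, "problem": None}
    return {"host": host, "ip": ip, "canonical": canonical, "spn": spn,
            "ok": False,
            "problem": f"reverse lookup canonicalises {host} to {canonical}; "
                       f"the KDC will be asked for {spn}, which AD may not hold"}


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for candidate in ("ad_server.example.org", "ad2.example.org", "nosuch.example.org"):
        result = expected_ldap_spn(table, candidate, REALM)
        status = "OK " if result["ok"] else "BAD"
        print(f"{status} {candidate:24s} -> {result['spn']}  {result['problem'] or ''}")
```

To run the same check against a live resolver instead of a hosts file, replace forward_lookup and reverse_lookup with socket.gethostbyname and socket.gethostbyaddr; the rest of the logic is unchanged. The useful defensive habit is to compare the SPN this yields with the servicePrincipalName values on the AD computer object before touching Kerberos or SASL settings.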