GSSAPI Error: An invalid name was supplied (Not enough space)

Dan White dwhite at olp.net
Fri Oct 31 09:39:39 EDT 2008


Ben Lentz wrote:
> Greetings list,
> I am using openldap-2.4.12 with cyrus-sasl 2.1.22 with mit krb5-1.6.3
> on an AIX 5.3, TL8, SP2 machine.
>
> Whenever I try to use GSSAPI with ldapsearch against a Microsoft
> Active Directory server, I get the following error:
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>
> When I run the process through truss -rall -wall -f, I see the
> following error near the failure:
> GSSAPI Error: An invalid name was supplied (Not enough space)
>
> I am able to acquire a Kerberos ticket, I can list the GSSAPI plugin
> using pluginviewer, and I can ldapsearch against the MSAD server using
> simple authentication.
>
> I have searched Google and can find no reference to the "Not enough
> space" error. Has anyone else seen this before or can anyone shed any
> light on this?
>
> Thanks in advance.
>   

Are you receiving the service principal ticket for the ldap server (e.g. 
ldap/<hostname>@REALM)?

The error you're receiving is possibly due to the AD/MIT/Kerberos 
interaction rather than cyrus. I had success troubleshooting a 'packet 
too large', or something similar, once with Wireshark. That was with 
Heimdal and AD. I ended up forcing Heimdal to use TCP when talking to 
the AD server. In /etc/krb5.conf:

[realms]
        EXAMPLE.NET = {
                kdc = tcp/ad.example.net
                kdc = ad.example.net
                admin_server = ad.example.net
        }

- Dan

