SASL + Kerberos + OpenLDAP issue
Dan White
dwhite at olp.net
Fri Feb 27 14:39:11 EST 2009
Xavier Ambrosioni wrote:
> Hi,
>
> thank you for your help.
> I solved my problem. The /etc/krb5.keytab file was not readable by
> openLDAP daemon. Now everything is ok in local but when I tried
> ldapsearch command in remote from my client (iMac running leopard
> 10.5.6) I get the following error:
>
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): authentication failure: GSSAPI
> Failure: gss_accept_sec_context
>
> In the openldap log's file I can see:
>
> Feb 27 18:04:20 passrlsrv slapd[9861]: SASL [conn=16] Failure: GSSAPI
> Error: Miscellaneous failure (see text) (Decrypt integrity check
> failedxt))
>
>
> If I run klist command on my client, I can see the following tickets:
>
> Kerberos 5 ticket cache: 'API:Initial default ccache'
> Default principal: xav at PASSRL
>
> Valid Starting Expires Service Principal
> 02/27/09 18:04:17 02/28/09 04:04:17 krbtgt/PASSRL at PASSRL
> renew until 03/06/09 18:04:17
> 02/27/09 18:04:20 02/28/09 04:04:17 ldap/passrlsrv.passrl@
> renew until 03/06/09 18:04:17
>
>
> I suspect that the problem is due to the ldap service ticket principal
> that is "ldap/passrlsrv.passrl@" instead of
> "ldap/passrlsrv.passrl at PASSRL". In my kdc log file I see that the
> service ticket request is for "ldap/passrlsrv.passrl at PASSRL"
>
> Any idea why the principal looks wrong in the client kerberos cache ?
>
I'm not as familiar with this error, but there is one possible
explanation here:
http://www.faqs.org/faqs/kerberos-faq/general/section-73.html
It may be that your /etc/krb5.keytab file contains old information,
where the principal may have been encrypted with an old key. I would
start by recreating both the ldap/passrlsrv.passrl at PASSRL principal, and
the xav at PASSRL principal, and reexporting your /etc/krb5.keytab.
Concerning the absent @PASSRL in your service ticket, I don't know that
that's necessarily an error. I've encountered that myself when talking
to a Windows 2003 AD/LDAP server:
https://lists.andrew.cmu.edu/mailman/private/cyrus-sasl/2008-November/001579.html
- Dan
More information about the Cyrus-sasl
mailing list