SASL + Kerberos + OpenLDAP issue
xavier.ambrosioni at cinema-voiron.fr
Sat Feb 28 09:28:25 EST 2009
Hi,
I tried to delete, recreate and export my service principals but it did not solve my problem. I still have the same error.
More details on my configuration:
- My server is running ubuntu with heimdal kdc.
- My client is a mac running leopard 10.5.6 with mit kerberos (if I'm right)
I created the service principals on my KDC, then exported them to the keytab on my server, then copied the keytab to my client.
Below is the result of the 'ktutil list' command:
on my server:
root@passrlsrv:~# ktutil list
FILE:/etc/krb5.keytab:
Vno Type Principal
1 des-cbc-md5 ldap/passrlsrv.passrl@PASSRL
1 des-cbc-md4 ldap/passrlsrv.passrl@PASSRL
1 des-cbc-crc ldap/passrlsrv.passrl@PASSRL
1 aes256-cts-hmac-sha1-96 ldap/passrlsrv.passrl@PASSRL
1 des3-cbc-sha1 ldap/passrlsrv.passrl@PASSRL
1 arcfour-hmac-md5 ldap/passrlsrv.passrl@PASSRL
1 des-cbc-md5 ldap/passrlsrv@PASSRL
1 des-cbc-md4 ldap/passrlsrv@PASSRL
1 des-cbc-crc ldap/passrlsrv@PASSRL
1 aes256-cts-hmac-sha1-96 ldap/passrlsrv@PASSRL
1 des3-cbc-sha1 ldap/passrlsrv@PASSRL
1 arcfour-hmac-md5 ldap/passrlsrv@PASSRL
on my client:
imac:/etc root# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 ldap/passrlsrv.passrl@PASSRL
2 1 ldap/passrlsrv.passrl@PASSRL
3 1 ldap/passrlsrv.passrl@PASSRL
4 1 ldap/passrlsrv.passrl@PASSRL
5 1 ldap/passrlsrv.passrl@PASSRL
6 1 ldap/passrlsrv.passrl@PASSRL
7 1 ldap/passrlsrv@PASSRL
8 1 ldap/passrlsrv@PASSRL
9 1 ldap/passrlsrv@PASSRL
10 1 ldap/passrlsrv@PASSRL
11 1 ldap/passrlsrv@PASSRL
12 1 ldap/passrlsrv@PASSRL
Do you think that there is an incompatibility between the Heimdal KDC and the MIT client?
Is it possible, for instance, that the server uses the aes256-cts-hmac-sha1-96 key and the client another one?
Thank you
Xavier
On Fri 27/02/09 20:59, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
> > Feb 27 18:04:20 passrlsrv slapd[9861]: SASL [conn=16] Failure: GSSAPI Error: Miscellaneous failure (see text) (Decrypt integrity check failed)
> "Decrypt integrity check failed" means that the service key in your KDC doesn't match the service key stored in the keytab. You should rekey your server (and make sure you re-kinit AFTER you do that so you get a new service ticket that matches your service key).
> --Ken
http://www.celeonet.fr
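The two ktutil listings above are hard to compare because the MIT client listing omits the enctype, and neither listing shows whether the key bytes behind a given kvno are actually the same. The following is an added example, not code from this thread or from MIT/Heimdal: a small parser for the keytab file format version 0x0502 that both implementations write, plus a diff that reports, for each (principal, enctype) pair, whether an entry is missing, has a different kvno, or has the same kvno but different key material. That last case is exactly what produces "Decrypt integrity check failed" while the listings still look identical. The principal names come from the thread; the key bytes are constructed placeholders. Note that a keytab-to-keytab diff can only show whether the client copy matches the server copy; whether either matches the KDC's current key is only proven by a fresh service ticket, which is Ken's point above.

```python
"""Parse MIT/Heimdal keytab files (format 0x0502) and diff two copies.

Added example for the thread above; not code from the thread, MIT or Heimdal.
Sample keys are constructed placeholders, not real service keys.
"""
import struct
from dataclasses import dataclass
from typing import List

# Kerberos enctype numbers (RFC 3961/3962, RFC 4757) behind the names ktutil prints
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5",
}
KRB5_NT_PRINCIPAL = 1


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def write_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in keytab format version 2 (magic 0x0502)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)      # 32-bit kvno extension after the keyblock
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # deleted entry: slot kept, size negated
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        pos += 4                          # name_type, not needed for listing
        ts, vno8, enctype = struct.unpack_from(">IBH", data, pos)
        pos += 7
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno wins when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key, ts))
    return entries


def list_entries(entries: List[KeytabEntry]) -> List[str]:
    """Render like Heimdal 'ktutil list': Vno Type Principal."""
    return [f"{e.kvno} {ENCTYPE_NAMES.get(e.enctype, str(e.enctype))} {e.principal}" for e in entries]


def compare_keytabs(reference: bytes, copy: bytes) -> List[str]:
    """Report each way `copy` differs from `reference`, keyed by (principal, enctype)."""
    ref = {(e.principal, e.enctype): e for e in read_keytab(reference)}
    cp = {(e.principal, e.enctype): e for e in read_keytab(copy)}
    problems = []
    for k, r in sorted(ref.items()):
        c, label = cp.get(k), f"{r.principal} {ENCTYPE_NAMES.get(r.enctype, r.enctype)}"
        if c is None:
            problems.append(f"missing: {label}")
        elif c.kvno != r.kvno:
            problems.append(f"kvno mismatch: {label} (reference {r.kvno}, copy {c.kvno})")
        elif c.key != r.key:              # looks identical in ktutil, cannot decrypt tickets
            problems.append(f"key mismatch at kvno {r.kvno}: {label}")
    for k in sorted(set(cp) - set(ref)):
        problems.append(f"extra: {k[0]} {ENCTYPE_NAMES.get(k[1], k[1])}")
    return problems


# Constructed sample: the thread's two principals at kvno 1 with placeholder keys.
KEY_LEN = {1: 8, 2: 8, 3: 8, 16: 24, 18: 32, 23: 16}


def sample_entries(principal: str, seed: int) -> List[KeytabEntry]:
    return [KeytabEntry(principal, 1, et, bytes((seed + et + i) & 0xFF for i in range(n)))
            for et, n in KEY_LEN.items()]


def stale_copy(entries: List[KeytabEntry]) -> List[KeytabEntry]:
    """Same listing, but the FQDN principal's aes256 key is from an older export."""
    return [KeytabEntry(e.principal, e.kvno, e.enctype, bytes(32), e.timestamp)
            if e.enctype == 18 and e.principal.startswith("ldap/passrlsrv.passrl@") else e
            for e in entries]


SERVER_KEYTAB = write_keytab(sample_entries("ldap/passrlsrv.passrl@PASSRL", 0x10)
                             + sample_entries("ldap/passrlsrv@PASSRL", 0x40))
CLIENT_KEYTAB = write_keytab(stale_copy(read_keytab(SERVER_KEYTAB)))

if __name__ == "__main__":
    for line in list_entries(read_keytab(CLIENT_KEYTAB)):
        print(line)
    for p in compare_keytabs(SERVER_KEYTAB, CLIENT_KEYTAB):
        print("PROBLEM:", p)
```

Run it and the client listing is indistinguishable from the server's, yet the diff flags the aes256 entry for ldap/passrlsrv.passrl@PASSRL as a key mismatch at kvno 1. Pointing `read_keytab` at real /etc/krb5.keytab bytes from both machines answers the question in the mail (whether the client copy carries the same enctypes and keys); Ken's rekey-then-re-kinit step is still the only way to confirm the KDC side.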
More information about the Cyrus-sasl mailing list