SASL + Kerberos + OpenLDAP issue

Henry B. Hotz hotz at jpl.nasa.gov
Mon Mar 2 16:52:12 EST 2009


OK, so you know what's on the server.

On your client (after a failure) do a "klist -e".  If there is a  
matching enctype with a server's keytab entry, then do a "kvno  
<service principal>" and see if that entry's kvno also matches.

Some procedures for extracting keytab files will increment the kvno  
(and generate new keys) behind your back.

On Feb 28, 2009, at 6:28 AM, xavier.ambrosioni at cinema-voiron.fr wrote:

> Hi,
>
> I tried to delete, recreate and export my service principals but it  
> did not solve my problem. I still have the same error.
>
> More details on my configuration:
> - My server is running Ubuntu with a Heimdal KDC.
> - My client is a Mac running Leopard 10.5.6 with MIT Kerberos (if  
> I'm right)
>
> I created the service principals on my KDC, then exported them to the keytab  
> on my server, then copied the keytab to my client.
> Below is the result of the 'ktutil list' command:
>
> on my server:
>  root at passrlsrv:~# ktutil list
> FILE:/etc/krb5.keytab:
>
> Vno  Type                     Principal
>  1  des-cbc-md5              ldap/passrlsrv.passrl at PASSRL
>  1  des-cbc-md4              ldap/passrlsrv.passrl at PASSRL
>  1  des-cbc-crc              ldap/passrlsrv.passrl at PASSRL
>  1  aes256-cts-hmac-sha1-96  ldap/passrlsrv.passrl at PASSRL
>  1  des3-cbc-sha1            ldap/passrlsrv.passrl at PASSRL
>  1  arcfour-hmac-md5         ldap/passrlsrv.passrl at PASSRL
>  1  des-cbc-md5              ldap/passrlsrv at PASSRL
>  1  des-cbc-md4              ldap/passrlsrv at PASSRL
>  1  des-cbc-crc              ldap/passrlsrv at PASSRL
>  1  aes256-cts-hmac-sha1-96  ldap/passrlsrv at PASSRL
>  1  des3-cbc-sha1            ldap/passrlsrv at PASSRL
>  1  arcfour-hmac-md5         ldap/passrlsrv at PASSRL
>
>
> on my client:
> imac:/etc root# ktutil
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>   1    1             ldap/passrlsrv.passrl at PASSRL
>   2    1             ldap/passrlsrv.passrl at PASSRL
>   3    1             ldap/passrlsrv.passrl at PASSRL
>   4    1             ldap/passrlsrv.passrl at PASSRL
>   5    1             ldap/passrlsrv.passrl at PASSRL
>   6    1             ldap/passrlsrv.passrl at PASSRL
>   7    1                    ldap/passrlsrv at PASSRL
>   8    1                    ldap/passrlsrv at PASSRL
>   9    1                    ldap/passrlsrv at PASSRL
>  10    1                    ldap/passrlsrv at PASSRL
>  11    1                    ldap/passrlsrv at PASSRL
>  12    1                    ldap/passrlsrv at PASSRL
>
> Do you think that there is an incompatibility between the Heimdal KDC  
> and the MIT client?
> Is it possible for instance that the server uses the aes256-cts-hmac-sha1-96  
> key and the client another one?
>
>
> Thank you
> Xavier
>
>
> On Fri 27/02/09 20:59 , Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>
>>> Feb 27 18:04:20 passrlsrv slapd[9861]: SASL [conn=16] Failure: GSSAPI
>>> Error:  Miscellaneous failure (see text) (Decrypt integrity check
>>> failedxt))
>> "Decrypt integrity check failed" means that the service key in your KDC
>> doesn't match the service key stored in the keytab.  You should rekey
>> your server (and make sure you re-kinit AFTER you do that so you get a new
>> service ticket that matches your service key).
>> --Ken
>>
>>
> http://www.celeonet.fr

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
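A script form of the check Henry describes above (compare the enctype and kvno of the client's service ticket with the server's keytab listing), added here as an example and not part of the thread. The command outputs it parses are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example: cross-check the service ticket on the client (klist -e, kvno)
# against the server's Heimdal `ktutil list` output. Everything is captured
# text, so the samples below are constructed and the script runs offline.

# Enctype the service ticket is encrypted with: the "Etype (skey, tkt):"
# line that follows the service principal in `klist -e` output.
ticket_enctype() {   # $1 = klist -e output, $2 = service principal
    printf '%s\n' "$1" | awk -v sp="$2" '
        $NF == sp { found = 1; next }
        found && /Etype \(skey, tkt\)/ {
            sub(/.*tkt\): */, ""); split($0, e, /, */); print e[2]; exit }'
}

# Key version reported by `kvno <service principal>`.
ticket_kvno() {      # $1 = kvno output, $2 = service principal
    printf '%s\n' "$1" | awk -v sp="$2" '$1 == (sp ":") { print $NF; exit }'
}

# 0 if the keytab listing has an entry with that principal, kvno and enctype.
keytab_has_entry() { # $1 = ktutil output, $2 = principal, $3 = kvno, $4 = enctype
    printf '%s\n' "$1" | awk -v p="$2" -v v="$3" -v e="$4" '
        $1 == v && $2 == e && $3 == p { ok = 1 } END { exit ok ? 0 : 1 }'
}

# A ticket encrypted under a kvno/enctype the keytab does not hold is exactly
# what produces "Decrypt integrity check failed" on the server.
check_service_key() { # $1 = principal, $2 = klist out, $3 = kvno out, $4 = ktutil out
    et=$(ticket_enctype "$2" "$1"); kv=$(ticket_kvno "$3" "$1")
    if keytab_has_entry "$4" "$1" "$kv" "$et"; then
        echo "match: $1 kvno=$kv enctype=$et"; return 0
    fi
    echo "MISMATCH: ticket for $1 uses kvno=$kv enctype=$et, not in keytab"
    return 1
}

# Constructed samples: the KDC now issues kvno 2 (a keytab extraction that
# generated new keys behind your back), but the copied keytab still holds kvno 1.
SP='ldap/passrlsrv.passrl@PASSRL'
KLIST_SAMPLE='Valid starting     Expires            Service principal
03/02/09 10:01:00  03/02/09 20:00:00  ldap/passrlsrv.passrl@PASSRL
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'
KVNO_SAMPLE='ldap/passrlsrv.passrl@PASSRL: kvno = 2'
KTUTIL_SAMPLE='Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  ldap/passrlsrv.passrl@PASSRL
  1  des3-cbc-sha1            ldap/passrlsrv.passrl@PASSRL'
check_service_key "$SP" "$KLIST_SAMPLE" "$KVNO_SAMPLE" "$KTUTIL_SAMPLE" ||
    echo "fix: re-extract the keytab on the server, copy it over, then kinit again"
```

On a live system, feed it the real outputs with `ticket_enctype "$(klist -e)" "$SP"` and so on; the keytab listing comes from the server, the other two from the client after the failure.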
