SASL + Kerberos + OpenLDAP issue
Henry B. Hotz
hotz at jpl.nasa.gov
Mon Mar 2 16:52:12 EST 2009
OK, so you know what's on the server.
On your client (after a failure) do a "klist -e". If there is a
matching enctype with a server's keytab entry, then do a "kvno
<service principal>" and see if that entry's kvno also matches.
Some procedures for extracting keytab files will increment the kvno
(and generate new keys) behind your back.
On Feb 28, 2009, at 6:28 AM, xavier.ambrosioni at cinema-voiron.fr wrote:
> Hi,
>
> I tried to delete, recreate and export my service principals but it
> did not solve my problem. I still have the same error.
>
> More details on my configuration:
> - My server is running Ubuntu with a Heimdal KDC.
> - My client is a Mac running Leopard 10.5.6 with MIT Kerberos (if
> I'm right).
>
> I created the service principals on my KDC, then exported them to the
> keytab on my server, then I copied the keytab to my client.
> Below is the result of the 'ktutil list' command:
>
> on my server:
> root@passrlsrv:~# ktutil list
> FILE:/etc/krb5.keytab:
>
> Vno Type Principal
> 1 des-cbc-md5 ldap/passrlsrv.passrl@PASSRL
> 1 des-cbc-md4 ldap/passrlsrv.passrl@PASSRL
> 1 des-cbc-crc ldap/passrlsrv.passrl@PASSRL
> 1 aes256-cts-hmac-sha1-96 ldap/passrlsrv.passrl@PASSRL
> 1 des3-cbc-sha1 ldap/passrlsrv.passrl@PASSRL
> 1 arcfour-hmac-md5 ldap/passrlsrv.passrl@PASSRL
> 1 des-cbc-md5 ldap/passrlsrv@PASSRL
> 1 des-cbc-md4 ldap/passrlsrv@PASSRL
> 1 des-cbc-crc ldap/passrlsrv@PASSRL
> 1 aes256-cts-hmac-sha1-96 ldap/passrlsrv@PASSRL
> 1 des3-cbc-sha1 ldap/passrlsrv@PASSRL
> 1 arcfour-hmac-md5 ldap/passrlsrv@PASSRL
>
>
> on my client:
> imac:/etc root# ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 1 ldap/passrlsrv.passrl@PASSRL
> 2 1 ldap/passrlsrv.passrl@PASSRL
> 3 1 ldap/passrlsrv.passrl@PASSRL
> 4 1 ldap/passrlsrv.passrl@PASSRL
> 5 1 ldap/passrlsrv.passrl@PASSRL
> 6 1 ldap/passrlsrv.passrl@PASSRL
> 7 1 ldap/passrlsrv@PASSRL
> 8 1 ldap/passrlsrv@PASSRL
> 9 1 ldap/passrlsrv@PASSRL
> 10 1 ldap/passrlsrv@PASSRL
> 11 1 ldap/passrlsrv@PASSRL
> 12 1 ldap/passrlsrv@PASSRL
>
> Do you think that there is an incompatibility between the Heimdal KDC
> and the MIT client?
> Is it possible, for instance, that the server uses the
> aes256-cts-hmac-sha1-96 key and the client another one?
>
>
> Thank you
> Xavier
>
>
> On Fri 27/02/09 20:59 , Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>
>>> Feb 27 18:04:20 passrlsrv slapd[9861]: SASL [conn=16] Failure: GSSAPI
>>> Error: Miscellaneous failure (see text) (Decrypt integrity check
>>> failed)
>> "Decrypt integrity check failed" means that the service key in your KDC
>> doesn't match the service key stored in the keytab. You should rekey
>> your server (and make sure you re-kinit AFTER you do that so you get a new
>> service ticket that matches your service key).
>> --Ken
>>
>>
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
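Henry's check at the top of this message (compare the enctype from "klist -e" and the kvno from "kvno" against the keytab entries), as an added example that is not part of this thread: a Python script that parses captured output of those commands and reports which half disagrees. The three samples are constructed; it assumes MIT's short enctype names in "klist -e", and it accepts either a Heimdal "ktutil list" or an MIT "klist -kte" keytab listing, since the MIT "ktutil list" shown above prints no enctypes at all.

```python
import re

# Constructed sample of Heimdal "ktutil list" output in the thread's format.
KEYTAB = """Vno Type Principal
1 des-cbc-md5 ldap/passrlsrv.passrl@PASSRL
1 aes256-cts-hmac-sha1-96 ldap/passrlsrv.passrl@PASSRL
1 arcfour-hmac-md5 ldap/passrlsrv.passrl@PASSRL
"""
# Constructed sample of MIT "klist -e" output after kinit and a failed LDAP
# bind (short enctype names assumed; older MIT releases print long names).
CCACHE = """Default principal: xavier@PASSRL
03/02/09 10:01:00  03/02/09 20:00:00  ldap/passrlsrv.passrl@PASSRL
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""
# Constructed sample of "kvno ldap/passrlsrv.passrl@PASSRL" output.
KVNO_OUT = "ldap/passrlsrv.passrl@PASSRL: kvno = 2\n"
HEIMDAL_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$")          # ktutil list
MIT_ROW = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+@\S+)\s+\(([^)]+)\)")  # klist -kte

def parse_keytab(text):
    """Set of (principal, kvno, enctype) from a Heimdal or MIT keytab listing."""
    entries = set()
    for line in text.splitlines():
        if m := HEIMDAL_ROW.match(line):
            entries.add((m.group(3), int(m.group(1)), m.group(2)))
        elif m := MIT_ROW.match(line):
            entries.add((m.group(2), int(m.group(1)), m.group(3)))
    return entries
def ticket_enctype(klist_text, service):
    """The 'tkt' half of the Etype line following the service's klist -e row."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = re.search(r"Etype \(skey, tkt\):\s*[^,]+,\s*(\S+)", lines[i + 1])
        if line.rstrip().endswith(service) and m:
            return m.group(1)
    return None
def ticket_kvno(kvno_text):
    m = re.search(r"kvno\s*=\s*(\d+)", kvno_text)
    return int(m.group(1)) if m else None
def diagnose(service, keytab_text, klist_text, kvno_text):
    """Henry's check: a keytab key for `service` with BOTH the ticket's enctype and kvno?"""
    etype, kvno = ticket_enctype(klist_text, service), ticket_kvno(kvno_text)
    keys = {(k, e) for p, k, e in parse_keytab(keytab_text) if p == service}
    if etype is None or kvno is None:
        return "cannot determine ticket enctype or kvno"
    if (kvno, etype) in keys:
        return "ok"
    if not any(e == etype for _, e in keys):
        return f"no keytab key with enctype {etype}"
    return f"kvno mismatch: ticket has {kvno}, keytab has {sorted(k for k, e in keys if e == etype)}"
```

With the constructed samples the result is a kvno mismatch (ticket kvno 2, keytab kvno 1), which is the "keytab extraction bumped the kvno behind your back" case; a missing enctype is reported separately.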