GSSAPI / SASL problems of sasl2-bin on Ubuntu 10.04.4

Dan White dwhite at olp.net
Fri Jul 6 11:54:30 EDT 2012


On 07/06/12 23:11 +0800, John Mok wrote:
>Hi,
>
>I have succeeded using GSSAPI SASL for OpenLDAP + Postfix access on 
>Ubuntu 8.04.4. When I made the same setup on Ubuntu 10.04.4 :-

Your postfix process is retrieving information, such as postmaps, from an
openldap server, using gssapi authentication? Or are you retrieving your
postmaps from an Active Directory server?

>>ldapwhoami -Y GSSAPI
>
>it returned an error (80).
>
>sasl2-bin 2.1.23
>libsasl2-modules 2.1.23
>libsasl2-modules-gssapi-heimdal 2.1.23
>
>When I tried libsasl2-modules-gssapi-mit, it returned (key table 
>entry not found). When I tried libsasl2-modules-gssapi-heimdal, it 
>returned "No credentials were supplied, or the credentials were 
>unavailable or inaccessible ...". I checked with ktutil list and it 
>listed the kerberos principals from Windows 2003 correctly.

For the client side ldapwhoami attempt, try:

klist (verify that you have a TGT)

ldapwhoami -O maxssf=0 -Y GSSAPI ...

and use wireshark to capture the interaction, which will show you any
errors that the KDC may be providing over the network.

Adding '-d -1' may also be helpful. Check your syslog output (auth
facility) for any sasl errors.

Is the keytab file being used by postfix, by openldap, or both?

Where is your keytab file located? If it is not located in
/etc/krb5.keytab, then you will need to add some configuration for the
gssapi plugin to find its location. If using the heimdal plugin,
create a sasl config file (e.g. /usr/lib/sasl2/slapd.conf) with:

keytab: /path/to/file.keytab

If you're using the mit plugin, you'll specify the location using the
KRB5_KTNAME environment variable.

-- 
Dan White
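The keytab-location rules in the reply above (Heimdal plugin: a `keytab:` line in the application's SASL config file; MIT plugin: the `KRB5_KTNAME` environment variable; otherwise `/etc/krb5.keytab`) are easy to get wrong when slapd and postfix run as different users. The following is an added diagnostic script, not code from this thread or from the Cyrus SASL project: it parses a SASL application config, resolves the keytab path each plugin flavor would open, and reports whether that file exists and is readable by the current user. The sample config text and file names in it are constructed for illustration.

```python
"""Resolve and check the keytab a Cyrus SASL GSSAPI plugin will use.

Added example for the thread above; resolution rules follow the reply:
  - heimdal plugin: 'keytab:' option in the application's SASL config file
  - mit plugin:     KRB5_KTNAME environment variable (may carry a FILE: prefix)
  - fallback:       /etc/krb5.keytab
All paths and config lines used as sample input are constructed.
"""
import os
import tempfile
from typing import Dict, Mapping

DEFAULT_KEYTAB = "/etc/krb5.keytab"


def parse_sasl_config(text: str) -> Dict[str, str]:
    """Parse 'option: value' lines of a Cyrus SASL application config file.

    Blank lines and lines starting with '#' are skipped; option names are
    lower-cased so 'Keytab:' and 'keytab:' are treated alike.
    """
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        options[key.strip().lower()] = value.strip()
    return options


def resolve_keytab(flavor: str, sasl_options: Mapping[str, str],
                   env: Mapping[str, str]) -> str:
    """Return the keytab path the given GSSAPI plugin flavor would open."""
    if flavor == "heimdal":
        return sasl_options.get("keytab", DEFAULT_KEYTAB)
    if flavor == "mit":
        value = env.get("KRB5_KTNAME", DEFAULT_KEYTAB)
        # krb5 accepts "FILE:/path"; strip the prefix for the filesystem check.
        return value[5:] if value.upper().startswith("FILE:") else value
    raise ValueError(f"unknown gssapi plugin flavor: {flavor}")


def check_keytab(path: str) -> Dict[str, object]:
    """Report existence, readability and mode bits of the keytab file.

    A keytab the service account cannot read is a first thing to rule out
    before chasing KDC-side errors in a packet capture.
    """
    report: Dict[str, object] = {"path": path, "exists": os.path.isfile(path),
                                 "readable": False, "mode": None}
    if report["exists"]:
        report["readable"] = os.access(path, os.R_OK)
        report["mode"] = oct(os.stat(path).st_mode & 0o777)
    return report


def diagnose(flavor: str, sasl_config_text: str,
             env: Mapping[str, str]) -> Dict[str, object]:
    """Combine parsing, resolution and the filesystem check into one report."""
    options = parse_sasl_config(sasl_config_text)
    return check_keytab(resolve_keytab(flavor, options, env))


if __name__ == "__main__":
    # Constructed sample: a slapd.conf for the SASL library pointing at a
    # keytab in a non-default location, checked under both plugin flavors.
    with tempfile.NamedTemporaryFile(suffix=".keytab", delete=False) as fh:
        fh.write(b"\x05\x02")  # keytab file-format header bytes only
        keytab_path = fh.name
    sample_config = f"# constructed /usr/lib/sasl2/slapd.conf\nkeytab: {keytab_path}\n"
    print("heimdal:", diagnose("heimdal", sample_config, {}))
    print("mit (no KRB5_KTNAME):", diagnose("mit", sample_config, {}))
    print("mit (KRB5_KTNAME set):",
          diagnose("mit", sample_config, {"KRB5_KTNAME": f"FILE:{keytab_path}"}))
    os.unlink(keytab_path)
```

Run it as the user that owns the service (for example with `sudo -u openldap`) so the readability result reflects what slapd actually sees rather than what root sees.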