Server ldap/localhost@EXAMPLE.COM not found in Kerberos database
Jaap Winius
jwinius at umrk.nl
Thu Apr 13 18:19:12 EDT 2017
Hi folks,
My question is with regard to an error that I get on an OpenLDAP
consumer server that uses Kerberos to authenticate to a provider:
slapd[1668]: GSSAPI Error: Unspecified GSS failure. \
Minor code may provide more information \
(Server ldap/localhost@EXAMPLE.COM not found in Kerberos database)
Software versions:
Operating system: Debian 9 (stretch)
OpenLDAP slapd: 2.4.44
Kerberos krb5-user: 1.15
libsasl2-modules-gssapi-mit: 2.1.27~101-g0780600+dfsg-3
There's a Kerberos key table with keys for an
ldap/srv4.example.com@EXAMPLE.COM principal that's used for slapd and
k5start is used to maintain the Kerberos ticket cache for it. That
all works fine.
Furthermore, the hostname for the system, srv4, is configured
correctly, there's almost nothing in /etc/hosts (just '127.0.0.1
localhost' and a few IPv6 linklocal lines), and the forward and
reverse DNS entries for this host all refer to srv4.example.com (for
IPv4 and IPv6).
In /etc/default/slapd I was at first using a statement that said:
export KRB5_KTNAME=/etc/ldap/krb5-ldap.keytab
But, when I couldn't get rid of the error in question, I changed
things around a bit and commented out the line or tried this (the
default):
export KRB5_KTNAME=/etc/krb5.keytab
Alas, nothing seems to make a difference and slapd insists on
authenticating itself to the slapd provider as
ldap/localhost@EXAMPLE.COM, which doesn't work.
Could this be a bug? If so, is there a workaround?
Cheers,
Jaap
PS -- If I've come to the wrong place to ask this question, my
apologies and I would appreciate any hints as to where I should take
this instead.