
Re: LDAP with Kerberos authentication



On Thursday 30 June 2005 06:09 am, Eugen Wintersberger wrote:
> Hi there
>  I have a problem with slapd using Kerberos V (GSSAPI) authentication
> on Debian 3.1 Sarge. The Kerberos configuration seems to be ok since
> cyrus imap daemon uses it without any problems.
>
> I also added the appropriate principals to my Kerberos database and to
> the krb5.keytab file:
>
>  ldap/hubbard.hlphys.uni-linz.ac.at@HLPHYS.UNI-LINZ.AC.AT
>  ldap/localhost@HLPHYS.UNI-LINZ.AC.AT
>
> After getting my TGT with
>
>  > kinit admin
>
> I tried a simple
>
>  > ldapwhoami -h hubbard.hlphys.uni-linz.ac.at
>
> and got the following error message
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (No principal in keytab matches desired name)
>
> I got a similar error with cyrus imapd before I changed the "servername"
> variable in imapd.conf to the hostname.
> Has anyone an idea what I'm doing wrong?
>
> thanks
>
>   Eugen
>
>
> --
> Eugen Wintersberger <eugen.wintersberger@gmx.net>

Try adding ldap/<yourFQDN>@<KERBDOMAIN> to the keytab -- also make certain 
that slapd can read the keytab that contains everything relevant to it, to do 
this without compromising the main keytab you have to add an override 
in /etc/default/slapd , for example something like:

# Kerberos ticket configuration
export KRB5_KTNAME=/etc/ldap/ldap.keytab

I'm guessing, mostly -- I have an LDAPS/Kerberos implementation working here, 
but it was a nightmare to set up. The most important things to check, I've 
found, are the FQDNs of all the systems involved -- both LDAP and Kerberos 
are very, very picky about them.

-- 
Ryan Schultz
-> floating point exception: divide by cucumber
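The two things the reply above tells the poster to verify are (1) that the keytab slapd actually reads contains the exact ldap/<FQDN>@<REALM> principal a GSSAPI client will ask for, and (2) that the slapd account can read that keytab without it being handed to every local account. The script below is an added example, not code from the list thread or from the OpenLDAP or Debian projects. It assumes the service principal form ldap/<fqdn>@<REALM>, that slapd's keytab path is the one exported as KRB5_KTNAME in /etc/default/slapd, and that slapd runs as the Debian "openldap" user; the klist -k listing it parses is constructed from the principals named in the post.

```shell
#!/bin/sh
# Added example (not from the list post, OpenLDAP or Debian): check that the
# keytab slapd reads holds ldap/<FQDN>@<REALM> and that slapd can read it
# without the file being world-readable.
# Assumptions: principal form ldap/<fqdn>@<REALM>; keytab path from the
# KRB5_KTNAME override in /etc/default/slapd; slapd runs as "openldap".

SLAPD_USER=${SLAPD_USER:-openldap}                  # assumed Debian default
SLAPD_KEYTAB=${KRB5_KTNAME:-/etc/ldap/ldap.keytab}  # path used in the reply

# Principal a GSSAPI client derives from the host name it was given
# (ldapwhoami -h <host>): "ldap/" + that exact name + "@" + realm. A short
# name or a CNAME alias yields a different principal than the FQDN does.
expected_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Exit 0 if the 'klist -k' listing on stdin contains principal $1.
# Every entry line ends with the principal, so compare the last field.
keytab_has_principal() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit !found }'
}

# How user $2 can read keytab $1: owner, group, world (every local account
# can copy the key: fix the mode) or none. Reads owner and mode from ls, so
# it also works when run as root, where a plain "-r" test always succeeds.
keytab_access_for() {
    ls -ld "$1" 2>/dev/null | awk -v user="$2" -v groups=" $(id -Gn "$2" 2>/dev/null) " '{
        perms = $1; owner = $3; grp = $4
        if (owner == user && substr(perms, 2, 1) == "r")                    print "owner"
        else if (index(groups, " " grp " ") && substr(perms, 5, 1) == "r")  print "group"
        else if (substr(perms, 8, 1) == "r")                                 print "world"
        else                                                                 print "none"
    }'
}

# Both checks together: host $1 in realm $2, 'klist -k' listing on stdin,
# keytab file $3 read as user $4. Prints a verdict; exit 0 only when sane.
diagnose_keytab() {
    want=$(expected_principal "$1" "$2")
    if ! keytab_has_principal "$want"; then
        echo "MISSING: $want is not in the keytab (the 'No principal in keytab matches desired name' case)"
        return 1
    fi
    case $(keytab_access_for "$3" "$4") in
        owner|group) echo "OK: $want present and readable by $4"; return 0 ;;
        world)       echo "WEAK: $want present but $3 is world-readable"; return 1 ;;
        *)           echo "UNREADABLE: $want present but $4 cannot read $3"; return 1 ;;
    esac
}

# Constructed 'klist -k' output matching the principals listed in the post.
SAMPLE_KLIST='Keytab name: FILE:/etc/ldap/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/hubbard.hlphys.uni-linz.ac.at@HLPHYS.UNI-LINZ.AC.AT
   2 ldap/localhost@HLPHYS.UNI-LINZ.AC.AT'

# Demo on the constructed listing: the FQDN matches, the short host name
# (what a client gets when -h is given an unqualified name) does not.
printf '%s\n' "$SAMPLE_KLIST" | diagnose_keytab hubbard.hlphys.uni-linz.ac.at \
    HLPHYS.UNI-LINZ.AC.AT "$SLAPD_KEYTAB" "$SLAPD_USER" || :
printf '%s\n' "$SAMPLE_KLIST" | diagnose_keytab hubbard \
    HLPHYS.UNI-LINZ.AC.AT "$SLAPD_KEYTAB" "$SLAPD_USER" || :
```

On a real host, feed the functions live output instead of the sample (`klist -k "$SLAPD_KEYTAB" | diagnose_keytab "$(hostname -f)" REALM "$SLAPD_KEYTAB" openldap`). A "MISSING" verdict with the FQDN means the keytab slapd uses lacks the principal, or the name the client resolved differs from the one in the keytab; a "WEAK" verdict means the separate keytab was created but left readable by everyone, which defeats the point of splitting it off from /etc/krb5.keytab.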
