
Problem with SASL/Kerberos5



Hi,

I'm trying to authenticate to OpenLDAP using libsasl2-gssapi-mit. So I
wrote in /etc/default/saslauthd:

----- /etc/default/saslauthd -----------------------
START=yes
MECHANISMS="kerberos5"
----------------------------------------------------

And here is my ldap.conf:

----- /etc/ldap/ldap.conf --------------------------
URI             ldap://purcell.kerberos.mgoetze.net/
BASE            dc=mgoetze,dc=net
TLS_CACERT      /etc/ssl/certs/cacert.pem
----------------------------------------------------

Here is what happens:

----- Shell Session --------------------------------
% klist -5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET

Valid starting     Expires            Service principal
11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
        renew until 11/18/06 19:43:24
% ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous
failure (Permission denied)
% klist -5
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET

Valid starting     Expires            Service principal
11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
        renew until 11/18/06 19:43:24
11/17/06 19:50:55  11/18/06 05:43:27  ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
        renew until 11/18/06 19:43:24
----------------------------------------------------

Here is what auth.log says about this incident:

----- /var/log/auth.log ----------------------------
Nov 17 19:50:55 localhost slapd[4645]: OTP unavailable because can't read/write
key database /etc/opiekeys: No such file or directory
Nov 17 19:50:55 localhost krb5kdc[3088]: TGS_REQ (7 etypes {18 17 16 23 1 3 2})
10.211.55.3: ISSUE: authtime 1163789007, etypes {rep=16 tkt=16 ses=16}, mgoetze@
KERBEROS.MGOETZE.NET for ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
----------------------------------------------------

Based on my logs, the problem doesn't seem to be in slapd (so I won't
bother you with my slapd.conf unless someone asks), but in saslauthd.
I tried running saslauthd in debug mode but unfortunately it is entirely
unhelpful. (Would gsasl be an alternative, since cyrus-sasl is such
a pain?)

Can anyone tell me what I'm doing wrong, or at least how to get saslauthd
to tell me what I'm doing wrong?

Thanks in advance,
Michael
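A way to narrow this kind of GSSAPI failure down from the artefacts already in the post: the ticket cache shows which tickets the client holds before and after the bind, and the KDC log shows whether the TGS exchange for the `ldap/` service principal succeeded. The script below, an added example that is not part of the original message, parses `klist -5` output and a `krb5kdc` TGS_REQ log line and reports which stage of the Kerberos/GSSAPI path the failure falls into. The sample inputs are constructed from the shapes shown in the post (the wrapped log line is rejoined); the host name, realm and principal are taken from it, and the `stage` labels are this example's own.

```python
import re

# Constructed sample: ticket cache before the bind (TGT only), after the post's first klist.
KLIST_BEFORE = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mgoetze@KERBEROS.MGOETZE.NET

Valid starting     Expires            Service principal
11/17/06 19:43:27  11/18/06 05:43:27  krbtgt/KERBEROS.MGOETZE.NET@KERBEROS.MGOETZE.NET
        renew until 11/18/06 19:43:24
"""

# Constructed sample: ticket cache after the failed ldapsearch (service ticket now present).
KLIST_AFTER = KLIST_BEFORE + """11/17/06 19:50:55  11/18/06 05:43:27  ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
        renew until 11/18/06 19:43:24
"""

# Constructed sample: the two auth.log lines from the post, each rejoined onto one line.
KDC_LOG = """Nov 17 19:50:55 localhost slapd[4645]: OTP unavailable because can't read/write key database /etc/opiekeys: No such file or directory
Nov 17 19:50:55 localhost krb5kdc[3088]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.211.55.3: ISSUE: authtime 1163789007, etypes {rep=16 tkt=16 ses=16}, mgoetze@KERBEROS.MGOETZE.NET for ldap/purcell.kerberos.mgoetze.net@KERBEROS.MGOETZE.NET
"""

# One klist ticket line: "<valid starting>  <expires>  <service principal>".
# The indented "renew until" lines and the column header do not match.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)

# MIT krb5kdc TGS_REQ record: "... <client ip>: <RESULT>: ... <client> for <service>".
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]: TGS_REQ .*? (?P<ip>[\d.]+): (?P<result>[A-Z_]+): "
    r".*?(?P<client>\S+@\S+) for (?P<service>\S+)$"
)


def parse_klist(text):
    """Return (default principal, [(start, expires, service principal), ...])."""
    default = None
    tickets = []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(m.groups())
    return default, tickets


def kdc_tgs_result(log_text, client, service):
    """Return the KDC's result word ("ISSUE", or an error tag) for the TGS_REQ of
    client -> service, or None if no such request appears in the log."""
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if m and m.group("client") == client and m.group("service") == service:
            return m.group("result")
    return None


def check_gssapi_ticket_path(klist_text, kdc_log, ldap_host, realm):
    """Classify where a failed SASL/GSSAPI bind stopped, using only client-side
    ticket cache output and the KDC log."""
    principal, tickets = parse_klist(klist_text)
    service = f"ldap/{ldap_host}@{realm}"
    services = {s for _, _, s in tickets}
    has_tgt = any(s.startswith(f"krbtgt/{realm}@") for s in services)
    has_svc = service in services
    kdc = kdc_tgs_result(kdc_log, principal, service)
    if not has_tgt:
        stage = "tgt"       # no TGT in the cache: kinit never happened or expired
    elif not has_svc:
        stage = "tgs"       # TGS exchange failed: look at the KDC's result word
    else:
        stage = "acceptor"  # client holds a valid service ticket; failure is in the
                            # server's side of the GSS context exchange, not in the KDC
    return {"principal": principal, "service": service, "tgt": has_tgt,
            "service_ticket": has_svc, "kdc_result": kdc, "stage": stage}


if __name__ == "__main__":
    for label, cache in (("before", KLIST_BEFORE), ("after", KLIST_AFTER)):
        r = check_gssapi_ticket_path(cache, KDC_LOG,
                                     "purcell.kerberos.mgoetze.net", "KERBEROS.MGOETZE.NET")
        print(label, r["stage"], r["kdc_result"])
```

On the post's data the "after" cache classifies as `acceptor`: the KDC logged `ISSUE` for the `ldap/` principal and the client received the service ticket, so ticket acquisition worked and the `Permission denied` text (which arrives as the bind response's additional info) comes from the server's side of the exchange. Two general points worth knowing when reading that result, neither of which the post itself establishes: the GSSAPI mechanism is negotiated inside slapd by libsasl2 itself, and saslauthd (including its `kerberos5` mechanism) is only consulted for password-based mechanisms such as PLAIN, so its debug output cannot show this exchange; and on the acceptor side the usual thing to verify is whether the slapd process can read the keytab holding the `ldap/` key.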
