
KrbV5, KPASSWD, Invalid credentials, Unable to locate KDC (ITS#1520)



Full_Name: Asger Henriksen
Version: CVS HEAD
OS: Linux Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (213.129.28.242)


FYI

After unsuccessfully trying to get LDAPv3+SASL+KrbV5+SSL/TLS etc. to work from
the fine HOWTO on www.bayour.com, I finally tracked the error to the KPASSWD
section of the code. Debug showed that Kerberos returned "Unable to locate KDC"
from the krb5_get_init_creds_password call in passwd.c in libraries/liblutil.

I know Kerberos was working, because I have used it for a while, and used the
same setup to develop GSSAPI bindings for the Intermezzo Filesystem.

It seemed the krb5 call was unable to derive the realm from the userPassword
field, which was formatted as {KERBEROS}user@<MY-REALM>. I verified that the
user@<MY-REALM> was correctly extracted to the krb5_parse_name call.

I added a call to

krb5_set_principal_realm(context,client,<MY-REALM>)

after the krb5_parse_name call.

After this, it worked.

My ldap.conf and slapd.conf both had a sasl-realm <MY-REALM> entry.

I have tried several versions of OpenLDAP without luck. My debugging was done
against CVS HEAD on 08/01-2002.

Regards, 
Asger Henriksen
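
A diagnostic for the situation reported above, as an added example that is not part of the original report and not OpenLDAP code: it splits a {KERBEROS}user@REALM userPassword value at the first unescaped '@' and compares the realm with the configured one. The function name, result codes and the EXAMPLE.ORG realm are hypothetical; the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Result codes (hypothetical names for this example). */
enum { KV_OK = 0, KV_NOT_KERBEROS, KV_NO_REALM, KV_REALM_CASE,
       KV_REALM_MISMATCH, KV_TOO_LONG };

/* Split "{KERBEROS}name@REALM" at the first unescaped '@' (a backslash
 * escapes the next character in a Kerberos principal name), copy the realm
 * to realm_out and compare it with the realm configured for the server. */
int check_kerberos_value(const char *value, const char *expected_realm,
                         char *realm_out, size_t realm_len)
{
    static const char scheme[] = "{KERBEROS}";
    size_t n = sizeof(scheme) - 1;
    const char *p, *at = NULL;

    if (strncmp(value, scheme, n) != 0)
        return KV_NOT_KERBEROS;
    for (p = value + n; *p; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                      /* skip the escaped character */
        } else if (*p == '@') {
            at = p;                   /* realm starts after this '@' */
            break;
        }
    }
    if (at == NULL || at[1] == '\0')
        return KV_NO_REALM;           /* parser would use the default realm */
    if (strlen(at + 1) >= realm_len)
        return KV_TOO_LONG;
    strcpy(realm_out, at + 1);
    if (strcmp(realm_out, expected_realm) == 0)
        return KV_OK;
    /* Realm names are case-sensitive: a case-only difference is another realm. */
    return strcasecmp(realm_out, expected_realm) == 0 ? KV_REALM_CASE
                                                      : KV_REALM_MISMATCH;
}

int main(void)
{
    /* Constructed sample values; EXAMPLE.ORG is a placeholder realm. */
    const char *s[] = { "{KERBEROS}user@EXAMPLE.ORG", "{KERBEROS}user@example.org",
                        "{KERBEROS}user", "{KERBEROS}a\\@b@EXAMPLE.ORG", "{SSHA}abc" };
    char realm[64];
    for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
        printf("%-30s -> %d\n", s[i],
               check_kerberos_value(s[i], "EXAMPLE.ORG", realm, sizeof realm));
    return 0;
}
```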