
RE: Failure: gss_accept_sec_context



Yes I'd REALLY like to see this addressed as I have been fighting the
problem for a week now. I'm using SASLv2/MIT KRB5. All the principals are
in order and the Kerberos is working as expected. I'm not exactly sure
if I should be using saslauthd and it doesn't look as though it's even
being touched; nevertheless I have it running `./saslauthd -a kerberos5 pam`

Running:
kinit rcmd/core3.domain.com
./sasl2-sample-server core3.domain.com (no service specified because the
test defaults to rcmd)
trying 10, 1, 6
socket: Address family not supported by protocol
trying 2, 1, 6
accepted new connection
send: {38}
LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
recv: {6}
GSSAPI
recv: {1}
Y
recv: {527}
starting SASL negotiation: authentication failureclosing connection

kinit rcmd/core3.domain.com
./sasl2-sample-client core3.domain.com (again defaulting to rcmd)
receiving capability list... recv: {38}
LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
please enter an authorization id: rcmd (tried every variation)
(rcmd/core3.domain.com))
send: {6}
GSSAPI
send: {1}
Y
send: {527}
authentication failed
closing connection

DEBUG LOG:
Mar  4 11:26:16 core3 sasl2-sample-server: GSSAPI Failure:
gss_accept_sec_context

KRB5KDC LOG:

Mar 04 11:23:52 core1 krb5kdc[836](info): TGS_REQ (3 etypes {16 3 1})
10.11.1.12(88): ISSUE: authtime 1046804186, etypes {rep=16 tkt=1 ses=1},
rcmd/core3.domain.com@DOMAIN.COM for rcmd/core3.domain.com@DOMAIN.COM

I'm completely stumped! Can anyone shed a glimmer of hope for me? Thanks

Shane


>I'm now trying to get OpenLDAP v2.1.13 to work with KTH Heimdal KDC.
>
>I got the same thing once when I was trying MIT Kerberos V, but that
>time it was because I was running as 'root' with ticket for 'turbo'.
>This time, with Heimdal, I'm doing it as 'turbo' with ticket for 'turbo',
>so I'm stumped... Any idea anyone?
>
>----- s n i p -----
>turbo@majorskan:~$ kdestroy
>turbo@majorskan:~$ klist
>klist: No ticket file: /tmp/krb5cc_1000
>
>  V4-ticket file: /tmp/tkt1000
>klist: No ticket file (tf_util)
>turbo@majorskan:~$ file /tmp/krb5cc_1000
>/tmp/krb5cc_1000: can't stat `/tmp/krb5cc_1000' (No such file or directory).
>turbo@majorskan:~$ kinit
>turbo@BAYOUR.COM's Password:
>kinit: converting creds: Cannot contact any KDC for requested realm
>turbo@majorskan:~$ klist
>Credentials cache: FILE:/tmp/krb5cc_1000
>        Principal: turbo@BAYOUR.COM
>
>  Issued           Expires          Principal
>Mar  3 09:51:28  Mar  3 19:51:23  krbtgt/BAYOUR.COM@BAYOUR.COM
>Mar  3 09:51:30  Mar  3 19:51:23  krbtgt/BAYOUR.COM@BAYOUR.COM
>
>
>   V4-ticket file: /tmp/tkt1000
>klist: No ticket file (tf_util)
>turbo@majorskan:~$ ldapsearch -U turbo -LLL -h majorskan objectclass=*
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Invalid credentials (49)
>        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>turbo@majorskan:~$ klist
>Credentials cache: FILE:/tmp/krb5cc_1000
>        Principal: turbo@BAYOUR.COM
>
>
> Issued           Expires          Principal
>Mar  3 09:51:28  Mar  3 19:51:23  krbtgt/BAYOUR.COM@BAYOUR.COM
>Mar  3 09:51:30  Mar  3 19:51:23  krbtgt/BAYOUR.COM@BAYOUR.COM
>Mar  3 09:51:50  Mar  3 19:51:23  ldap/majorskan.bayour.com@BAYOUR.COM
>
>   V4-ticket file: /tmp/tkt1000
>klist: No ticket file (tf_util)
>----- s n i p -----