
Re: problem with SASL authentication and Kerberos





--On Thursday, April 08, 2004 1:33 PM -0400 Jeffrey Layton <jtlayton@poochiereds.net> wrote:

> On Wed, 2004-04-07 at 13:39, Jeffrey Layton wrote:
> > I have a rather odd situation with OpenLDAP, GSSAPI, and SASL. I
> > recently changed my Kerberos KDC from MIT Kerberos to Heimdal, and at
> > the same time, changed my Kerberos realm name. Prior to this I had
> > everything working fine.
>
> With a hint, I figured out the problem. I had changed everything over except for the reverse lookups in my DNS domain. Those still pointed to the old domain. When I fixed that, the krbtgt request problem was fixed. Moral of this story: DNS matters when dealing with LDAP/SASL/GSSAPI.

Yes, if you read the K5 RFC, you will understand why that is. ;) I read it over when helping Digant with his GSSAPI issues, and it explains a lot...


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
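
A check for the condition described in this thread (PTR records still pointing at the old domain after a realm change), added here as an example and not part of the original messages. It assumes the GSSAPI client builds the service principal from the reverse-resolved host name; the function names, host names, addresses and realm are constructed for illustration.

```python
import socket

def dns_forward(host):
    """Addresses for host, from the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def dns_reverse(addr):
    """PTR name for addr, from the system resolver."""
    return socket.gethostbyaddr(addr)[0]

def check_gssapi_dns(host, realm, domain, forward=dns_forward,
                     reverse=dns_reverse, service="ldap"):
    """For each address of host, report the PTR name, the principal a client
    that canonicalises via reverse DNS would request (assumption), and problems."""
    results = []
    for addr in forward(host):
        try:
            ptr = reverse(addr).rstrip(".").lower()
        except OSError:  # socket.herror and socket.gaierror are OSError subclasses
            results.append({"addr": addr, "ptr": None, "principal": None,
                            "problems": ["no PTR record"]})
            continue
        problems = []
        if not ptr.endswith("." + domain.lower()):
            problems.append("PTR name is outside " + domain)
        try:
            if addr not in forward(ptr):
                problems.append("PTR name does not resolve back to " + addr)
        except OSError:
            problems.append("PTR name does not resolve")
        results.append({"addr": addr, "ptr": ptr,
                        "principal": f"{service}/{ptr}@{realm}",
                        "problems": problems})
    return results

# Constructed sample zones: forward records migrated, PTR stale vs. fixed.
FWD = {"ldap.new.example": ["192.0.2.10"], "ldap.old.example": ["192.0.2.10"]}
STALE_PTR = {"192.0.2.10": "ldap.old.example"}
FIXED_PTR = {"192.0.2.10": "ldap.new.example"}

def table(records):
    """Offline resolver backed by a dict; raises OSError like a failed lookup."""
    def lookup(key):
        if key not in records:
            raise OSError("no record for " + key)
        return records[key]
    return lookup

if __name__ == "__main__":
    for ptrs in (STALE_PTR, FIXED_PTR):
        print(check_gssapi_dns("ldap.new.example", "NEW.EXAMPLE", "new.example",
                               table(FWD), table(ptrs)))
```

Called without the `forward` and `reverse` arguments, the check uses the system resolver against a real host.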