
Re: LDAP + Kerberos not allowing simple binds



"Jose Gonzalez Gomez" <jgonzalez@opentechnet.com> wrote in message
news:41210F4D.2030904@opentechnet.com...
> Robert wrote:
>
>     There should be something more in the logs indicating the cause of
> the errors... a few things that may cause this... not using the
> canonical name of the machine, slapd not having access to the keytabs...
>

I am at the end of my rope here.  The logs don't show anything else apart
from [reason=saslauthd internal error].

saslauthd -d -V -m /var/run/saslauthd -a kerberos5
saslauthd[27157] :main            : num_procs  : 5
saslauthd[27157] :main            : mech_option: NULL
saslauthd[27157] :main            : run_path   : /var/run/saslauthd
saslauthd[27157] :main            : auth_mech  : kerberos5
saslauthd[27157] :ipc_init        : using accept lock file:
/var/run/saslauthd/mux.accept
saslauthd[27157] :detach_tty      : master pid is: 0
saslauthd[27157] :ipc_init        : listening on socket:
/var/run/saslauthd/mux
saslauthd[27157] :main            : using process model
saslauthd[27157] :have_baby       : forked child: 27158
saslauthd[27157] :have_baby       : forked child: 27159
saslauthd[27157] :have_baby       : forked child: 27160
saslauthd[27157] :have_baby       : forked child: 27161
saslauthd[27157] :get_accept_lock : acquired accept lock
saslauthd[27157] :rel_accept_lock : released accept lock
saslauthd[27158] :get_accept_lock : acquired accept lock
saslauthd[27157] :do_auth         : auth failure: [user=user] [service=ldap]
[realm=KERBEROS.REALMNAME] [mech=kerberos5] [reason=saslauthd internal
error]

On the kerberos side, I get

Aug 17 00:50:41 Pianta-Scramble krb5kdc[750](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.0.1: NEEDED_PREAUTH: user@KERBEROS.REALM for
krbtgt/KERBEROS.REALM@KERBEROS.REALM, Additional pre-authentication required
Aug 17 00:50:41 Pianta-Scramble krb5kdc[750](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.0.1: NEEDED_PREAUTH: user@KERBEROS.REALM for
krbtgt/KERBEROS.REALM@KERBEROS.REALM, Additional pre-authentication required
Aug 17 00:50:41 Pianta-Scramble krb5kdc[750](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.0.1: ISSUE: authtime 1092721841, etypes {rep=16 tkt=16
ses=16}, user@KERBEROS.REALM for krbtgt/KERBEROS.REALM@KERBEROS.REALM
Aug 17 00:50:41 Pianta-Scramble krb5kdc[750](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.0.1: ISSUE: authtime 1092721841, etypes {rep=16 tkt=16
ses=16}, user@KERBEROS.REALM for krbtgt/KERBEROS.REALM@KERBEROS.REALM


The bad thing is that the finish line is right in front of me but I can't
cross it.  I can do everything kerberos-wise.  I can kinit, klist, kpasswd
as the user.  Testsaslauthd still fails.

Please help.
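
A reading aid for the KDC excerpt in the message above, added here and not part of the original post: this Python parser rejoins the mail-wrapped krb5kdc lines, extracts each AS_REQ record, and reports per client the status sequence and the encryption type of the issued ticket. The function names and the etype table are this example's own; the sample lines are copied from the post.

```python
import re

# Kerberos encryption type numbers as printed in krb5kdc log lines.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# Sample input: one NEEDED_PREAUTH and one ISSUE record from the post, still hard-wrapped.
SAMPLE = """\
Aug 17 00:50:41 Pianta-Scramble krb5kdc[750](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.0.1: NEEDED_PREAUTH: user@KERBEROS.REALM for
krbtgt/KERBEROS.REALM@KERBEROS.REALM, Additional pre-authentication required
Aug 17 00:50:41 Pianta-Scramble krb5kdc[750](info): AS_REQ (7 etypes {18 17
16 23 1 3 2}) 192.168.0.1: ISSUE: authtime 1092721841, etypes {rep=16 tkt=16
ses=16}, user@KERBEROS.REALM for krbtgt/KERBEROS.REALM@KERBEROS.REALM
"""

START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ krb5kdc\[\d+\]")
AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, )?(?P<client>\S+) for (?P<service>[^\s,]+)")

def unwrap(text):
    """Rejoin hard-wrapped records; a new record begins with a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def parse(text):
    """Return one dict per AS_REQ record, with the offered etypes as ints."""
    events = []
    for m in filter(None, map(AS_REQ.search, unwrap(text))):
        event = m.groupdict()
        event["offered"] = [int(n) for n in event["offered"].split()]
        events.append(event)
    return events

def summarize(events):
    """Per (client, ip): the status sequence and the issued ticket etype name, if any."""
    seen = {}
    for e in events:
        s = seen.setdefault((e["client"], e["ip"]), {"statuses": [], "ticket_etype": None})
        s["statuses"].append(e["status"])
        if e["tkt"]:  # only ISSUE records carry rep/tkt/ses etypes
            s["ticket_etype"] = ETYPES.get(int(e["tkt"]), "etype " + e["tkt"])
    return seen
```

Calling `summarize(parse(SAMPLE))` shows `NEEDED_PREAUTH` followed by `ISSUE` with a `des3-cbc-sha1` ticket for the client: the first reply asks for pre-authentication and the second issues the ticket-granting ticket.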