OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Common Errors : GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied;
This message means that slapd is running as a non-root user (for example ldap) and therefore cannot read its Kerberos 5 service key from the default keytab, usually the file /etc/krb5.keytab, which is readable only by root.
A keytab file stores long-term keys for services and daemons that are started at boot time. It is very important that these secrets are kept beyond the reach of intruders: whoever can read a keytab can impersonate every principal in it.
That is why the default keytab file is owned by root and not readable by anyone else. Do not loosen those permissions (a world-readable /etc/krb5.keytab exposes the host key and every other service key on the machine); build a separate keytab for slapd instead.
To do this, start kadmin and enter the following commands:
export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
Set that environment variable in the slapd start script (Red Hat users might find /etc/sysconfig/ldap a convenient place), so that the Kerberos library opens the slapd-specific keytab instead of /etc/krb5.keytab.
This only works if you are using MIT Kerberos, because it relies on the Kerberos library honouring KRB5_KTNAME; it does not work with Heimdal, for instance.
Heimdal instead provides the function gsskrb5_register_acceptor_identity(), which sets the path of the keytab file you want to use. With Cyrus SASL 2 you can add
keytab: /path/to/file
to your application's SASL config file (for slapd this is slapd.conf in the SASL plugin directory, e.g. /usr/lib/sasl2/slapd.conf) to use this feature. This only works with Heimdal.
On Fedora and Red Hat Enterprise Linux systems that use systemd (Fedora 16 and RHEL 7 onward), KRB5_KTNAME should be placed in /etc/sysconfig/slapd without the export keyword: that file is read through the unit's EnvironmentFile= directive, which expects bare KEY=VALUE lines rather than shell syntax, so a line beginning with "export" is not applied.
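The following script is an added example and is not part of the OpenLDAP FAQ or of OpenLDAP itself. It ties the steps above together: extracting the LDAP service key into a keytab that only slapd can read, emitting the KRB5_KTNAME line in the form the init system expects (exported for a sourced SysV script, bare KEY=VALUE for a systemd EnvironmentFile), emitting the Cyrus SASL "keytab:" line used with Heimdal, and checking the keytab's permissions before slapd is started. The user and group "ldap", the realm EXAMPLE.COM, the admin principal admin/admin, the SASL config path and the keytab path /etc/openldap/ldap.keytab are assumptions; the KDC side assumes MIT kadmin.

```shell
#!/bin/sh
# Added example, not part of the OpenLDAP FAQ: give slapd its own keytab
# instead of loosening /etc/krb5.keytab, then point KRB5_KTNAME at it.
# Assumptions (hypothetical, adjust to your site): slapd runs as user and
# group "ldap", the service principal is ldap/<fqdn>@EXAMPLE.COM, the admin
# principal is admin/admin@EXAMPLE.COM, the new keytab is
# /etc/openldap/ldap.keytab, and the KDC is MIT Kerberos (kadmin's ktadd).

KEYTAB="${KEYTAB:-/etc/openldap/ldap.keytab}"
SLAPD_USER="${SLAPD_USER:-ldap}"
SLAPD_GROUP="${SLAPD_GROUP:-$SLAPD_USER}"
REALM="${REALM:-EXAMPLE.COM}"
ADMIN_PRINC="${ADMIN_PRINC:-admin/admin@$REALM}"

# Extract the ldap/<fqdn> key into a keytab only slapd can read (run as root).
# Caveat: MIT ktadd randomizes the principal's key and bumps its kvno, so any
# older copy of this key (e.g. in /etc/krb5.keytab) becomes stale; run it once.
provision_keytab() {
    princ="ldap/$(hostname -f)@$REALM"
    kadmin -p "$ADMIN_PRINC" -q "ktadd -k $KEYTAB $princ" || return 1
    chown "root:$SLAPD_GROUP" "$KEYTAB" && chmod 0640 "$KEYTAB" || return 1
    # Verify the key is listed when reading the keytab as the slapd user,
    # which is the access slapd itself will have at start-up.
    su -s /bin/sh "$SLAPD_USER" -c "klist -k '$KEYTAB'"
}

# Line to add to the slapd start-up environment. A SysV-style init script
# sources /etc/sysconfig/ldap, so the variable must be exported; a systemd
# EnvironmentFile= (/etc/sysconfig/slapd on Fedora 16+/RHEL 7+) is parsed as
# bare KEY=VALUE pairs, where "export" is not understood.
ktname_line() {
    case "$1" in
        sysv)    printf 'export KRB5_KTNAME="FILE:%s"\n' "$KEYTAB" ;;
        systemd) printf 'KRB5_KTNAME=FILE:%s\n' "$KEYTAB" ;;
        *)       echo "usage: ktname_line sysv|systemd" >&2; return 1 ;;
    esac
}

# Heimdal alternative: a "keytab:" option in slapd's Cyrus SASL config file
# (assumed path /usr/lib/sasl2/slapd.conf or /etc/sasl2/slapd.conf).
sasl_keytab_line() {
    printf 'keytab: %s\n' "$KEYTAB"
}

# Sanity check before starting slapd: the keytab must be readable by the
# slapd user and by nobody else. Returns 0 when safe, 1 otherwise.
# Uses GNU stat, falling back to BSD stat syntax.
keytab_perms_ok() {
    kt="$1"
    [ -f "$kt" ] || return 1
    mode=$(stat -c '%a' "$kt" 2>/dev/null) || mode=$(stat -f '%Lp' "$kt") || return 1
    owner=$(stat -c '%U' "$kt" 2>/dev/null) || owner=$(stat -f '%Su' "$kt") || return 1
    group=$(stat -c '%G' "$kt" 2>/dev/null) || group=$(stat -f '%Sg' "$kt") || return 1
    case "$owner" in root|"$SLAPD_USER") ;; *) return 1 ;; esac
    # Any "other" permission bit set: world-readable (or worse), reject.
    case "$mode" in *[1-7]) return 1 ;; esac
    # Group bits set: only acceptable when the group is slapd's own group.
    case "$mode" in
        *[1-7]?) [ "$group" = "$SLAPD_GROUP" ] || return 1 ;;
    esac
    return 0
}

# Usage (as root):
#   sh slapd-keytab.sh provision
#   sh slapd-keytab.sh envline systemd >> /etc/sysconfig/slapd
#   sh slapd-keytab.sh check
case "${1:-}" in
    provision) provision_keytab ;;
    envline)   ktname_line "${2:-}" ;;
    sasl)      sasl_keytab_line ;;
    check)     keytab_perms_ok "$KEYTAB" && echo "ok: $KEYTAB is private to $SLAPD_USER" ;;
esac
```

Run "check" after any change to the keytab or to the slapd package: a keytab that passes it but still produces the gss_acquire_cred error usually means slapd is reading a different keytab, so confirm that KRB5_KTNAME (or the SASL keytab option) actually reaches the slapd process, for example by inspecting /proc/<pid>/environ.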