Re: LDAP + Kerberos not allowing simple binds
> "Jose Gonzalez Gomez" <email@example.com> wrote in message
> > Sorry, but I don't know what else you would check... from my
> > experience those internal errors are produced by some misconfiguration.
> > Common causes for this: service ticket not found in keytab, server not
> > able to access to keytab, using an alias instead of the canonical name
> > of the machine, name of the machine not correctly configured in DNS
> > (forward and reverse resolution needed),...
>
> Jose, I finally figured out what it was. I was also following the thread
> from the sasl list:
> Apparently, James Madill was having the exact same problem that I had.
> There was a suggestion to run kinit -k. I did that and I got an error
> saying that the principal wasn't found. To my surprise the missing
> principal turned out to be host/pianta-scramble. Shouldn't it be
>
> My /etc/hosts file contains
> 127.0.0.1 pianta-scramble localhost.localdomain localhost

Entries in /etc/hosts are always supposed to list the FQDN first on any
line. The resolver library always treats the first name listed as the
canonical name, and everything else as an alias. Since you didn't list
the .fully-qualified.domain-name here, that simple name is what you got.

> My dns server has both forward and reverse mappings. A lookup on the ip
> address on the machine returns the fully qualified domain name of the
> machine. Is yours configured with the fully qualified domain name?

When an entry exists in /etc/hosts then DNS is not consulted at all.
(Assuming your resolver is configured to use files before DNS.)

All of this is basic Unix system administration, and not relevant to
OpenLDAP Software. The Kerberos/SASL topics don't belong on this list
either, there are Kerberos and SASL mailing lists for those. But before
you spend any time on those topics, I suggest you learn more about how
to operate a Unix system.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
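The canonical-name rule Howard describes above, as an added example that is not part of the list thread nor of OpenLDAP or MIT Kerberos code: a small Python checker that parses /etc/hosts-style text, emulates the files-backend lookup (first matching line wins, first name on it is canonical), derives the host/ principal a Kerberos service would then look for in its keytab, and flags lines whose canonical name is not fully qualified. The function names, the 192.0.2.10 address, example.com and the EXAMPLE.COM realm are all my own placeholders; the broken line is the one quoted in the thread.

```python
"""Checker for the /etc/hosts canonical-name pitfall from the thread.

The C resolver's files backend treats the first name after the address on a
matching /etc/hosts line as the host's canonical name and every later name as
an alias. A Kerberos host service builds its principal from that canonical
name, so a short name in first position yields host/pianta-scramble rather
than host/pianta-scramble.<fqdn>, and `kinit -k` then reports the principal
missing from the keytab. All sample data below is constructed.
"""
from typing import List, NamedTuple, Optional, Tuple


class HostsEntry(NamedTuple):
    address: str
    canonical: str            # first name on the line
    aliases: Tuple[str, ...]  # every later name


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse /etc/hosts content; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append(HostsEntry(fields[0], fields[1], tuple(fields[2:])))
    return entries


def canonical_name(entries: List[HostsEntry], name: str) -> Optional[str]:
    """Emulate a files-backend lookup: the first line naming `name`
    (as canonical or alias) wins, and its first name is the canonical name."""
    for entry in entries:
        if name == entry.canonical or name in entry.aliases:
            return entry.canonical
    return None


def host_principal(entries: List[HostsEntry], name: str, realm: str) -> Optional[str]:
    """Principal a Kerberos host service would look for in its keytab,
    given the name the service resolves itself by."""
    canonical = canonical_name(entries, name)
    return None if canonical is None else f"host/{canonical}@{realm}"


def lint_hosts(entries: List[HostsEntry]) -> List[str]:
    """Flag lines whose canonical name is not fully qualified (no dot)."""
    problems = []
    for entry in entries:
        if entry.canonical == "localhost":
            continue  # a plain loopback line is fine
        if "." not in entry.canonical:
            problems.append(
                f"{entry.address}: canonical name {entry.canonical!r} is not "
                f"fully qualified; list the FQDN first and {entry.canonical!r} as an alias"
            )
    return problems


# Constructed sample mirroring the line quoted in the thread.
BROKEN_HOSTS = "127.0.0.1 pianta-scramble localhost.localdomain localhost\n"

# Constructed corrected layout; 192.0.2.10 and example.com are placeholders.
FIXED_HOSTS = (
    "127.0.0.1 localhost.localdomain localhost\n"
    "192.0.2.10 pianta-scramble.example.com pianta-scramble\n"
)

REALM = "EXAMPLE.COM"  # placeholder realm

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_HOSTS), ("fixed", FIXED_HOSTS)):
        entries = parse_hosts(text)
        print(label, "->", host_principal(entries, "pianta-scramble", REALM))
        for problem in lint_hosts(entries):
            print("  warning:", problem)
```

Run against a real file with `parse_hosts(open("/etc/hosts").read())`; the lint only reports the ordering problem, and it says nothing about DNS, which (as Howard notes) is not consulted at all once the files backend has answered.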