[Date Prev][Date Next]
Re: Heimdal-Kerberos service
--On Thursday, February 16, 2006 6:35 PM +0100 firstname.lastname@example.org wrote:
Here is something that might deserve a note in the "11.2.1. GSSAPI"
section of the sysadmin guide.
$ ldapwhoami -H ldap://db -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
In the "slapd" log, one can see that a "kvno 1" is looked for:
2006-02-16_14:03:12.81305 SASL [conn=0] Failure: GSSAPI Error:
Miscellaneous failure (see text) (failed to find
ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG(kvno 1) in keytab
But it's version "2" in the keytab file:
I'm guessing this was cached in YOUR ticket cache file. See "klist". You
need to renew your kerberos tickets after updating the keytab on the server
if a ticket from the previous kvno exists in your ticket cache.
Note that this is NOT an LDAP question but a Kerberos question.
1. Why is the "ldap" part in the principal name
hard-coded? [I had tried with another "prefix", and being stuck
until told, on the "cyrus-sasl" ML, that I couldn't.]
Because the first part is for the service being used? (i.e., ldap for the
2. Why can't the "kvno" be changed?
See above. I suggest directing further questions about how kerberos
operations to a suitable kerberos related list.
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html