
Re: Heimdal-Kerberos service

--On Thursday, February 16, 2006 6:35 PM +0100 gilles@ffii.org wrote:


Here is something that might deserve a note in the "11.2.1. GSSAPI"
section of the sysadmin guide.


$ ldapwhoami -H ldap://db -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

In the "slapd" log, one can see that a "kvno 1" is looked for:

2006-02-16_14:03:12.81305 SASL [conn=0] Failure: GSSAPI Error:
Miscellaneous failure (see text) (failed to find
ldap/db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG(kvno 1) in keytab
FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96))

But it's version "2" in the keytab file:

I'm guessing this was cached in YOUR ticket cache file. See "klist". You need to renew your Kerberos tickets after updating the keytab on the server if a ticket from the previous kvno exists in your ticket cache.

Note that this is NOT an LDAP question but a Kerberos question.

1. Why is the "ldap" part in the principal name
   hard-coded? [I had tried with another "prefix", and was stuck
   until told, on the "cyrus-sasl" ML, that I couldn't.]

Because the first part is for the service being used? (i.e., ldap for the LDAP server?).

2. Why can't the "kvno" be changed?

See above. I suggest directing further questions about how Kerberos operates to a suitable Kerberos-related list.


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
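As an added diagnostic for the kvno mismatch discussed in this thread (this is example code, not part of the original mail or of OpenLDAP/Heimdal): it reads the binary keytab entries directly and compares the kvnos present with the kvno named in the slapd error. It assumes the keytab file-format version 0x0502 layout used by MIT and Heimdal, and the wording of the error text as shown above; the sample log text is the line quoted in the thread, while the keytab blob is constructed here with a dummy all-zero key.

```python
import re
import struct

# Keytab entry layout (MIT/Heimdal file version 0x0502), after the 2-byte header:
#   int32 size | uint16 ncomp | realm | ncomp x component | uint32 name_type
#   | uint32 timestamp | uint8 vno8 | uint16 enctype | uint16 keylen | key | [uint32 vno]
KVNO_RE = re.compile(r"failed to find (\S+?)\(kvno (\d+)\) in keytab \S+ \(([\w-]+)\)")
def _string(buf, off):                    # uint16 length-prefixed string
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry of a keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:                      # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, off)
            realm, p = _string(data, off + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _string(data, p)
                comps.append(comp)
            vno8, enctype, keylen = struct.unpack_from(">BHH", data, p + 8)
            p += 13 + keylen              # skip name_type, timestamp and key block
            vno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
            entries.append(("/".join(comps) + "@" + realm, vno or vno8, enctype))
        off = end
    return entries

def diagnose(log_line, keytab_bytes):
    m = KVNO_RE.search(log_line)          # principal and kvno slapd looked for
    if not m:
        return None
    principal, wanted = m.group(1), int(m.group(2))
    have = sorted({v for p, v, _ in parse_keytab(keytab_bytes) if p == principal})
    # Wanted kvno absent but a newer one present: the client holds a ticket for the old key
    stale = bool(have) and wanted not in have and wanted < max(have)
    return {"principal": principal, "wanted": wanted, "in_keytab": have, "stale_ticket": stale}

# Constructed sample: the slapd message from the thread and a one-entry keytab at kvno 2
SAMPLE_LOG = ("GSSAPI Error: Miscellaneous failure (see text) (failed to find ldap/"
              "db.harfang.homelinux.org@HARFANG.HOMELINUX.ORG(kvno 1) in keytab "
              "FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96))")
_BODY = (b"\x00\x02\x00\x15HARFANG.HOMELINUX.ORG\x00\x04ldap\x00\x18db.harfang.homelinux.org"
         + struct.pack(">IIBHH", 1, 0, 2, 18, 32) + b"\x00" * 32 + struct.pack(">I", 2))
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_BODY)) + _BODY
```

A `stale_ticket` result points at the client's credential cache rather than the keytab, which is the situation Quanah describes: the old service ticket has to be discarded and re-acquired.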