Re: ldapsearch using GSSAPI failed to run from other machine ...

[Dan White <dwhite@olp.net>]

On 10/02/10 23:41 -0600, huican ping wrote:
> This is a dummy question. I just newly contacted with sasl+krb5 with
> ldap. Can anyone else kindly people tell me how to make ldapsearch
> working from other machine? E.g, what kind of setup/procedure I should
> do on the other machine before I can do ldapsearch with gssapi
> effectively?

http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/OpenLdapSaslGssapi

> Output when run on the different machine
> =============================
> /tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001
> -Y gssapi -U admin  -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>        additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information
> (Unknown code krb5 7)

I don't know what "Unknown code krb5 7" means, but I would make sure:

You have a local credentials cache (klist)
You have received a ticket for the LDAP service pricipal
You are referencing the server using the same name as its service principal
You have forward and reverse DNS setup for both the server and client

I'm guessing that '-h 10.230.34.88' is incorrect. I would recommend
referencing the server by DNS name, unless the server really is using a
service principal with that IP address.

--
Dan White