[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldapsearch using GSSAPI failed to run from other machine ...

On 10/02/10 23:41 -0600, huican ping wrote:
This is a dummy question. I just newly contacted with sasl+krb5 with
ldap. Can anyone else kindly people tell me how to make ldapsearch
working from other machine? E.g, what kind of setup/procedure I should
do on the other machine before I can do ldapsearch with gssapi


Output when run on the different machine
/tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h -p 9001
-Y gssapi -U admin  -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
       additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information
(Unknown code krb5 7)

I don't know what "Unknown code krb5 7" means, but I would make sure:

You have a local credentials cache (klist)
You have received a ticket for the LDAP service pricipal
You are referencing the server using the same name as its service principal
You have forward and reverse DNS setup for both the server and client

I'm guessing that '-h' is incorrect. I would recommend
referencing the server by DNS name, unless the server really is using a
service principal with that IP address.

Dan White