
Re: ldap_sasl_interactive_bind_s: Other (e.g., implementation specific ) error (80)

Hi there,

Thank you, Dan, for providing help.

On 07/07/2011 17:10, Dan White wrote:
> On 05/07/11 17:52 +0200, Fabien COMBERNOUS wrote:
>> Hi There,
>>
>> I have an openldap master (hosted by server) and an openldap replica (hosted by replica). Authentication uses SASL/GSSAPI with Kerberos.
>>
>> On the master I get the following output:
>> server:~ admin$ kinit root
>> Please enter the password for root@SERVER.LAN:
>> server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific ) error (80)
>
> What does your /etc/ldap.conf and ~/.ldaprc look like?
>
> You might try adding a '-d -1' to your ldapsearch command for additional
> debugging information.
With the debug I get the following message:

res_errno: 80, res_error: <SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)>, res_matched: <>

(Remark: for information, I provide the entire debug output at the end of this message.)

Because of the message "key table entry not found", I tried to use kadmin and check whether the principal root exists. But when using kadmin I now get this message:
server:~ admin$ kadmin -p root@SERVER.LAN
Couldn't open log file /var/log/krb5kdc/kadmin.log: Permission denied
Authenticating as principal root@SERVER.LAN with password.
Password for root@SERVER.LAN:
kadmin: Communication failure with server while initializing kadmin interface
server:~ admin$

I checked the logfile owner, group owner, and permissions. Then I compared with another Kerberos server. Permissions and owner were different. I set the permissions identically, but nothing changed.

With kadmin.local I checked, and root@SERVER.LAN exists in the list.

So it looks more like a Kerberos issue than an LDAP one.

Regards,


PS :
server:~ admin$ kinit root
Please enter the password for root@SERVER.LAN:
server:~ admin$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: root@SERVER.LAN

Valid Starting     Expires            Service Principal
07/07/11 17:50:19  07/08/11 03:50:09  krbtgt/SERVER.LAN@SERVER.LAN
    renew until 07/14/11 17:50:19


server:~ admin$ ldapsearch -d 1 -b cn=mounts,dc=server,dc=lan
ldap_create
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 3
ldap_result ld 0x100117f70 msgid 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
wait4msg ld 0x100117f70 msgid 1 (infinite timeout)
wait4msg continue ld 0x100117f70 msgid 1 all 1
** ld 0x100117f70 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul  7 17:51:40 2011


** ld 0x100117f70 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
   Empty
  ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 56 contents:
read1msg: ld 0x100117f70 msgid 1 message type search-entry
wait4msg continue ld 0x100117f70 msgid 1 all 1
** ld 0x100117f70 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul  7 17:51:40 2011


** ld 0x100117f70 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
 * msgid 1,  type 100
  ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x100117f70 msgid 1 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x100117f70 0 new referrals
read1msg:  mark request completed, ld 0x100117f70 msgid 1
request done: ld 0x100117f70 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
adding response ld 0x100117f70 msgid 1 type 101:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind_s: server supports: CRAM-MD5 GSSAPI
ldap_int_sasl_bind: CRAM-MD5 GSSAPI
ldap_int_sasl_open: host=server.lan
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 703 bytes to sd 3
ldap_result ld 0x100117f70 msgid 2
ldap_chkResponseList ld 0x100117f70 msgid 2 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
wait4msg ld 0x100117f70 msgid 2 (infinite timeout)
wait4msg continue ld 0x100117f70 msgid 2 all 1
** ld 0x100117f70 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul  7 17:51:40 2011


** ld 0x100117f70 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
   Empty
  ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 2 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
read1msg: ld 0x100117f70 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x100117f70 0 new referrals
read1msg:  mark request completed, ld 0x100117f70 msgid 2
request done: ld 0x100117f70 msgid 2
res_errno: 80, res_error: <SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
server:~ admin$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: root@SERVER.LAN

Valid Starting     Expires            Service Principal
07/07/11 17:50:19  07/08/11 03:50:09  krbtgt/SERVER.LAN@SERVER.LAN
    renew until 07/14/11 17:50:19

07/07/11 17:51:40  07/08/11 03:50:09  ldap/SERVER.LAN@SERVER.LAN
    renew until 07/14/11 17:50:19



--
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986
Kezia Group
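The server-side error quoted in the debug trace, "Key table entry not found", means the LDAP server's GSSAPI layer could not find, in its keytab, a key for the service principal named in the client's ticket. The client-side klist above shows that ticket is for ldap/SERVER.LAN@SERVER.LAN, while the bind opened against host=server.lan; since Kerberos principal names are case-sensitive, the check a practitioner would run next is to compare the service principal in the client's ticket cache with the entries listed by `klist -k` on the server. The script below is an added example, not code from the thread: it parses the klist output quoted in the message and a constructed keytab listing (the keytab contents are hypothetical) and reports, for each service ticket, whether a matching keytab entry exists exactly, differs only in case, or is absent.

```python
"""Cross-check Kerberos service tickets against a keytab listing.

Added example (not from the mailing-list thread). The ticket-cache text is
the klist output quoted in the thread; the keytab listing is a constructed
sample in the format printed by MIT `klist -k` and does not come from the page.
"""
import re
from typing import Dict, List

# klist output as quoted in the thread (client side).
KLIST_OUTPUT = """\
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: root@SERVER.LAN

Valid Starting     Expires            Service Principal
07/07/11 17:50:19  07/08/11 03:50:09  krbtgt/SERVER.LAN@SERVER.LAN
    renew until 07/14/11 17:50:19

07/07/11 17:51:40  07/08/11 03:50:09  ldap/SERVER.LAN@SERVER.LAN
    renew until 07/14/11 17:50:19
"""

# Constructed sample of `klist -k /etc/krb5.keytab` on the LDAP server
# (hypothetical contents; the thread does not show the server's keytab).
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/server.lan@SERVER.LAN
   3 ldap/server.lan@SERVER.LAN
   2 host/server.lan@SERVER.LAN
"""

# A ticket line: two "MM/DD/YY HH:MM:SS" timestamps followed by the principal.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)
# A keytab line: key version number followed by a principal with a realm.
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def service_tickets(klist_text: str) -> List[str]:
    """Return the service principals listed in a klist ticket-cache dump."""
    tickets: List[str] = []
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(m.group(3))
    return tickets


def keytab_principals(keytab_text: str) -> Dict[str, List[int]]:
    """Map each principal in a `klist -k` listing to its key version numbers."""
    keys: Dict[str, List[int]] = {}
    for line in keytab_text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(2), []).append(int(m.group(1)))
    return keys


def check_service_keys(klist_text: str, keytab_text: str) -> Dict[str, str]:
    """For each service ticket, report whether the keytab holds a matching key.

    krbtgt tickets are skipped: the TGT is decrypted by the KDC, so no entry
    for it is expected in an application server's keytab.
    """
    keytab = keytab_principals(keytab_text)
    folded = {name.lower(): name for name in keytab}  # case-insensitive index
    result: Dict[str, str] = {}
    for princ in service_tickets(klist_text):
        if princ.startswith("krbtgt/"):
            continue
        if princ in keytab:
            result[princ] = "ok"
        elif princ.lower() in folded:
            # Same name up to case: Kerberos treats these as different principals.
            result[princ] = f"case-mismatch (keytab has {folded[princ.lower()]})"
        else:
            result[princ] = "missing"
    return result


if __name__ == "__main__":
    for principal, status in check_service_keys(KLIST_OUTPUT, KEYTAB_LISTING).items():
        print(f"{principal}: {status}")
```

Run against the thread's klist output and the constructed keytab, the check flags ldap/SERVER.LAN@SERVER.LAN as a case mismatch against ldap/server.lan@SERVER.LAN; a keytab with no ldap/ entry at all is reported as missing, which is the other common cause of the same server-side message.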