
Re: LDAP + Kerberos not allowing simple binds
Robert wrote:

"Jose Gonzalez Gomez" <jgonzalez@opentechnet.com> wrote in message
news:41234436.9080604@opentechnet.com...


Robert wrote:

   Sorry, but I don't know what else you would check... from my
experience those internal errors are produced by some misconfiguration.
Common causes for this: service ticket not found in keytab, server not
able to access to keytab, using an alias instead of the canonical name
of the machine, name of the machine not correctly configured in DNS
(forward and reverse resolution needed),...
Jose, I finally figured out what it was. I was also following the thread from the sasl list: http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=6053. Apparently, James Madill was having the exact same problem that I had. There was a suggestion to run kinit -k. I did that and I got an error saying that the principal wasn't found. To my surprise the missing principal turned out to be host/pianta-scramble. Shouldn't it be host/pianta-scramble.fully-qualified.domain-name?

My /etc/hosts file contains
127.0.0.1               pianta-scramble localhost.localdomain localhost
Entries in /etc/hosts are always supposed to list the FQDN first on any line. The resolver library always treats the first name listed as the canonical name, and everything else as an alias. Since you didn't list the .fully-qualified.domain-name here, that simple name is what you got.

My dns server has both forward and reverse mappings. A lookup on the ip
address on the machine returns the fully qualified domain name of the
machine. Is yours configured with the fully qualified domain name?


When an entry exists in /etc/hosts then DNS is not consulted at all. (Assuming your resolver is configured to use files before DNS.)

All of this is basic Unix system administration, and not relevant to OpenLDAP Software. The Kerberos/SASL topics don't belong on this list either, there are Kerberos and SASL mailing lists for those. But before you spend any time on those topics, I suggest you learn more about how to operate a Unix system.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
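The resolver behaviour described in this thread (the first name on a matching /etc/hosts line is the canonical name, everything after it is an alias, and the Kerberos host principal must be host/&lt;canonical-name&gt;@REALM) can be checked mechanically before touching slapd. The following is an added example, not code from the thread or from OpenLDAP; the /etc/hosts contents, the `klist -k` output, the domain `example.test` and the realm `EXAMPLE.TEST` are all constructed for illustration.

```python
"""Check that a host's canonical name in /etc/hosts is fully qualified and
that a keytab holds the matching host/ principal.

Assumption (documented in the thread): the resolver is configured to use
'files' before 'dns', so /etc/hosts wins and DNS is never consulted for the
name.  The logic below emulates that 'files' lookup.
"""
import re

# Constructed /etc/hosts contents (not from any real system).
# BAD: the short name is listed first, so it becomes the canonical name.
SAMPLE_HOSTS_BAD = """
127.0.0.1               pianta-scramble localhost.localdomain localhost
"""

# GOOD: the FQDN is first, the short name is an alias.
SAMPLE_HOSTS_GOOD = """
127.0.0.1    localhost.localdomain localhost
192.0.2.10   pianta-scramble.example.test pianta-scramble   # constructed
"""

# Constructed `klist -k` output in MIT Kerberos format (not a real keytab).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/pianta-scramble.example.test@EXAMPLE.TEST
   2 ldap/pianta-scramble.example.test@EXAMPLE.TEST
"""


def parse_hosts(text):
    """Return [(address, canonical_name, [aliases...])] for /etc/hosts text.
    Comments after '#' and blank or malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def canonical_name(hosts_text, name):
    """Emulate gethostbyname(name).h_name when 'files' answers: the first
    name on the first line that lists `name` as canonical or alias."""
    for _addr, canon, aliases in parse_hosts(hosts_text):
        if name == canon or name in aliases:
            return canon
    return None


def parse_klist(klist_text):
    """Extract principal names from `klist -k` output (KVNO, principal)."""
    pattern = re.compile(r"^\s*\d+\s+(\S+)\s*$")
    return {m.group(1) for m in map(pattern.match, klist_text.splitlines()) if m}


def check_host_principal(hosts_text, name, realm, keytab_principals):
    """Return a list of problems; an empty list means the setup is
    consistent with what Kerberos/SASL will look for."""
    problems = []
    canon = canonical_name(hosts_text, name)
    if canon is None:
        return [f"{name}: no /etc/hosts entry (DNS would be consulted instead)"]
    if "." not in canon:
        problems.append(
            f"canonical name {canon!r} is not fully qualified; "
            f"list the FQDN first on its /etc/hosts line"
        )
    wanted = f"host/{canon}@{realm}"
    if wanted not in keytab_principals:
        problems.append(f"keytab has no {wanted} (kinit -k would fail)")
    return problems


if __name__ == "__main__":
    principals = parse_klist(SAMPLE_KLIST)
    for label, hosts in (("bad", SAMPLE_HOSTS_BAD), ("good", SAMPLE_HOSTS_GOOD)):
        result = check_host_principal(hosts, "pianta-scramble", "EXAMPLE.TEST", principals)
        print(label, "->", result or "OK")
```

With the "bad" file the script reports both that the canonical name `pianta-scramble` is not an FQDN and that the keytab lacks `host/pianta-scramble@EXAMPLE.TEST`, which is exactly the symptom `kinit -k` exposed in the thread; with the FQDN listed first both checks pass. On a real host, feed it the contents of /etc/hosts and the output of `klist -k`.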