I am using OpenLDAP 2.4.9 on Ubuntu Linux 8.04.1 with MIT Kerberos 1.6.3. I created a keytab file dedicated to slapd and set the path to it using the environment variable KRB5_KTNAME in my startup scripts. The file is owned by root and read-only by the openldap group. When I attempt to use ldapsearch with GSSAPI to login to slapd I get back an implementation error 80. Checking the server logs, slapd reported the following error:

    Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Resource temporarily unavailable)

I tried removing the group read permission on the keytab file and restarted slapd as a test on the file to see if slapd was actually reading it, and the minor code on the former error message changed to "Permission denied". I then added a letter to the keytab file name in my startup script and the error changed to "File not found". After resetting the keytab filename and permissions the error was once again "Resource temporarily unavailable".

I tried deleting the keytab and re-extracting the key using kadmin and setting the permissions appropriately, including making openldap the owner as well. I then destroyed my ccache and reacquired a ticket. When I ran ldapsearch, the error was still "Resource temporarily unavailable".

The client and server are the same computer. The service principal is ldap/host.example.com@EXAMPLE.COM and klist shows that it did acquire a service ticket for that principal. The hostname command returns host.example.com for the hostname and that hostname is in /etc/hosts as the first (primary) name for the server's IP address.

-- 
Loren M. Lang
lorenl@north-winds.org
http://www.north-winds.org/
Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B
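One check worth running when debugging a keytab problem like the one above is to confirm, without ever printing key material, that the keytab actually contains the principal the service will be asked for (here ldap/host.example.com@EXAMPLE.COM). The following is an added example, not code from the original post or from OpenLDAP/MIT Kerberos; it assumes the MIT version-2 keytab layout (0x0502 header, big-endian fields, an optional 32-bit kvno after the key) and builds a constructed sample keytab in memory so it runs offline.

```python
"""Inspect a MIT keytab (v2 format) and report principals, kvno and enctype only."""
import struct


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def keytab_entries(data):
    """Yield (principal, kvno, enctype) for every live entry; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is handled")
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        off += 4 + 4                      # name_type (v2 only) and timestamp
        kvno = data[off]                  # 8-bit kvno
        off += 1
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen                 # step over the key without exposing it
        if end - off >= 4:                # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        yield "/".join(comps) + "@" + realm.decode(), kvno, enctype


def has_principal(data, principal):
    """True if the keytab holds at least one key for the exact principal name."""
    return any(p == principal for p, _, _ in keytab_entries(data))


def build_entry(principal, kvno, enctype, key):
    """Encode one v2 keytab entry (used here only to construct sample input)."""
    name, realm = principal.split("@")
    body = struct.pack(">H", len(name.split("/"))) + struct.pack(">H", len(realm)) + realm.encode()
    for comp in name.split("/"):
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)


# Constructed sample: one AES256 (enctype 18) key, kvno 3, dummy key bytes.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("ldap/host.example.com@EXAMPLE.COM", 3, 18, b"\x00" * 32)
```

On a real host, read the file with `open("/etc/ldap.keytab", "rb").read()` as the service user to test both the permissions and the contents in one go.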