[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Re: SASL/GSSAPI: ldap_sasl_interactive_bind_s: Local error (-2)

To: Dan White <dwhite@olp.net>, Cameron Harris <thecwin@gmail.com>, Michael Ströder <michael@stroeder.com>, openldap-software@openldap.org
Subject: Re: Re: SASL/GSSAPI: ldap_sasl_interactive_bind_s: Local error (-2)
From: thecwin@gmail.com
Date: Mon, 15 Dec 2008 20:40:37 +0000

On Dec 15, 2008 3:49pm, Dan White <dwhite@olp.net> wrote:
> Cameron Harris wrote:
>
>
> On Sun, Dec 14, 2008 at 3:34 PM, Michael Ströder michael@stroeder.com michael@stroeder.com>> wrote:
>
>
>
> Cameron Harris wrote:
>
> > On Sun, Dec 14, 2008 at 11:31 AM, Michael Ströder
>
> michael@stroeder.com michael@stroeder.com>
>
> > michael@stroeder.com michael@stroeder.com>>> wrote:
>
> >
>
> > > Did you obtain a TGT before? What's the output of command klist?
>
> >
>
> > I did obtain a TGT with kinit:
>
>
>
> Hmm, I vaguely remember having to use "kinit -A" to avoid the
>
> local error.
>
>
>
> Ciao, Michael.
>
>
>
>
>
> Didn't work, unfortunately.
>
> Same error. :(
>
>
>
> Cameron Harris
>
>
>
>
> Cameron,
>
>
>
> Here are some sanity checks to try:
>
>
>
> Query your LDAP server to make sure that it is offering GSSAPI:
>
>
>
> ldapsearch -H ldap://ldap.example.net -x -b "" -s base -LLL supportedSASLMechanisms
>
>
>
> dn:
>
> supportedSASLMechanisms: DIGEST-MD5
>
> supportedSASLMechanisms: NTLM
>
> supportedSASLMechanisms: GSSAPI
>
> supportedSASLMechanisms: OTP
>
> supportedSASLMechanisms: CRAM-MD5
>
>
>
> If GSSAPI is not listed, verify configuration on the server. Check that the GSSAPI SASL mechanism is installed:
>
>
>
> ~# pluginviewer | grep -i gssapi
>
> pluginviewer: SASL Other: OTP: auxprop backend can't store properties
>
> LOGIN DIGEST-MD5 NTLM GSSAPI OTP PLAIN ANONYMOUS CRAM-MD5 EXTERNAL
>
> Plugin "gssapiv2" [loaded], API version: 4
>
> SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
>
> LOGIN DIGEST-MD5 NTLM GSSAPI OTP PLAIN ANONYMOUS CRAM-MD5 EXTERNAL
>
> Plugin "gssapiv2" [loaded], API version: 4
>
> SASL mechanism: GSSAPI, best SSF: 56
>
>
>
> Verify configuration of your slapd.conf SASL config:
>
>
>
> ~# cat /usr/lib/sasl2/slapd.conf
>
> keytab: /etc/krb5.keytab-ldap
>
> pwcheck_method: auxprop saslauthd
>
> auxprop_plugin: slapd
>
>
>
> (The location of your SASL slapd.conf config is dependant on how your SASL libraries are compiled). Your config doesn't have to match mine. You might want to explicitly set the location of your keytab, and verify that you do not have a restricive 'mech_list'. *If* you have a mech_list defined, make sure it includes GSSAPI.
>
>
>
> If your server config looks Ok, verify that you have the GSSAPI mechanism installed correctly on your client system with the (Cyrus SASL) pluginviewer command.
>
>
>
> Verify that you are retrieving the ldap/ldap.local@LOCAL service ticket from the KDC on your client (with klist). If not, you may not not be specifying a fully qualified domain name in your URI statement within your ldap.conf config. Make sure your URI statement is a FQDN (and not an IP address or ldapi:///) or that you're specifying one within the ldapsearch statement.
>
>
>
> Most likely the error you're receiving can be traced down to a Cyrus SASL or Kerberos misconfiguration. Check your syslog and auth.log on the server and client for possible additional errors.
>
>
>
> - Dan
>

This is the output from my system:

cameron@gimli:~$ ldapsearch -H ldaps://ldap.local/ -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

cameron@gimli:~$ saslpluginviewer | grep -i gssapi
GSSAPI PLAIN NTLM LOGIN DIGEST-MD5 CRAM-MD5 ANONYMOUS EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
GSSAPI PLAIN NTLM LOGIN DIGEST-MD5 CRAM-MD5 ANONYMOUS EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56

I didn't have a sasl2/slapd.conf (strace showed that it was looking for one, but getting -1 ENOENT because obviously it didn't exist). I created one defining the keytab location explicitly, but I get the same error.

FYI:

cameron@gimli:~$ cat /etc/ldap/ldap.conf | grep -Ev "^(#|$)"
BASE dc=local
URI ldaps://ldap.local
TLS_REQCERT allow
cameron@gimli:~$ dig +short ldap.local
gimli.local.
192.168.0.11
The slapd server and krb5-kdc are on the same system

After running ldap commands, still the only thing that remains in my klist is my TGT -- no tickets from LDAP. The /var/log files contain nothing useful about SASL. Perhaps I should build it myself at some point, and eliminate the ubuntu-server build as a possible problem (and then I might also be able to do some gdbugging :)).

Thanks,
Cameron Harris

Prev by Date: Re: Sync replication and "*Password" attributes
Next by Date: OpenLDAP and DNS SRV records
Index(es):
- Chronological
- Thread