I'm trying to follow the Kerberos howto guide at
http://directory.fedoraproject.org/wiki/Howto:Kerberos but am having an
issue authenticating to the Directory Server with GSSAPI/Kerberos tickets:

$ /usr/lib/mozldap/ldapsearch -h station1.example.com -p 389 -o mech=GSSAPI -o authid="mcarey@STATION1.EXAMPLE.COM" -o authzid="mcarey@STATION1.EXAMPLE.COM" -b "dc=example,dc=com" "(cn=*)"
Bind Error: Invalid credentials
Bind Error: additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

Attempt with OpenLDAP client:

$ /usr/bin/ldapsearch -Y GSSAPI -X u:mcarey -b "" -s base -LLL -H ldap://station1.example.com -b "dc=example,dc=com" "(cn=*)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

Resulting in the following entries in the access log on the DS:

# tail -5 access
[04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from 10.100.0.45 to 10.100.0.45
[04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND
[04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1

From what I can tell the Kerberos infrastructure and OS components are set up accordingly:

GSSAPI is a viable SASL mechanism:

$ /usr/lib/mozldap/ldapsearch -b "" -h station1 -p 389 -s base "(objectClass=*)" supportedSASLMechanisms
version: 1
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: PLAIN

Directory Server keytab and contents:

# grep "nsslapd-localuser" dse.ldif
nsslapd-localuser: nobody
# ls -la ds.keytab
-rw------- 1 nobody nobody 172 Oct  3 13:21 ds.keytab
# ktutil
ktutil:  rkt ./ds.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 ldap/station1.example.com@STATION1.EXAMPLE.COM
   2    3 ldap/station1.example.com@STATION1.EXAMPLE.COM
# grep KRB /etc/sysconfig/dirsrv
KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME

SASL maps in Directory Server:

dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos uid mapping
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
nsSaslMapBaseDNTemplate: dc=\2,dc=\3
nsSaslMapFilterTemplate: (uid=\1)

dn: cn=Station1 Kerberos Mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: Station1 Kerberos Mapping
nsSaslMapRegexString: (.*)@STATATION1.EXAMPLE.COM
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=example,dc=com

dn: cn=station1 map,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: example map
cn: station1 map
nsSaslMapRegexString: \(.*\)
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=\1)

Getting a ticket from the KDC:

[mcarey@station1 ~]$ kdestroy
[mcarey@station1 ~]$ kinit
Password for mcarey@STATION1.EXAMPLE.COM:
[mcarey@station1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20
Default principal: mcarey@STATION1.EXAMPLE.COM

Valid starting     Expires            Service principal
10/04/10 10:57:20  10/04/10 17:37:20  krbtgt/STATION1.EXAMPLE.COM@STATION1.EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt5000
klist: You have no tickets cached

Any help or pointers people have would be greatly appreciated.

An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20101004/490622a6/attachment.html
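The three nsSaslMapping entries in the post above are worth checking on their own, because once the GSSAPI exchange succeeds the server uses them to turn the Kerberos principal into an LDAP search (regex match, then \N substitution into the base DN and filter templates). The script below is an added example, not code from the post or from 389 Directory Server: it replays that mapping logic offline over a constructed copy of the three maps and reports, for a given identity, which maps match and what search base and filter each would produce. Two assumptions are built in and labelled in the comments: the server's regex is treated as an unanchored regexec-style search, and the `\(` `\)` pairs in the first and third maps are read as capturing groups, the same as the bare `( )` in the second. One caveat: the error in the post is raised by gss_accept_sec_context, which happens before any SASL map is consulted, so a mapping check like this only becomes relevant once that stage succeeds.

```python
import re

# Constructed copy of the three nsSaslMapping entries from the post:
# (cn, nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate).
SASL_MAPS = [
    ("Kerberos uid mapping",
     r"\(.*\)@\(.*\)\.\(.*\)", r"dc=\2,dc=\3", r"(uid=\1)"),
    ("Station1 Kerberos Mapping",
     r"(.*)@STATATION1.EXAMPLE.COM",
     r"uid=\1,ou=People,dc=example,dc=com", r"(objectclass=inetOrgPerson)"),
    ("station1 map",
     r"\(.*\)", r"ou=People,dc=example,dc=com", r"(cn=\1)"),
]


def to_python_regex(pattern):
    r"""Normalise a DS regex string to Python syntax.

    Assumption: \( and \) in the DS pattern denote capturing groups
    (POSIX basic-regex style); bare ( ) are already Python groups.
    """
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def substitute(template, match):
    r"""Replace \1, \2, ... in a DN or filter template with captured groups."""
    return re.sub(r"\\(\d)", lambda m: match.group(int(m.group(1))), template)


def resolve(identity, maps=SASL_MAPS):
    """Return every map matching `identity` and the search it would run.

    Each result is (map name, search base DN, search filter).  Matching is
    unanchored (regexec-style search); that is an assumption about the server.
    """
    results = []
    for name, regex, base_tpl, filter_tpl in maps:
        m = re.search(to_python_regex(regex), identity)
        if m is None:
            continue
        results.append((name, substitute(base_tpl, m), substitute(filter_tpl, m)))
    return results


def unmatched(identity, maps=SASL_MAPS):
    """Names of the maps whose regex does not match `identity` at all."""
    return [name for name, regex, _, _ in maps
            if re.search(to_python_regex(regex), identity) is None]


if __name__ == "__main__":
    principal = "mcarey@STATION1.EXAMPLE.COM"   # the identity from the post
    for name, base, flt in resolve(principal):
        print(f"{name!r}: base={base} filter={flt}")
    for name in unmatched(principal):
        print(f"{name!r}: regex does not match {principal}")
```

Run against the post's principal, the checker shows that the first map's greedy groups yield a base DN of dc=STATION1.EXAMPLE,dc=COM with filter (uid=mcarey), the third map yields base ou=People,dc=example,dc=com with filter (cn=mcarey@STATION1.EXAMPLE.COM), and the second map does not match at all because its realm string differs from the principal's realm. Comparing those derived searches with the suffixes and entries that actually exist in the directory is the quickest way to see whether a map would ever resolve to a bind DN.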