On 03/15/2012 12:56 PM, Matt Wells wrote:
> I have a multi-master configuration of 389-directory server. I'm
> attempting to replicate w/ SASL/GSSAPI but it's not getting the realm.
> Note this replication is not with Windows AD. It's LDAP to LDAP.
>
> The error I get is:
> [15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@] in keytab
> [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
> for KDC in requested realm)
> [15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Credentials
> cache file '/tmp/krb5cc_99' not found))
> [15/Mar/2012:10:48:30 -0700] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
> error)
>
> In Kerberos all principals are created and in the /etc/krb5.keytab the
> following exist; additionally the permissions have been set all the
> way to 777 to ensure a permissions issue is not in play.
>
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2 host/server1@xxxxxxxxxxx
>    2    2 host/server1@xxxxxxxxxxx
>    3    2 host/server1@xxxxxxxxxxx
>    4    2 host/server1@xxxxxxxxxxx
>    5    2 host/server2@xxxxxxxxxxx
>    6    2 host/server2@xxxxxxxxxxx
>    7    2 host/server2@xxxxxxxxxxx
>    8    2 host/server2@xxxxxxxxxxx
>    9    3 ldap/server1@xxxxxxxxxxx
>   10    3 ldap/server1@xxxxxxxxxxx
>   11    3 ldap/server1@xxxxxxxxxxx
>   12    3 ldap/server1@xxxxxxxxxxx
>   13    3 ldap/server2@xxxxxxxxxxx
>   14    3 ldap/server2@xxxxxxxxxxx
>   15    3 ldap/server2@xxxxxxxxxxx
>   16    3 ldap/server2@xxxxxxxxxxx
>
> My question is the following:
> Shouldn't my first error from above read
> "[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@xxxxxxxxxxx]"
> It makes sense to me that I am missing my realm; without that I of
> course couldn't get my TGT from the KDC. But where do I define that
> realm?
> I've looked in
> cn=mapping,cn=sasl,cn=config
> but have not seen a realm to define. I've tested for fun changing
> these attributes but to no avail.
>
> nssaslmapbase dc=\2,dc=\3
> mapregexstring \(.*\)@\(.*\)\.\(.*\)
>
> Any help would be greatly appreciated!
>
> Software Version -
> RHEL 6.1
> ---
> 389-admin-1.1.25-1.el6.x86_64.rpm
> 389-admin-console-1.1.8-1.el6.noarch.rpm
> 389-adminutil-1.1.14-2.el6.x86_64.rpm
> 389-console-1.1.7-1.el6.noarch.rpm
> 389-ds-console-1.2.6-1.el6.noarch.rpm
> 389-dsgw-1.1.7-2.el6.x86_64.rpm
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users

Do you have:

    # In order to use SASL/GSSAPI (Kerberos) the directory
    # server needs to know where to find its keytab
    # file - uncomment the following line and set
    # the path and filename appropriately
    KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME

in your /etc/sysconfig/dirsrv? It sounds like your server isn't setting up its credential cache at startup.
-- Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
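A small triage check for the failure mode in this thread, added here as an example (my code, not from the list thread or the 389-ds project): it parses set_krb5_creds lines from the 389-ds error log, flags principals whose realm after the '@' is empty (as in the quoted [ldap/server1@]), and checks whether /etc/sysconfig/dirsrv actually has an uncommented KRB5_KTNAME line, which is the setting Anthony asks about. The sample log lines and sysconfig text are constructed; the second log line (server2, EXAMPLE.COM, a different error) is invented to contrast a failure where the realm is present.

```python
import re

# Constructed sample, modelled on the 389-ds error log quoted in the thread.
# The second line (server2, EXAMPLE.COM, other error) is invented to show a
# failure where the realm is present and the cause lies elsewhere.
SAMPLE_ERRORS = """\
[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/server1@] in keytab [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm)
[15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[15/Mar/2012:10:50:02 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/server2@EXAMPLE.COM] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328378 (Client not found in Kerberos database)
"""

# Constructed sample: the stock /etc/sysconfig/dirsrv block with KRB5_KTNAME
# still commented out, so the keytab is never exported to ns-slapd.
SAMPLE_SYSCONFIG = """\
# In order to use SASL/GSSAPI (Kerberos) the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
#KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME
"""

CREDS_RE = re.compile(
    r"set_krb5_creds - Could not get initial credentials for principal "
    r"\[(?P<princ>[^\]]*)\] in keytab \[(?P<keytab>[^\]]*)\]: "
    r"(?P<code>-?\d+) \((?P<msg>[^)]*)\)")


def parse_krb5_failures(log_text):
    """One dict per set_krb5_creds failure; an empty realm after '@' (as in
    [ldap/server1@]) means no KDC can be located for the principal."""
    findings = []
    for line in log_text.splitlines():
        m = CREDS_RE.search(line)
        if not m:
            continue
        _, _, realm = m.group("princ").partition("@")
        findings.append({"principal": m.group("princ"), "realm": realm,
                         "realm_missing": realm == "",
                         "keytab": m.group("keytab"),
                         "code": int(m.group("code")),
                         "message": m.group("msg")})
    return findings


def keytab_env_configured(sysconfig_text):
    """True only if an uncommented KRB5_KTNAME= line is present."""
    return any(l.strip().startswith("KRB5_KTNAME=")
               for l in sysconfig_text.splitlines())
```

Run it against the real error log and sysconfig file on the affected server; a finding with realm_missing set, alongside a sysconfig that fails keytab_env_configured, matches the situation described in the thread.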