Sorry, I forgot to mention that. Yes. I used the ds.keytab and moved it to the krb5.keytab for testing.

2012/3/16 Anthony Messina <amessina@xxxxxxxxxxxx>:
> On 03/15/2012 12:56 PM, Matt Wells wrote:
>> I have a multi-master configuration of 389-directory server. I'm
>> attempting to replicate w/ SASL/GSSAPI but it's not getting the realm.
>> Note this replication is not with Windows AD. It's LDAP to LDAP.
>>
>> The error I get is:
>> [15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/server1@] in keytab [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm)
>> [15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_99' not found))
>> [15/Mar/2012:10:48:30 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>
>> In Kerberos all principals are created and in the /etc/krb5.keytab the
>> following exist; additionally the permissions have been set all the
>> way to 777 to ensure a permissions issue is not in play.
>>
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    2 host/server1@xxxxxxxxxxx
>>    2    2 host/server1@xxxxxxxxxxx
>>    3    2 host/server1@xxxxxxxxxxx
>>    4    2 host/server1@xxxxxxxxxxx
>>    5    2 host/server2@xxxxxxxxxxx
>>    6    2 host/server2@xxxxxxxxxxx
>>    7    2 host/server2@xxxxxxxxxxx
>>    8    2 host/server2@xxxxxxxxxxx
>>    9    3 ldap/server1@xxxxxxxxxxx
>>   10    3 ldap/server1@xxxxxxxxxxx
>>   11    3 ldap/server1@xxxxxxxxxxx
>>   12    3 ldap/server1@xxxxxxxxxxx
>>   13    3 ldap/server2@xxxxxxxxxxx
>>   14    3 ldap/server2@xxxxxxxxxxx
>>   15    3 ldap/server2@xxxxxxxxxxx
>>   16    3 ldap/server2@xxxxxxxxxxx
>>
>> My question is the following:
>> Shouldn't my first error from above read
>> "[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
>> credentials for principal [ldap/server1@xxxxxxxxxxx]"?
>> It makes sense to me that I am missing my realm; without that I of
>> course couldn't get my TGT from the KDC. But where do I define that
>> realm?
>> I've looked in
>> cn=mapping,cn=sasl,cn=config
>> but have not seen a realm to define. I've tested for fun changing
>> these attributes but to no avail.
>>
>> nssaslmapbase dc=\2,dc=\3
>> mapregexstring \(.*\)@\(.*\)\.\(.*\)
>>
>> Any help would be greatly appreciated!
>>
>> Software Version:
>> RHEL 6.1
>> ---
>> 389-admin-1.1.25-1.el6.x86_64.rpm
>> 389-admin-console-1.1.8-1.el6.noarch.rpm
>> 389-adminutil-1.1.14-2.el6.x86_64.rpm
>> 389-console-1.1.7-1.el6.noarch.rpm
>> 389-ds-console-1.2.6-1.el6.noarch.rpm
>> 389-dsgw-1.1.7-2.el6.x86_64.rpm
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> Do you have:
>
> # In order to use SASL/GSSAPI (Kerberos) the directory
> # server needs to know where to find its keytab
> # file - uncomment the following line and set
> # the path and filename appropriately
> KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME
>
> in your /etc/sysconfig/dirsrv? It sounds like your server isn't setting
> up its credential cache at startup.
>
> --
> Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
> 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

--
- - Matt
Please note the new address and update your contact lists
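The thread turns on three things a GSSAPI-enabled 389 DS host needs: a keytab entry for the `ldap/` principal that actually carries a realm (the log shows `ldap/server1@`, realm empty), an uncommented `KRB5_KTNAME` in `/etc/sysconfig/dirsrv` so the server can find that keytab, and a `default_realm` in `/etc/krb5.conf` for the library to fill in. The POSIX shell script below is an added example, not code from the thread or from the 389 project; it checks each of those against constructed sample text (the realm `EXAMPLE.COM`, the hostname `server1.example.com`, the sample `klist -kt` listing and config fragments are all made up here). It also checks the keytab's file mode, because the `777` used in the thread for debugging makes the service's long-term key readable by every local user.

```shell
#!/bin/sh
# Added example (not from the thread or the 389 project): offline sanity checks for a
# 389 DS SASL/GSSAPI setup. Each function takes file or command text as an argument so
# it can run here against constructed samples; on a real host pass
# "$(klist -kt /etc/dirsrv/ds.keytab)", "$(cat /etc/sysconfig/dirsrv)",
# "$(cat /etc/krb5.conf)" and "$(stat -c %a /etc/dirsrv/ds.keytab)" instead.

# Constructed `klist -kt` output; realm and hostname are hypothetical.
SAMPLE_KLIST='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2012 00:00:00 ldap/server1.example.com@EXAMPLE.COM
   3 01/01/2012 00:00:00 ldap/server1.example.com@EXAMPLE.COM'

# Constructed /etc/sysconfig/dirsrv fragments: commented-out default vs. the line
# Anthony asks about.
SAMPLE_SYSCONFIG_BAD='# KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME'
SAMPLE_SYSCONFIG_OK='KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME'

# Constructed /etc/krb5.conf fragments with and without a default_realm.
SAMPLE_KRB5CONF_OK='[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
 }'
SAMPLE_KRB5CONF_BAD='[libdefaults]
 dns_lookup_kdc = false'

# keytab_has_principal KLIST_TEXT PRINCIPAL
# Succeeds only if PRINCIPAL is the last column of a keytab entry AND carries a
# realm, so a realm-less name like "ldap/server1@" (the form in the log) never matches.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        p ~ /@[^@]+$/ && $NF == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# sysconfig_exports_ktname TEXT
# Succeeds if an uncommented KRB5_KTNAME= assignment is present.
sysconfig_exports_ktname() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*KRB5_KTNAME='
}

# krb5conf_default_realm TEXT
# Prints default_realm from the [libdefaults] section, or nothing if it is unset.
krb5conf_default_realm() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect) }
        sect == "[libdefaults]" && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit }'
}

# keytab_mode_ok OCTAL_MODE   (e.g. 600, 0640; the output of `stat -c %a`)
# Succeeds only if "other" has no permission bits: the keytab holds the service key,
# so a world-readable one lets any local user act as the LDAP service.
keytab_mode_ok() {
    case "$1" in
        *[0-7][0-7]0) return 0 ;;
        *)            return 1 ;;
    esac
}

# report LABEL CMD ARGS...: print one line per check without aborting the run.
report() {
    label=$1; shift
    if "$@"; then echo "ok   : $label"; else echo "FAIL : $label"; fi
}

# run_checks: evaluate every sample so the expected pass/fail pattern is visible.
run_checks() {
    report "ldap principal with realm present in keytab" \
        keytab_has_principal "$SAMPLE_KLIST" 'ldap/server1.example.com@EXAMPLE.COM'
    report "realm-less principal rejected (expected FAIL)" \
        keytab_has_principal "$SAMPLE_KLIST" 'ldap/server1.example.com@'
    report "KRB5_KTNAME exported in sysconfig" sysconfig_exports_ktname "$SAMPLE_SYSCONFIG_OK"
    report "KRB5_KTNAME still commented out (expected FAIL)" \
        sysconfig_exports_ktname "$SAMPLE_SYSCONFIG_BAD"
    report "keytab mode 600" keytab_mode_ok 600
    report "keytab mode 777 (expected FAIL)" keytab_mode_ok 777
    echo "default_realm (good conf): '$(krb5conf_default_realm "$SAMPLE_KRB5CONF_OK")'"
    echo "default_realm (bad conf):  '$(krb5conf_default_realm "$SAMPLE_KRB5CONF_BAD")'"
}

run_checks
```

Run as-is to see the expected pattern against the samples; to check a real server, replace the `SAMPLE_*` values with the live file and command output named in the header comment and run it as the user the directory server runs as, so the keytab read in the first check reflects that user's effective permissions rather than root's.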