Re: [389-users] SASL and GSSAPI replication help - Error w/ Realm

On 03/15/2012 12:56 PM, Matt Wells wrote:
> The error I get is -
> [15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@] in keytab
> [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
> for KDC in requested realm)
> [15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure.  Minor code may provide more information (Credentials
> cache file '/tmp/krb5cc_99' not found))
> [15/Mar/2012:10:48:30 -0700] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
> error)
> 
> In Kerberos all principals are created and in the /etc/krb5.keytab the
> following exist; additionally the permissions have been set all the
> way to 777 to ensure a permissions issue is not in play.
> 
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2            host/server1@xxxxxxxxxxx
>    2    2            host/server1@xxxxxxxxxxx
>    3    2            host/server1@xxxxxxxxxxx
>    4    2            host/server1@xxxxxxxxxxx
>    5    2            host/server2@xxxxxxxxxxx
>    6    2            host/server2@xxxxxxxxxxx
>    7    2            host/server2@xxxxxxxxxxx
>    8    2            host/server2@xxxxxxxxxxx
>    9    3            ldap/server1@xxxxxxxxxxx
>   10    3            ldap/server1@xxxxxxxxxxx
>   11    3            ldap/server1@xxxxxxxxxxx
>   12    3            ldap/server1@xxxxxxxxxxx
>   13    3            ldap/server2@xxxxxxxxxxx
>   14    3            ldap/server2@xxxxxxxxxxx
>   15    3            ldap/server2@xxxxxxxxxxx
>   16    3            ldap/server2@xxxxxxxxxxx
> 
> 
> My question is the following -
> Shouldn't my first error from above read
> "[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@xxxxxxxxxxx]"
> It makes sense to me that I am missing my realm, without that I of
> course couldn't get my tgt from the kdc.    But where do I define that
> realm?
> I've looked in the
> cn=mapping,cn=sasl,cn=config
> but have not seen a realm to define.  I've tested for fun changing
> these attributes but to no avail.

Hmmm, I don't remember having to do anything special here.  Perhaps
"EXAMPLE.COM" is just listed here in the email, but above the log shows

> [15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@] in keytab
> [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
> for KDC in requested realm)

Your krb5.conf file would need to have maps to the KDC for EXAMPLE.COM
which actually work--they resolve to a real KDC.  This is my krb5.conf
file on my ldap server, with my relevant realms/domains replaced by
example.com and EXAMPLE.COM:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  kdc = kerberos-1.example.com
  admin_server = kerberos.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

Perhaps your ldap server is not able to resolve the address of the KDC
at the time of the server startup?  Also, check that your /etc/hosts
contains the proper FQDN for your ldap server, listed before any
hostname aliases for that IP:

192.168.1.99 ldap.example.com ldap

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
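An added pre-flight check for the two conditions discussed in the reply above (an empty realm on the principal, and a KDC for the realm that does not resolve) plus the /etc/hosts ordering; this is example code, not part of the thread, and the krb5.conf text, hostnames and the resolver hook are constructed:

```python
import socket
# Constructed krb5.conf (not the poster's file), trimmed to what the checks below need.
KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  kdc = kerberos-1.example.com
 }
"""

def parse_krb5_conf(text):
    # {section: {key: [values]}}; a 'REALM = { ... }' block becomes a nested dict
    conf, section, realm = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith('{'):
            realm = line.split('=')[0].strip()
            conf[section][realm] = {}
        elif line == '}':
            realm = None
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key, []).append(value)
    return conf

def check_realm_config(conf, hostname, resolve=socket.gethostbyname):
    # Pre-flight for the two failures in the log: empty realm and unresolvable KDC.
    realm = conf.get('libdefaults', {}).get('default_realm', [''])[0]
    if not realm:
        return ['no default_realm: principal ldap/%s@ gets an empty realm' % hostname]
    kdcs = conf.get('realms', {}).get(realm, {}).get('kdc', [])
    problems = [] if kdcs else ['[realms] lists no kdc for %s' % realm]
    for kdc in kdcs:
        try:
            resolve(kdc)  # the lookup libkrb5 needs when slapd starts
        except OSError:
            problems.append('KDC %s for realm %s does not resolve' % (kdc, realm))
    return problems

def check_hosts_line(line, fqdn):
    # /etc/hosts: the FQDN must come right after the address, before short aliases
    fields = line.split()
    return len(fields) > 1 and fields[1] == fqdn
```

Pass a stub for `resolve` to exercise the failure path without touching DNS; with the default resolver it performs the same lookup the directory server needs at startup.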
