> -----Original Message----- > From: cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx [mailto:cyrus-sasl- > bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of Christoph Spielmann > Sent: 07 December 2007 10:12 > To: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx > Subject: SASL [conn=2] Failure: GSSAPI Error: An unsupported mechanism > was requested (unknown mech-code 0 for mech unknown) > > Hi everybody! Hi, Dr. Nick! [omitted for brevity] > For your information this is more or less the same configuration as the > main slapd with the few changes necessary for the replica-server... > > testsaslauthd works but when i try to connect to the replica-server > with > ldapsearch i get the following > > ldapsearch -H ldap://slave.gup.uni-linz.ac.at cn=erebos > SASL/GSSAPI authentication started > ldap_sasl_interactive_bind_s: Invalid credentials (49) > additional info: SASL(-13): authentication failure: GSSAPI > Failure: gss_accept_sec_context This sounds to me as if the slave cannot check the ticket... Is it listed in the KDC? Does it know how to SASL by itself? (as in given that the userPassword is {SASL}user@xxxxxxxxxxxxxxxxxx, can the slave authenticate the user?) Check /usr/lib(64)/sasl2/*.conf files for sasl settings. > > the log on slave looks like this (i just post the interesting part): > ... > Dec 7 10:55:01 slave slapd[5314]: do_bind > Dec 7 10:55:01 slave slapd[5314]: >>> dnPrettyNormal: <> > Dec 7 10:55:01 slave slapd[5314]: <<< dnPrettyNormal: <>, <> > Dec 7 10:55:01 slave slapd[5314]: do_sasl_bind: dn () mech GSSAPI > Dec 7 10:55:01 slave slapd[5314]: conn=2 op=1 BIND dn="" method=163 > Dec 7 10:55:01 slave slapd[5314]: ==> sasl_bind: dn="" mech=GSSAPI > datalen=631 > Dec 7 10:55:01 slave slapd[5314]: SASL [conn=2] Failure: GSSAPI Error: > An unsupported mechanism was requested (unknown mech-code 0 for mech > unknown) > Dec 7 10:55:01 slave slapd[5314]: send_ldap_result: conn=2 op=1 p=3 > Dec 7 10:55:01 slave slapd[5314]: send_ldap_result: err=49 matched="" > text="SASL(-13): authentication failure: GSSAPI Failure: > gss_accept_sec_context" > Dec 7 10:55:01 slave slapd[5314]: send_ldap_response: msgid=2 tag=97 > err=49 > Dec 7 10:55:01 slave slapd[5314]: conn=2 op=1 RESULT tag=97 err=49 > text=SASL(-13): authentication failure: GSSAPI Failure: > gss_accept_sec_context > Dec 7 10:55:01 slave slapd[5314]: <== slap_sasl_bind: rc=49 > Dec 7 10:55:01 slave slapd[5314]: daemon: activity on 1 descriptor > Dec 7 10:55:01 slave slapd[5314]: daemon: activity on: > Dec 7 10:55:01 slave slapd[5314]: 11r > ... > > when i use simple bind (and uncomment the line access to * by * read) > everything works as expected too, so something must be wrong with > sasl... > > when i send the same search-query to the master-server (using the same > host as before) i get the desired results so on the client side > everything seems to be okay. > [brevity]