[solved] Re: SASL [conn=2] Failure: GSSAPI Error: An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)

Thanks for pointing me in the right direction:

After some more digging I found out that the problem was a mixture of some missing configuration files and some file permission problems on the slave! After having fixed all these things, everything works as expected! :)

Regards,

Christoph Spielmann

Guus Leeuw jr. wrote:
  
-----Original Message-----
From: cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx [mailto:cyrus-sasl-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of Christoph Spielmann
Sent: 07 December 2007 10:12
To: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
Subject: SASL [conn=2] Failure: GSSAPI Error: An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)

Hi everybody!
    

Hi, Dr. Nick!

[omitted for brevity]

  
For your information this is more or less the same configuration as the
main slapd with the few changes necessary for the replica-server...

testsaslauthd works, but when I try to connect to the replica-server
with ldapsearch I get the following:

ldapsearch -H ldap://slave.gup.uni-linz.ac.at cn=erebos
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context
    

This sounds to me as if the slave cannot check the ticket... Is it listed in
the KDC?
Does it know how to SASL by itself? (as in given that the userPassword is
{SASL}user@xxxxxxxxxxxxxxxxxx, can the slave authenticate the user?)
Check /usr/lib(64)/sasl2/*.conf files for sasl settings.

  
The log on the slave looks like this (I just post the interesting part):
...
Dec  7 10:55:01 slave slapd[5314]: do_bind
Dec  7 10:55:01 slave slapd[5314]: >>> dnPrettyNormal: <>
Dec  7 10:55:01 slave slapd[5314]: <<< dnPrettyNormal: <>, <>
Dec  7 10:55:01 slave slapd[5314]: do_sasl_bind: dn () mech GSSAPI
Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 BIND dn="" method=163
Dec  7 10:55:01 slave slapd[5314]: ==> sasl_bind: dn="" mech=GSSAPI
datalen=631
Dec  7 10:55:01 slave slapd[5314]: SASL [conn=2] Failure: GSSAPI Error:
An unsupported mechanism was requested (unknown mech-code 0 for mech
unknown)
Dec  7 10:55:01 slave slapd[5314]: send_ldap_result: conn=2 op=1 p=3
Dec  7 10:55:01 slave slapd[5314]: send_ldap_result: err=49 matched=""
text="SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context"
Dec  7 10:55:01 slave slapd[5314]: send_ldap_response: msgid=2 tag=97
err=49
Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 RESULT tag=97 err=49
text=SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
Dec  7 10:55:01 slave slapd[5314]: <== slap_sasl_bind: rc=49
Dec  7 10:55:01 slave slapd[5314]: daemon: activity on 1 descriptor
Dec  7 10:55:01 slave slapd[5314]: daemon: activity on:
Dec  7 10:55:01 slave slapd[5314]:  11r
...

When I use simple bind (and uncomment the line access to * by * read)
everything works as expected too, so something must be wrong with
sasl...

When I send the same search query to the master server (using the same
host as before) I get the desired results, so on the client side
everything seems to be okay.

    

[brevity]
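
A small log-triage sketch for the slapd output quoted in this thread, added here as an example and not part of the original messages: it rejoins the mail-wrapped syslog lines and pairs each connection's SASL failure detail with the result code of its bind response. The function names are hypothetical; the sample lines are copied from the log excerpt above.

```python
import re
from collections import defaultdict

# Log excerpt copied from the post above, including the mail client's line wrapping.
SAMPLE_LOG = """\
Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 BIND dn="" method=163
Dec  7 10:55:01 slave slapd[5314]: ==> sasl_bind: dn="" mech=GSSAPI
datalen=631
Dec  7 10:55:01 slave slapd[5314]: SASL [conn=2] Failure: GSSAPI Error:
An unsupported mechanism was requested (unknown mech-code 0 for mech
unknown)
Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 RESULT tag=97 err=49
text=SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
"""

SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s[\d:]{8}\s\S+\sslapd\[\d+\]:\s")

def unwrap(text):
    """Join continuation lines (no syslog prefix) onto the preceding record."""
    records = []
    for line in text.splitlines():
        if SYSLOG_PREFIX.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def failed_sasl_binds(text):
    """Return {conn: {"err", "result", "sasl"}} for bind responses that failed."""
    conns = defaultdict(lambda: {"err": None, "result": "", "sasl": []})
    for rec in unwrap(text):
        msg = SYSLOG_PREFIX.sub("", rec)
        m = re.match(r"SASL \[conn=(\d+)\] Failure: (.*)", msg)
        if m:
            conns[int(m.group(1))]["sasl"].append(m.group(2))
            continue
        # tag=97 is the LDAP bind response; err=0 is success, err=14 means
        # the SASL exchange is still in progress, so neither is a failure.
        m = re.match(r"conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)(?: text=(.*))?", msg)
        if m:
            entry = conns[int(m.group(1))]
            entry["err"] = int(m.group(2))
            entry["result"] = m.group(3) or ""
    return {c: e for c, e in conns.items() if e["err"] not in (None, 0, 14)}

if __name__ == "__main__":
    for conn, info in failed_sasl_binds(SAMPLE_LOG).items():
        print(f"conn={conn} err={info['err']} sasl={info['sasl']} result={info['result']}")
```

The SASL failure line carries the underlying GSSAPI reason, while the RESULT line only reports the generic err=49 returned to the client, so keeping both per connection shows the server-side cause next to what ldapsearch printed.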
  

