Ben Lentz wrote:
Greetings list,

I am using openldap-2.4.12 with cyrus-sasl 2.1.22 with mit krb5-1.6.3 on an AIX 5.3, TL8, SP2 machine. Whenever I try to use GSSAPI with ldapsearch against a Microsoft Active Directory server, I get the following error:

    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)

When I run the process through truss -rall -wall -f, I see the following error near the failure:

    GSSAPI Error: An invalid name was supplied (Not enough space)

I am able to acquire a kerberos ticket, I can list the GSSAPI plugin using pluginviewer, and I can ldapsearch against the MSAD server using simple authentication. I have searched Google and can find no reference to the "Not enough space" error. Has anyone else seen this before or can anyone shed any light on this?

Thanks in advance.
Are you receiving the service principal ticket for the ldap server (e.g. ldap/<hostname>@REALM)?
The error you're receiving is possibly due to the AD/mit/kerberos interaction rather than cyrus. I had success troubleshooting a 'packet too large', or something similar, once with wireshark. That was with Heimdal and AD. I ended up forcing Heimdal to use TCP when talking to the AD server. In /etc/krb5.conf:

[realms]
    EXAMPLE.NET = {
        kdc = tcp/ad.example.net
        kdc = ad.example.net
        admin_server = ad.example.net
    }

- Dan
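
An added example, not part of the original post: a small Python check that parses a krb5.conf and reports which realms carry KDC entries with the Heimdal `tcp/` prefix shown above. The `udp_preference_limit = 1` line is MIT krb5's setting for trying TCP first and is an assumption here, as are the sample file, the OTHER.EXAMPLE realm and the function names.

```python
import re
# Constructed sample: the Heimdal-style realm entry from the reply above, plus
# an MIT-style udp_preference_limit line and a second realm (both assumptions).
SAMPLE = """\
[libdefaults]
    udp_preference_limit = 1
[realms]
    EXAMPLE.NET = {
        kdc = tcp/ad.example.net
        kdc = ad.example.net
        admin_server = ad.example.net
    }
    OTHER.EXAMPLE = {
        kdc = kdc.other.example
    }
"""

def parse_krb5_conf(text):
    """Parse sections and one level of { } blocks; repeated keys become lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:  # a new section header also ends any block left unclosed
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section).setdefault(key, []).append(value)
    return conf

def tcp_report(text):
    """Report the MIT-style TCP preference and, per realm, the tcp/ KDC entries."""
    conf = parse_krb5_conf(text)
    limit = conf.get("libdefaults", {}).get("udp_preference_limit", [None])[-1]
    report = {"mit_tcp_first": limit == "1", "realms": {}}
    for realm, body in conf.get("realms", {}).items():
        if isinstance(body, dict):
            report["realms"][realm] = [k for k in body.get("kdc", []) if k.startswith("tcp/")]
    return report

if __name__ == "__main__":
    print(tcp_report(SAMPLE))
```

A realm whose list comes back empty has no `tcp/` KDC entry, so it relies on the library default or on the `[libdefaults]` setting.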