Ben Lentz wrote:
Greetings list,
I am using openldap-2.4.12 with cyrus-sasl 2.1.22 with mit krb5-1.6.3
on an AIX 5.3, TL8, SP2 machine.
Whenever I try to use GSSAPI with ldapsearch against a Microsoft
Active Directory server, I get the following error:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
When I run the process through truss -rall -wall -f, I see the
following error near the failure:
GSSAPI Error: An invalid name was supplied (Not enough space)
I am able to acquire a kerberos ticket, I can list the GSSAPI plugin
using pluginviewer, and I can ldapsearch against the MSAD server using
simple authentication.
I have searched Google and can find no reference to the "Not enough
space" error. Has anyone else seen this before or can anyone shed any
light on this?
Thanks in advance.

Are you receiving the service principal ticket for the ldap server (e.g.
ldap/<hostname>@REALM)?
The error you're receiving is possibly due to the AD/mit/kerberos
interaction rather than cyrus. I had success troubleshooting a 'packet
too large', or something similar, once with wireshark. That was with
Heimdal and AD. I ended up forcing Heimdal to use TCP when talking to
the AD server. In /etc/krb5.conf:
[realms]
    EXAMPLE.NET = {
        kdc = tcp/ad.example.net
        kdc = ad.example.net
        admin_server = ad.example.net
    }
- Dan
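
Added example, not part of the original thread: a small check that reports, per realm in a krb5.conf, whether the client will try TCP to the KDC first. It recognises the Heimdal `tcp/` prefix shown in the reply and, as an addition beyond the thread, the MIT krb5 `udp_preference_limit = 1` setting in [libdefaults]; the function name and the sample configs are constructed for illustration.

```python
import re

def kdc_transport(conf_text):
    """Map each realm in a krb5.conf string to 'tcp-first' or 'default'."""
    section, realm, mit_tcp_first = None, None, False
    kdcs = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                # new top-level section
            section, realm = m.group(1), None
            continue
        if line == "}":                      # end of a realm block
            realm = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults" and key == "udp_preference_limit":
            # MIT krb5: a limit of 1 byte means every request tries TCP first
            mit_tcp_first = value == "1"
        elif section == "realms" and value == "{":
            realm = key
            kdcs[realm] = []
        elif section == "realms" and realm and key == "kdc":
            kdcs[realm].append(value)
    result = {}
    for name, entries in kdcs.items():
        # Heimdal: a tcp/ prefix on the first kdc entry selects TCP for it
        heimdal_tcp = bool(entries) and entries[0].startswith("tcp/")
        result[name] = "tcp-first" if (mit_tcp_first or heimdal_tcp) else "default"
    return result

# Constructed sample configs (hostnames follow the reply's example.net).
HEIMDAL_STYLE = """[realms]
    EXAMPLE.NET = {
        kdc = tcp/ad.example.net
        kdc = ad.example.net
        admin_server = ad.example.net
    }
"""
MIT_STYLE = """[libdefaults]
    udp_preference_limit = 1
[realms]
    EXAMPLE.NET = {
        kdc = ad.example.net
    }
"""
UDP_DEFAULT = "[realms]\n EXAMPLE.NET = {\n  kdc = ad.example.net\n }\n"

if __name__ == "__main__":
    for label, text in [("heimdal", HEIMDAL_STYLE), ("mit", MIT_STYLE), ("plain", UDP_DEFAULT)]:
        print(label, kdc_transport(text))
```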