Re: GSSAPI Error: An invalid name was supplied (Not enough space)

Ben Lentz wrote:
Ben Lentz wrote:
Greetings list,
I am using openldap-2.4.12 with cyrus-sasl 2.1.22 with mit krb5-1.6.3
on an AIX 5.3, TL8, SP2 machine.

Whenever I try to use GSSAPI with ldapsearch against a Microsoft
Active Directory server, I get the following error:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)

I am yet to be able to get sasl to run with gssapi against AD. If you do make any progress, or if anybody's managed to get it working, please let us know.

I recompiled against OpenLDAP 2.3.27, cyrus-sasl 2.1.22, and mit krb5-1.6.1, and am still getting the GSSAPI Error: An invalid name was supplied (Not enough space) error.

Next, I recompiled the whole shebang against the krb5 from Heimdal and got the same error.


I just successfully tested against our internal Active Directory Server.

On our Server, we have Windows Server 2003 Standard Edition.

On my client, I'm running Debian Unstable, with:

cyrus sasl version 2.1.22.dfsg1-23
heimdal version 1.2.dfsg.1-2
krb5-user version 1.6.dfsg.4~beta1-4
ldap-utils version 2.4.10-3

Here's my output. The domain names have been changed:

dwhite@zek:~$ kdestroy
dwhite@zek:~$ kinit dan@xxxxxxxxxxx
Password for dan@xxxxxxxxxxx:
dwhite@zek:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan@xxxxxxxxxxx

Valid starting     Expires            Service principal
11/12/08 10:33:45  11/12/08 20:32:34  krbtgt/EXAMPLE.ORG@xxxxxxxxxxx
       renew until 11/13/08 10:33:45


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
dwhite@zek:~$ ldapsearch -x -LLL -s "base" -b "" supportedSASLMechanisms -h ad_server.example.org
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

dwhite@zek:~$ ldapsearch -Y GSSAPI -LLL -s "base" -b "" supportedSASLMechanisms -h ad_server.example.org
SASL/GSSAPI authentication started
SASL username: dan@xxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

dwhite@zek:~$ ldapsearch -Y GSSAPI -h ad_server.example.org -b cn=Users,dc=example,dc=org -s base -LLL
SASL/GSSAPI authentication started
SASL username: dan@xxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
dn: cn=Users,dc=example,dc=org
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=example,DC=org
<cut>

dwhite@zek:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan@xxxxxxxxxxx

Valid starting     Expires            Service principal
11/12/08 10:33:45  11/12/08 20:32:34  krbtgt/EXAMPLE.ORG@xxxxxxxxxxx
       renew until 11/13/08 10:33:45
11/12/08 10:32:40  11/12/08 20:32:34  ldap/ad_server.example.org@
       renew until 11/13/08 10:33:45
11/12/08 10:32:40  11/12/08 20:32:34  ldap/ad_server.example.org@xxxxxxxxxxx
       renew until 11/13/08 10:33:45


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
dwhite@zek:~$


You can enter the host/IP into /etc/hosts, or if your dns resolves ad_server.example.org correctly, then you shouldn't need to. I was getting a Local Error as well due to a bad entry in my /etc/hosts.

- Dan
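
The /etc/hosts point above, as an added example that is not part of the original thread: a small Python check that models how a hosts file resolves the LDAP server name and which host-based service name (ldap/<host>) a GSSAPI client would then ask for. The sample hosts file, the function names and the first-match resolver order are assumptions made for illustration.

```python
# Added example (not from the thread): model forward and reverse resolution
# of the LDAP server name through a hosts file, first match wins (assumed).
import ipaddress

# Constructed sample: the second line carries a stale alias for the AD server.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
127.0.1.1      zek.example.org zek ad_server.example.org   # constructed bad entry
192.0.2.10     ad_server.example.org ad_server
"""

def parse_hosts(text):
    """Return [(ip, [names...])] in file order, with comments stripped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries

def check_host(text, host, service="ldap"):
    """Resolve host via the hosts text and report the derived service name."""
    entries = parse_hosts(text)
    host = host.lower()
    # Forward lookup: the first line that lists the name decides the address.
    fwd = next(((ip, names) for ip, names in entries if host in names), None)
    if fwd is None:
        # Name is not in the hosts file, so DNS would decide instead.
        return {"status": "not-in-hosts", "principal": None, "problems": []}
    ip = fwd[0]
    # Reverse lookup: canonical name is the first name on the first line for ip.
    canon = next(names[0] for e_ip, names in entries if e_ip == ip)
    problems = []
    if ipaddress.ip_address(ip).is_loopback:
        problems.append(f"{host} resolves to loopback address {ip}")
    if canon != host:
        problems.append(f"{ip} maps back to {canon}, not {host}")
    return {"status": "mismatch" if problems else "ok",
            "principal": f"{service}/{canon}", "problems": problems}

if __name__ == "__main__":
    result = check_host(SAMPLE_HOSTS, "ad_server.example.org")
    print(result["status"], result["principal"])
    for p in result["problems"]:
        print("  -", p)
```

A "mismatch" result means the client would request a ticket for a different service name than the ldap/ad_server.example.org entry seen in the klist output above.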
