Hi,

I tried to delete, recreate and export my service principals but it did not solve my problem. I still have the same error.

More details on my configuration:
- My server is running ubuntu with heimdal kdc.
- My client is a mac running leopard 10.5.6 with mit kerberos (if I'm right)

I created the service principals on my kdc, then exported them to the keytab on my server, then I copied the keytab to my client.

Below is the result of the 'ktutil list' command:

on my server:

root@passrlsrv:~# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  1  des-cbc-md5              ldap/passrlsrv.passrl@PASSRL
  1  des-cbc-md4              ldap/passrlsrv.passrl@PASSRL
  1  des-cbc-crc              ldap/passrlsrv.passrl@PASSRL
  1  aes256-cts-hmac-sha1-96  ldap/passrlsrv.passrl@PASSRL
  1  des3-cbc-sha1            ldap/passrlsrv.passrl@PASSRL
  1  arcfour-hmac-md5         ldap/passrlsrv.passrl@PASSRL
  1  des-cbc-md5              ldap/passrlsrv@PASSRL
  1  des-cbc-md4              ldap/passrlsrv@PASSRL
  1  des-cbc-crc              ldap/passrlsrv@PASSRL
  1  aes256-cts-hmac-sha1-96  ldap/passrlsrv@PASSRL
  1  des3-cbc-sha1            ldap/passrlsrv@PASSRL
  1  arcfour-hmac-md5         ldap/passrlsrv@PASSRL

on my client:

imac:/etc root# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 ldap/passrlsrv.passrl@PASSRL
   2    1 ldap/passrlsrv.passrl@PASSRL
   3    1 ldap/passrlsrv.passrl@PASSRL
   4    1 ldap/passrlsrv.passrl@PASSRL
   5    1 ldap/passrlsrv.passrl@PASSRL
   6    1 ldap/passrlsrv.passrl@PASSRL
   7    1 ldap/passrlsrv@PASSRL
   8    1 ldap/passrlsrv@PASSRL
   9    1 ldap/passrlsrv@PASSRL
  10    1 ldap/passrlsrv@PASSRL
  11    1 ldap/passrlsrv@PASSRL
  12    1 ldap/passrlsrv@PASSRL

Do you think that there is an incompatibility between heimdal kdc and mit client? Is it possible for instance that the server uses the aes256-cts-hmac-sha1-96 key and the client another one?

Thank you
Xavier

On Fri 27/02/09 20:59 , Ken Hornstein <kenh@xxxxxxxxxxxxxxxx> wrote:

> > Feb 27 18:04:20 passrlsrv slapd[9861]: SASL [conn=16] Failure: GSSAPI
> > Error: Miscellaneous failure (see text) (Decrypt integrity check
> > failedxt))
>
> "Decrypt integrity check failed" means that the service key in your KDC
> doesn't match the service key stored in the keytab. You should rekey
> your server (and make sure you re-kinit AFTER you do that so you get a new
> service ticket that matches your service key).
>
> --Ken
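
Added example, not part of either message: a Python script that parses the two `ktutil list` formats shown above (Heimdal on the server, MIT on the client) and reports where the keytabs disagree on principal or kvno. The function names are hypothetical, the listings are rebuilt from the values in the message, and the "stale copy" case is constructed. A plain listing shows no key material, so identical listings only confirm the copy is consistent at the kvno level; the key in the KDC still has to be checked separately, as Ken's reply describes.

```python
import re
from collections import Counter

# Row shapes of the two listings in the message above:
#   Heimdal "ktutil list":  Vno  Type  Principal
#   MIT "ktutil: list":     slot KVNO  Principal
HEIMDAL_ROW = re.compile(r"^\s*(?P<kvno>\d+)\s+[a-z][\w-]*\s+(?P<princ>\S+@\S+)\s*$")
MIT_ROW = re.compile(r"^\s*\d+\s+(?P<kvno>\d+)\s+(?P<princ>\S+@\S+)\s*$")

def keytab_entries(listing):
    """Count entries per (principal, kvno); headers and prompts are skipped."""
    entries = Counter()
    for line in listing.splitlines():
        m = MIT_ROW.match(line) or HEIMDAL_ROW.match(line)
        if m:
            entries[(m["princ"], int(m["kvno"]))] += 1
    return entries

def compare_keytabs(server_listing, client_listing):
    """Return {(principal, kvno): (server_count, client_count)} where they differ."""
    server = keytab_entries(server_listing)
    client = keytab_entries(client_listing)
    keys = sorted(set(server) | set(client))
    return {k: (server[k], client[k]) for k in keys if server[k] != client[k]}

# Listings rebuilt from the values in the message; kvno is a parameter so a
# constructed "stale copy" case can be produced as well.
PRINCIPALS = ["ldap/passrlsrv.passrl@PASSRL", "ldap/passrlsrv@PASSRL"]
ETYPES = ["des-cbc-md5", "des-cbc-md4", "des-cbc-crc",
          "aes256-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac-md5"]

def heimdal_listing(kvno=1):
    rows = [f"{kvno:3d}  {e:24s} {p}" for p in PRINCIPALS for e in ETYPES]
    return "FILE:/etc/krb5.keytab:\n\nVno  Type  Principal\n" + "\n".join(rows)

def mit_listing(kvno=1):
    princs = [p for p in PRINCIPALS for _ in ETYPES]
    rows = [f"{i:4d} {kvno:4d} {p}" for i, p in enumerate(princs, 1)]
    return "slot KVNO Principal\n---- ---- ---------\n" + "\n".join(rows)

if __name__ == "__main__":
    # As posted: both keytabs hold the same principals at kvno 1.
    print("as posted:", compare_keytabs(heimdal_listing(), mit_listing()))
    # Constructed: server rekeyed to kvno 2, client still holds the old copy.
    for key, counts in compare_keytabs(heimdal_listing(2), mit_listing(1)).items():
        print("stale copy:", key, "server/client entries =", counts)
```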