Re: SASL + Kerberos + OpenLDAP issue

["Henry B. Hotz" <hotz@xxxxxxxxxxxx>]

OK, so you know what's on the server.

On your client (after a failure) do a "klist -e".  If there is a  
matching enctype with a server's keytab entry, then do a "kvno  
<service principal>" and see if that entry's kvno also matches.

Some procedures for extracting keytab files will increment the kvno  
(and generate new keys) behind your back.

On Feb 28, 2009, at 6:28 AM, xavier.ambrosioni@xxxxxxxxxxxxxxxx wrote:

> Hi,
>
> I tried to delete, recreate and export my service principals but it  
> did not solve my problem. I have already the same error.
>
> More details on my configuration:
> - My server is running ubuntu with heimdal kdc.
> - My client is a mac running leopard 10.5.6 with mit kerberos (if  
> I'm right)
>
> I created the service principals on my kdc then export to the keytab  
> on my server, then I copied to keytab to my client.
> Below the result of 'ktutil list' command:
>
> on my server:
>  root@passrlsrv:~# ktutil list
> FILE:/etc/krb5.keytab:
>
> Vno  Type                     Principal
>  1  des-cbc-md5              ldap/passrlsrv.passrl@PASSRL
>  1  des-cbc-md4              ldap/passrlsrv.passrl@PASSRL
>  1  des-cbc-crc              ldap/passrlsrv.passrl@PASSRL
>  1  aes256-cts-hmac-sha1-96  ldap/passrlsrv.passrl@PASSRL
>  1  des3-cbc-sha1            ldap/passrlsrv.passrl@PASSRL
>  1  arcfour-hmac-md5         ldap/passrlsrv.passrl@PASSRL
>  1  des-cbc-md5              ldap/passrlsrv@PASSRL
>  1  des-cbc-md4              ldap/passrlsrv@PASSRL
>  1  des-cbc-crc              ldap/passrlsrv@PASSRL
>  1  aes256-cts-hmac-sha1-96  ldap/passrlsrv@PASSRL
>  1  des3-cbc-sha1            ldap/passrlsrv@PASSRL
>  1  arcfour-hmac-md5         ldap/passrlsrv@PASSRL
>
>
> on my client:
> imac:/etc root# ktutil
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  list
> slot KVNO Principal
> ---- ----  
> ---------------------------------------------------------------------
>   1    1             ldap/passrlsrv.passrl@PASSRL
>   2    1             ldap/passrlsrv.passrl@PASSRL
>   3    1             ldap/passrlsrv.passrl@PASSRL
>   4    1             ldap/passrlsrv.passrl@PASSRL
>   5    1             ldap/passrlsrv.passrl@PASSRL
>   6    1             ldap/passrlsrv.passrl@PASSRL
>   7    1                    ldap/passrlsrv@PASSRL
>   8    1                    ldap/passrlsrv@PASSRL
>   9    1                    ldap/passrlsrv@PASSRL
>  10    1                    ldap/passrlsrv@PASSRL
>  11    1                    ldap/passrlsrv@PASSRL
>  12    1                    ldap/passrlsrv@PASSRL
>
> Do you think that there is an incompatibility between heimdal kdc  
> and mit client ?
> Is it possible for instance that the server uses the aes256-cts-hmac- 
> sha1-96 key and the client another one ?
>
>
> Thank you
> Xavier
>
>
> On Fri 27/02/09 20:59 , Ken Hornstein <kenh@xxxxxxxxxxxxxxxx> wrote:
>
> > > Feb 27 18:04:20 passrlsrv slapd[9861]: SASL [conn=16] Failure:
> > GSSAPI
> > > Error:  Miscellaneous failure (see text) (Decrypt integrity check
> > > failedxt))
> > "Decrypt integrity check failed" means that the service key in your
> > KDC
> > doesn't match the service key stored in the keytab.  You should
> > rekey
> > your server (and make sure you re-kinit AFTER you do that so you get
> > a new
> > service ticket that matches your service key).
> > --Ken
> http://www.celeonet.fr

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@xxxxxxxxxxxx, or hbhotz@xxxxxxx