Re: GSSAPI / SASL problems of sasl2-bin on Ubuntu 10.04.4

On 07/06/12 23:11 +0800, John Mok wrote:
> Hi,
>
> I have succeeded using GSSAPI SASL for OpenLDAP + Postfix access on Ubuntu 8.04.4. When I made the same setup on Ubuntu 10.04.4 :-

Your postfix process is retrieving information, such as postmaps, from an
openldap server, using gssapi authentication? Or are you retrieving your
postmaps from an Active Directory server?

> ldapwhoami -Y GSSAPI
>
> it returned an error (80).
>
> sasl2-bin 2.1.23
> libsasl2-modules 2.1.23
> libsasl2-modules-gssapi-heimdal 2.1.23
>
> When I tried libsasl2-modules-gssapi-mit, it returned (key table entry not found). When I tried libsasl2-modules-gssapi-heimdal, it returned "No credentials were supplied, or the credentials were unavailable or inaccessible ...". I checked with ktutil list and it listed the kerberos principals from Windows 2003 correctly.

For the client side ldapwhoami attempt, try:

klist (verify that you have a TGT)

ldapwhoami -O maxssf=0 -Y GSSAPI ...

and use wireshark to capture the interaction, which will show you any
errors that the KDC may be providing over the network.

Adding '-d -1' may also be helpful. Check your syslog output (auth
facility) for any sasl errors.

Is the keytab file being used by postfix, by openldap, or both?

Where is your keytab file located? If it is not located in
/etc/krb5.keytab, then you will need to add some configuration for the
gssapi plugin to find its location. If using the heimdal plugin,
create a sasl config file (e.g. /usr/lib/sasl2/slapd.conf) with:

keytab: /path/to/file.keytab

If you're using the mit plugin, you'll specify the location using the
KRB5_KTNAME environment variable.

--
Dan White
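
A small check for the keytab questions in the reply above, as an added example that is not part of the original message: run as the account the service runs under, it confirms the keytab is readable, flags group/other access to it, and prints the plugin-specific setting the reply describes. The function names, the script name in the comment, and the permission check are assumptions added here.

```shell
#!/bin/sh
# Added example (not from the thread): keytab checks for a SASL GSSAPI service.
# Function names are hypothetical; the permission check goes beyond the reply.

DEFAULT_KEYTAB=/etc/krb5.keytab

# keytab_check FILE
# Returns 0 if FILE is a readable regular file with no group/other access,
# 1 if it is missing or unreadable by the current user,
# 2 if it is readable but its mode grants group/other access.
keytab_check() {
    kt=$1
    if [ ! -f "$kt" ] || [ ! -r "$kt" ]; then
        echo "missing or unreadable: $kt"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$kt" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "group/other access on $kt ($perms)"
        return 2
    fi
    echo "ok: $kt"
}

# keytab_setting PLUGIN FILE
# Prints the setting the reply names for a keytab outside the default path.
keytab_setting() {
    plugin=$1 kt=$2
    if [ "$kt" = "$DEFAULT_KEYTAB" ]; then
        echo "default location, no extra setting"
        return 0
    fi
    case $plugin in
        heimdal) echo "keytab: $kt" ;;      # line for the SASL config file
        mit)     echo "KRB5_KTNAME=$kt" ;;  # environment of the service
        *)       echo "unknown plugin: $plugin" >&2; return 64 ;;
    esac
}

# Example invocation (script name is a placeholder):
#   sh keytab-check.sh heimdal /path/to/file.keytab
if [ "$#" -eq 2 ]; then
    keytab_check "$2" && keytab_setting "$1" "$2"
fi
```
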

