On 03/15/2012 12:56 PM, Matt Wells wrote:
> The error I get is -
> [15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@] in keytab
> [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
> for KDC in requested realm)
> [15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Credentials
> cache file '/tmp/krb5cc_99' not found))
> [15/Mar/2012:10:48:30 -0700] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
> error)
>
> In kerberos all principals are created and in the /etc/krb5.keytab the
> following exist; additionally the permissions have been set all the
> way to 777 to ensure a permissions issue is not in play.
>
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 2 host/[email protected]
> 2 2 host/[email protected]
> 3 2 host/[email protected]
> 4 2 host/[email protected]
> 5 2 host/[email protected]
> 6 2 host/[email protected]
> 7 2 host/[email protected]
> 8 2 host/[email protected]
> 9 3 ldap/[email protected]
> 10 3 ldap/[email protected]
> 11 3 ldap/[email protected]
> 12 3 ldap/[email protected]
> 13 3 ldap/[email protected]
> 14 3 ldap/[email protected]
> 15 3 ldap/[email protected]
> 16 3 ldap/[email protected]
>
> My question is the following -
> Shouldn't my first error from above read
> "[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/[email protected]]"
> It makes sense to me that I am missing my realm, without that I of
> course couldn't get my tgt from the kdc. But where do I define that
> realm?
> I've looked in the
> cn=mapping,cn=sasl,cn=config
> but have not seen a realm to define.
> I've tested for fun changing
> these attributes but to no avail.
Hmmm, I don't remember having to do anything special here. Perhaps
"EXAMPLE.COM" is just listed here in the email, but above the log shows
> [15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@] in keytab
> [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
> for KDC in requested realm)
Your krb5.conf file would need to have maps to the KDC for EXAMPLE.COM
which actually work--they resolve to a real KDC. This is my krb5.conf
file on my ldap server, with my relevant realms/domains replaced by
example.com and EXAMPLE.COM:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
kdc = kerberos-1.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Perhaps your ldap server is not able to resolve the address of the KDC
at the time of the server startup? Also, check that your /etc/hosts
contains the proper FQDN for your ldap server, listed before any
hostname aliases for that IP:
192.168.1.99 ldap.example.com ldap
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
-- 389 users mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/389-users
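The two checks the reply above suggests, KDC resolvability for the default realm in krb5.conf and the FQDN being listed before any alias on its /etc/hosts line, as an added example that is not code from the thread or from the 389 project. The krb5.conf and hosts samples, the function names and the "diagnose" findings text are all constructed for illustration.

```python
import re, socket

# Constructed sample krb5.conf mirroring the reply's example (assumed values, not a real site).
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  kdc = kerberos-1.example.com:88
 }
"""
SAMPLE_HOSTS = "192.168.1.99 ldap ldap.example.com\n"  # constructed: alias listed BEFORE the FQDN

def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc hosts]}) from krb5.conf text."""
    kdcs, section, default_realm, cur = {}, None, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        head = re.match(r"\[(\w+)\]$", line)
        if head:
            section, cur = head.group(1), None
        elif section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms":
            opener = re.match(r"([\w.\-]+)\s*=\s*\{", line)
            if opener:
                cur = kdcs.setdefault(opener.group(1), [])
            elif cur is not None and line.startswith("kdc"):
                cur.append(line.split("=", 1)[1].strip().split(":")[0])  # strip :port
    return default_realm, kdcs

def fqdn_listed_first(hosts_text, fqdn):
    """True if the /etc/hosts line naming fqdn lists it before any alias."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fqdn in fields[1:]:
            return fields[1] == fqdn
    return False

def diagnose(krb5_text, hosts_text, ldap_fqdn, resolve=socket.gethostbyname):
    # Findings that would explain "Cannot resolve network address for KDC in requested realm".
    default_realm, kdcs = parse_krb5_conf(krb5_text)
    findings = [] if kdcs.get(default_realm) else ["no kdc entries for default realm %r" % default_realm]
    for host in kdcs.get(default_realm, []):
        try:
            resolve(host)  # the lookup libkrb5 must be able to do at slapd startup
        except OSError:
            findings.append("KDC %s does not resolve" % host)
    if not fqdn_listed_first(hosts_text, ldap_fqdn):
        findings.append("%s is not listed first on its /etc/hosts line" % ldap_fqdn)
    return findings
```

Run `diagnose(open("/etc/krb5.conf").read(), open("/etc/hosts").read(), socket.getfqdn())` on the LDAP server itself to check the live files; the default resolver uses the system's DNS and hosts lookup.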
