Brian May <[email protected]> writes:

> With libsasl2-modules-gssapi-mit installed.

> root@tyla:~# ldapsearch -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org
> uid=aspiers -H ldap://sys11.ad.vpac.org/ -A
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information (Cannot
> determine realm for numeric host address)

> With libsasl2-modules-gssapi-heimdal installed.

> root@tyla:~# ldapsearch -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org
> uid=aspiers -H ldap://sys11.ad.vpac.org/ -A
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (see text) (Matching credential (ldap/
> 2001:388:60ac:10d:214:85ff:fef6:[email protected]) not found)

> It should not be trying to use ldap/
> 2001:388:60ac:10d:214:85ff:fef6:[email protected], it should use the name I
> specified on the command line, i.e. ldap/[email protected]

If you add:

    rdns = false

to the [libdefaults] section of your /etc/krb5.conf, does it then work
with MIT? (I'm not sure what the corresponding Heimdal setting is; a quick
man page check didn't reveal it.)

I think this is your GSS-API library being excessively helpful and
canonicalizing the host identity with DNS for you, and then getting
confused by whatever nsswitch is returning. This isn't really under the
control of the application; the GSS-API library will do this under the
hood.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
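A check for the mismatch discussed in the message above, added here as an example that is not part of the original e-mail: it compares the service principal built from the host name as typed with the one a client would build after replacing the host with its reverse-DNS name. The reverse-lookup model is an assumption, not the GSS-API library's actual code, and the host names, addresses and realm are constructed.

```python
import ipaddress
import socket

def forward_addrs(host):
    """Forward lookup: every (family, address) the name resolves to."""
    infos = socket.getaddrinfo(host, 389, type=socket.SOCK_STREAM)
    return [(ai[0], ai[4][0]) for ai in infos]

def reverse_name(addr, family):
    """Reverse lookup; without NI_NAMEREQD a missing PTR record yields
    the numeric address string instead of an error."""
    sockaddr = (addr, 0, 0, 0) if family == socket.AF_INET6 else (addr, 0)
    return socket.getnameinfo(sockaddr, 0)[0]

def is_numeric(name):
    """True if name is an IPv4 or IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def check_service_name(service, host, realm,
                       forward=forward_addrs, reverse=reverse_name):
    """Compare the principal built from the name as typed with the one a
    reverse-DNS-canonicalizing client (assumed model) would build."""
    requested = f"{service}/{host.lower()}@{realm}"
    findings = []
    for family, addr in forward(host):
        canon = reverse(addr, family).lower().rstrip(".")
        findings.append({"address": addr, "requested": requested,
                         "canonicalized": f"{service}/{canon}@{realm}",
                         "numeric": is_numeric(canon),
                         "matches": canon == host.lower()})
    return findings

# Constructed resolver data (documentation names and addresses): the IPv6
# address has no PTR record, the IPv4 address reverse-resolves cleanly.
SAMPLE_PTR = {"192.0.2.10": "ldap1.example.test."}

def sample_forward(host):
    return [(socket.AF_INET6, "2001:db8::10"), (socket.AF_INET, "192.0.2.10")]
def sample_reverse(addr, family):
    return SAMPLE_PTR.get(addr, addr)

if __name__ == "__main__":
    for f in check_service_name("ldap", "ldap1.example.test", "EXAMPLE.TEST",
                                sample_forward, sample_reverse):
        print(f["address"], f["canonicalized"], "numeric" if f["numeric"] else "")
```

Called without the `forward` and `reverse` arguments, `check_service_name` uses the system resolver, so it reflects whatever nsswitch returns on the client being debugged.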

