> -----Original Message-----
> From: Rich Megginson [mailto:[email protected]] On Behalf Of Rich Megginson
> Sent: Friday, March 13, 2009 10:50 PM
> To: Xu, Qiang (FXSGSC)
> Subject: Re: SASL authentication
>
> Well, your ldap server must have assigned a keytab from your kerberos KDC.
Just thinking about it twice, and from http://docs.hp.com/en/J4269-90049/ch04s03.html, it seems a keytab file is not necessary:

=========================================================
Service/Host Principal

A Kerberos keytab file contains service or host principals and associated keys information. Users can choose to bind using the service or host keys. The keytab file may contain multiple principals and keys. Users may configure which service key to use. For example, the following /etc/krb5.keytab file contains two principals:

$ klist -k
Keytab name: FILE:/etc/krb5.keytab
Principal
--------------------------------------------
1 ldapux/[email protected]
1 host/[email protected]
=========================================================

It seems to me that if the feedback from the klist command is not empty, then there exists a service principal. After I authenticate against the Kerberos server, I get:

=========================================================
MBC113:/ <515> /tmp/dlms/kerberos/apps/klist -k
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
03/17/09 17:36:50  03/18/09 03:37:35  krbtgt/[email protected]
        renew until 03/18/09 17:36:50
=========================================================

So I do have a service principal or ticket. And it has not expired, yet. Looking back at the tutorial at http://aput.net/~jheiss/krbldap/howto.html:

=========================================================
ldap_sasl_interactive_bind_s: Local error
ldap/hostname service principal not set up or your Kerberos ticket is expired
=========================================================

It may just mean either there is not any ticket available, or the ticket has expired. From the feedback of the klist command, it looks like my error is not due to this.

In short, I think the keytab file is not necessary, provided that my kinit is successful and klist does not give an empty result. Am I right?
Thanks,
Xu Qiang

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
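The thread turns on reading two different klist listings: `klist -k` shows what is in the server's keytab, while plain `klist` shows the tickets in a client's credential cache. Below is an added checker (not code from the thread or from any of the tools it mentions) that parses both listing formats and reports whether a given service principal is present in the keytab and whether the cache still holds an unexpired TGT for the realm. The host names, realm and listing text are constructed samples shaped like the outputs quoted above.

```python
"""Parse `klist -k` (keytab) and `klist` (credential cache) listings and check
the two things a GSSAPI LDAP bind depends on: a service key on the server and
an unexpired TGT on the client. All sample data below is constructed."""
import re
from datetime import datetime

# Constructed `klist -k` output for a hypothetical LDAP host in realm EXAMPLE.COM.
KEYTAB_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   1 ldap/ldap.example.com@EXAMPLE.COM
   1 host/ldap.example.com@EXAMPLE.COM
"""

# Constructed `klist` output after a successful kinit for a hypothetical user.
CACHE_LISTING = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: qiang@EXAMPLE.COM

Valid starting     Expires            Service principal
03/17/09 17:36:50  03/18/09 03:37:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/18/09 17:36:50
"""

KLIST_TIME = "%m/%d/%y %H:%M:%S"
# Keytab entries: a key version number followed by the principal name.
PRINC_RE = re.compile(r"^\s*\d+\s+(\S+)\s*$", re.MULTILINE)
# Cache entries: start time, expiry time, service principal (renewal lines are skipped).
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$",
    re.MULTILINE)


def keytab_principals(listing):
    """Return every principal name listed in `klist -k` output."""
    return PRINC_RE.findall(listing)


def has_service_key(listing, service, fqdn, realm):
    """True if the keytab holds service/fqdn@REALM, e.g. the ldap/ key the server uses."""
    return f"{service}/{fqdn}@{realm}" in keytab_principals(listing)


def cache_tickets(listing):
    """Return (service_principal, expiry datetime) for each ticket in `klist` output."""
    return [(svc, datetime.strptime(exp, KLIST_TIME))
            for _start, exp, svc in TICKET_RE.findall(listing)]


def valid_tgt(listing, realm, now_text):
    """True if the cache holds a krbtgt for the realm that has not expired at now_text."""
    now = datetime.strptime(now_text, KLIST_TIME)
    tgt = f"krbtgt/{realm}@{realm}"
    return any(svc == tgt and exp > now for svc, exp in cache_tickets(listing))
```

A TGT in the cache and a service key in the keytab are checked independently here, since one is produced by kinit on the client and the other is provisioned on the server.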
