Hi Marty and Rob,
thanks for your answers.
The FDS user indeed wasn't able to access /etc/krb5.keytab. After I
changed that, the error message changed to:
[EMAIL PROTECTED] ~]# ldapsearch -Y GSSAPI -D
"uid=bsmith,ou=People,dc=afb,dc=lan" -v
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-14): authorization failure:
My klist is as follows:
[EMAIL PROTECTED] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
07/26/07 08:35:05 07/27/07 08:33:33 krbtgt/[EMAIL PROTECTED]
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
After that it changes to
[EMAIL PROTECTED] tmp]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
07/26/07 08:41:36 07/27/07 08:39:33 krbtgt/[EMAIL PROTECTED]
07/26/07 08:41:40 07/27/07 08:39:33 ldap/[EMAIL PROTECTED]
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
So, at least I do get a ticket for ldap.
When I run "kinit bsmith" I get the following log message on my Kerberos
Server:
Jul 26 08:35:05 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431705, etypes {rep=16 tkt=16 ses=16},
[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Jul 26 08:35:05 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431705, etypes {rep=16 tkt=16 ses=16},
[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
When I run "testsaslauthd -s ldap -u bsmith -p letmein" I see the
following log entries:
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16},
[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16},
[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23
1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16},
[EMAIL PROTECTED] for host/[EMAIL PROTECTED]
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23
1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16},
[EMAIL PROTECTED] for host/[EMAIL PROTECTED]
How do I have to set the password for the user bsmith in FDS?
The current setting is: [EMAIL PROTECTED]
Is that correct?
Regards,
Johannes Hintermayer
On Wed, 2007-07-25 at 15:11 -0400, MJD Shop Account wrote:
>
> >#klist
> >Ticket cache: FILE:/tmp/krb5cc_0
> >Default principal: [EMAIL PROTECTED]
> >
> >#ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
>
> No credentials?? or did you just edit out the result of klist? You should
> see at the very least a ticket-granting ticket
>
> >2. Do I need a host principal for every client?
> >
>
> This I am pretty sure is a 'yes you do'
>
>
> -Marty
>
> --
> Fedora-directory-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
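Added example, not part of the original message or of any project's code: a small parser for krb5kdc log records of the shape quoted above. It re-joins records that the mail wrapped across lines and reports which service class each ticket was issued for and with which enctype. The principals in the sample are constructed placeholders (the originals are redacted), and the function names are this example's own.

```python
import re
from collections import Counter

# Kerberos enctype numbers seen in the log, with their MIT Kerberos names.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog prefix
LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

# Constructed sample: placeholder principals, line wrapping as in the mail.
SAMPLE = """\
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16},
bsmith@EXAMPLE.LAN for krbtgt/EXAMPLE.LAN@EXAMPLE.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23
1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16},
bsmith@EXAMPLE.LAN for host/client.example.lan@EXAMPLE.LAN
"""

def unwrap(text):
    """Re-join log records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse(text):
    """Return one dict per AS_REQ/TGS_REQ record, with enctypes named."""
    events = []
    for m in filter(None, map(LINE.search, unwrap(text))):
        ev = m.groupdict()
        ev["offered"] = [ETYPES.get(int(n), n) for n in ev["offered"].split()]
        ev["ticket_etype"] = ETYPES.get(int(ev["tkt"]), ev["tkt"])
        ev["service_class"] = ev["service"].split("/")[0]
        events.append(ev)
    return events

def services_issued(events):
    """Count issued tickets per (request type, service class)."""
    return Counter((e["req"], e["service_class"])
                   for e in events if e["status"] == "ISSUE")
```

`services_issued(parse(SAMPLE))` counts one AS_REQ for `krbtgt` and one TGS_REQ for `host` in the constructed sample.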