Both the LDAP client and Kerberos server are running Solaris 8. Sun Directory server 5.2.
bash-2.03# klist -ef
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testadmin/[EMAIL PROTECTED]
Valid starting Expires Service principal
02/14/05 09:30:57 02/14/05 19:30:57 krbtgt/[EMAIL PROTECTED]
renew until 02/14/05 09:30:57, Flags: RI
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Thank you.
[EMAIL PROTECTED] wrote:
Date: Sun, 13 Feb 2005 21:48:37 -0500
From: Wyllys Ingersoll <[EMAIL PROTECTED]>
To: coady <[EMAIL PROTECTED]>
Cc: [email protected]
Subject: Re: /usr/lib/gss/gl/mech_krb5.so
coady wrote:
Hi,
I got an MIT Kerberos server and an iPlanet Directory server set up.
So far, I could get a TGT and telnet into a telnet server and had a service ticket. So, I think as far as the Kerberos part, it's working.
Now, after a successful kinit from a client, when I tried
ldapsearch -h test.com -b dc=example,dc=com -o mech=GSSAPI uid=testuser
it'd ask for
please enter your authorization name:
then the error message:
unable to initialize mechanism library [/usr/lib/gss/gl/mech_krb5.so]
unable to initialize mechanism library [/usr/lib/gss/gl/mech_krb5.so]
ldap_sasl_interactive_bind_s: Local error
You don't mention which OS you are running, but it seems that you must be running Solaris 8 or Solaris 9. I would guess that you probably installed the SEAM packages for Solaris.
The likely problem is that Solaris 8 and 9 do not have support for the same encryption types as the newer MIT Kerberos code. If the server (MIT) is issuing keys that the client (Solaris) cannot understand, the client library will not be able to do anything with the tickets.
Send output of "klist -ef" to show the enctypes used in your client's ticket cache. If they show up as numbers (ex: "enctype 17 ...") instead of names ("AES-128 ..."), then this is definitely the problem. If your cache already has only DES keys, then there must be something else wrong.
Solaris 10 has support for all of the enctypes that MIT supports.
-Wyllys
------------------------------
_______________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
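
Added example, not part of the original thread: a small parser that applies the "klist -ef" check suggested in the reply, flagging tickets whose enctypes print as bare numbers rather than names. Both sample listings are constructed (the realm EXAMPLE.COM and the exact "enctype 17" spelling are assumptions modelled on the output quoted in the thread).

```python
import re

TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"{TS}\s+{TS}\s+(.+)")          # start, expiry, service principal
ETYPES = re.compile(r"Etype \(skey, tkt\):\s*(.+)")  # session-key and ticket enctypes
# An enctype the client library has no name for is printed as a bare number.
NUMERIC = re.compile(r"(?:e(?:nc)?type\s+)?\d+", re.I)

def parse_klist(text):
    """Return [(service, skey_etype, tkt_etype)] from `klist -ef` output."""
    entries, service = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET.match(line)
        if m:
            service = m.group(1)
            continue
        m = ETYPES.match(line)
        if m and service:
            skey, _, tkt = m.group(1).partition(", ")
            entries.append((service, skey.strip(), tkt.strip()))
            service = None
    return entries

def unknown_enctypes(text):
    """Tickets whose session-key or ticket enctype is shown only as a number."""
    return [e for e in parse_klist(text)
            if NUMERIC.fullmatch(e[1]) or NUMERIC.fullmatch(e[2])]

# Constructed sample: every enctype is named, as in the listing posted above.
NAMED = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testadmin/admin@EXAMPLE.COM
Valid starting     Expires            Service principal
02/14/05 09:30:57  02/14/05 19:30:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 02/14/05 09:30:57, Flags: RI
    Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
"""
# Constructed sample: the KDC issued an enctype the client cannot name.
NUMBERED = NAMED.replace(
    "Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1",
    "enctype 17, enctype 17")

if __name__ == "__main__":
    for label, sample in (("named", NAMED), ("numbered", NUMBERED)):
        bad = unknown_enctypes(sample)
        print(label, "->", bad or "all enctypes named; look for another cause")
```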
