> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Russ Allbery
> Sent: Thursday, August 06, 2009 11:56 PM
> To: [email protected]
> Subject: Re: IPv6 handling in SASL LDAP binding
> 
> I have no idea if Cyrus SASL supports IPv6 or not, but try
> using [3ffe:2000:0:1:e0be:1872:d4f8:6b2c] instead.  The
> brackets disambiguate IPv6 address literals from hostnames with ports.

After kinit, there is a Kerberos TGT:
===================================================
q...@durian(pts/2):/usr/lib[115]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: [email protected]

Valid starting     Expires            Service principal
08/07/09 13:19:18  08/07/09 23:20:45  krbtgt/[email protected]
        renew until 08/08/09 13:19:18
08/07/09 13:22:00  08/07/09 23:20:45  ldap/[email protected]
        renew until 08/08/09 13:19:18


Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
===================================================
Since it seems MozLDAP didn't pass any info related to the Kerberos authentication 
server to Cyrus-SASL, can I understand that Cyrus-SASL obtains the Kerberos 
authentication server's whereabouts from the ticket? But there is only an LDAP 
server's service principal in the ticket (ldap/[email protected]). It 
doesn't reveal the authentication server's address or hostname, does it?

My problem is that after the user logs in, Cyrus-SASL can't find the Kerberos 
server to send out the TGS-REQ. However, locating the Kerberos server seems 
somewhat beyond MozLDAP and Cyrus-SASL. Thus, I feel something is wrong in the MIT 
Kerberos plugin "libgssapi_krb5.so".

Still, it is strange: although DNS resolves the Kerberos server's hostname 
to an IPv6 address, the fact that kinit is successful shows that the server can be 
located. How come, when doing the SASL binding, the server (with an IPv6 address) 
can't be located?

Kind of confused...
Xu Qiang
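
The bracket rule from the quoted reply, as an added example that is not part of the thread and is not code from Cyrus SASL, MozLDAP or MIT Kerberos: a last-colon split mis-parses a bare IPv6 literal, while a bracket-aware parser accepts `[addr]` and `[addr]:port` and rejects the ambiguous bare form. The function names, the default port 389 and the sample hostname and addresses other than the one in the thread are assumptions.

```python
import ipaddress

def naive_split(spec):
    """Split on the last colon, as a pre-IPv6 host:port parser would."""
    host, _, port = spec.rpartition(":")
    return host, port

def _port(text):
    # Accept only decimal ports in the valid TCP/UDP range.
    if not text.isdigit() or not 0 < int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)

def parse_hostport(spec, default_port=389):  # 389 (LDAP) is an assumed default
    """Return (host, port); raise ValueError if the spec is ambiguous."""
    if spec.startswith("["):
        end = spec.find("]")
        if end == -1:
            raise ValueError("missing closing bracket")
        literal = spec[1:end]
        ipaddress.IPv6Address(literal)  # raises ValueError if not valid IPv6
        rest = spec[end + 1:]
        if rest == "":
            return literal, default_port
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after bracket: {rest!r}")
        return literal, _port(rest[1:])
    if spec.count(":") > 1:
        # Could be a bare IPv6 address or address plus port: refuse to guess.
        raise ValueError("unbracketed IPv6 literal; use [addr] or [addr]:port")
    host, sep, port = spec.partition(":")
    if not host:
        raise ValueError("empty host")
    return host, _port(port) if sep else default_port

if __name__ == "__main__":
    addr = "3ffe:2000:0:1:e0be:1872:d4f8:6b2c"  # literal from the thread
    print(naive_split(addr))              # last hextet taken as the "port"
    print(naive_split("2001:db8::1:389")) # constructed: silently wrong host
    print(parse_hostport(f"[{addr}]"))
    print(parse_hostport(f"[{addr}]:636"))
```
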

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
