Thank you Guillaume for your helpful answer.

What I've done on the LDAP server: I've generated a -randkey ldap/[email protected] LDAP service key. Modified the relevant ldap startup file, providing the path where LDAP will find its keytab file, and restarted the entire host - just to make sure that no old TCP connection will block the TCP port 389 (LDAP).

Checked the krb5kdc.log while the user calls kinit - YES - the initial communication is fine, the user gets its TGT.

When I do the ldapsearch -x on the server, as expected all is fine (LDAP not yet involved).
When I do the ldapsearch -Y GSSAPI (on the server) - YES, all is fine.

But something is weird. When I've checked my klist I'll get in return:

klist
Valid starting     Expires            Service principal
03/29/10 13:07:54  03/30/10 14:07:54  krbtgt/[email protected]
        renew until 04/05/10 13:07:54
03/29/10 13:08:04  03/30/10 14:07:54  ldap/localhost@
        renew until 04/05/10 13:07:54
03/29/10 13:08:04  03/30/10 14:07:54  ldap/[email protected]
        renew until 04/05/10 13:07:54

Hmmm - what I did next, I changed the keytab. Removed the localhost stuff and added the ldap/[email protected] principal (unfortunately only).

What I'm going to do next - I'll generate a keytab file including the ldap/localhost and ldap/declips.privat.net and will try it out. I'll keep you updated.

cheers
Wolf-Agathon

----- Original Message ----
From: Guillaume Rousse <[email protected]>
To: [email protected], [email protected]
Date: 30.03.2010 13:15
Subject: Re: kerberized OpenLDAP

> On 29/03/2010 10:26, Wolf-Agathon Schaly wrote:
> > If I leave the LDAP server listening on the TCP address of localhost
> > (127.0.0.1) declips is cool.
> > If I change the entry in /etc/openldap/ldap.conf from
> > URI=ldap://127.0.0.1/
> > to
> > URI=ldap://10.1.1.1/
> > I'm facing the same issue (gss_accept_sec_context) as on levante.
> >
> > Is there somebody out there who can lead me to a solution.
> It seems like a name canonicalisation error to me, as you have a
> multihomed setup, and the result varies with the IP address you're using.
>
> You have to ensure the principal used in the LDAP server keytab (its SPN)
> matches both the ones used by clients when they ask for a service ticket (DNS
> hostname for the IP address used in their /etc/openldap/ldap.conf files),
> and the one used by the server itself (by default, the one returned by
> gethostname(), otherwise the one specified with the sasl_hostname directive
> in its configuration file).
>
> You may also check in the KDC logs what principals are requested by
> clients.
> --
> BOFH excuse #11:
>
> magnetic interference from money/credit cards
>
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
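The SPN mismatch Guillaume describes can be checked before restarting slapd again. The following is an added example, not code from either poster: it derives the service principal a client would request from the host in each ldap.conf URI and compares it with the principals in a `klist -k` listing. The realm EXAMPLE.NET, the resolver table (standing in for DNS lookups) and the `klist -k` output are all constructed here.

```python
"""Check that an LDAP server keytab holds every SPN its GSSAPI clients will ask for.

A client builds ldap/<canonical hostname>@REALM from the host part of the URI
in ldap.conf; an IP address is reverse-resolved first. The resolver table and
the `klist -k` output below are constructed for this example.
"""
import re
from urllib.parse import urlsplit

REALM = "EXAMPLE.NET"  # constructed placeholder realm

# Constructed stand-in for DNS; real code would use socket.gethostbyaddr()
# / socket.getfqdn() and would have to agree with the KDC's view of DNS.
RESOLVER = {
    "127.0.0.1": "localhost",
    "10.1.1.1": "declips.privat.net",
    "declips": "declips.privat.net",
    "declips.privat.net": "declips.privat.net",
    "localhost": "localhost",
}

# Constructed `klist -k` listing: only the FQDN principal is present,
# matching the state after the localhost entry was removed.
KLIST_K = """\
Keytab name: FILE:/etc/openldap/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/declips.privat.net@EXAMPLE.NET
   3 ldap/declips.privat.net@EXAMPLE.NET
"""


def keytab_principals(klist_output: str) -> set:
    """Collect the principal column from `klist -k` output."""
    return {m.group(1) for line in klist_output.splitlines()
            if (m := re.match(r"\s*\d+\s+(\S+@\S+)$", line))}


def expected_spn(uri: str, resolver=RESOLVER, realm=REALM) -> str:
    """Service principal a client using this ldap.conf URI will request."""
    host = urlsplit(uri).hostname
    return f"ldap/{resolver.get(host, host)}@{realm}"


def missing_spns(uris, klist_output=KLIST_K, resolver=RESOLVER, realm=REALM) -> dict:
    """Map each URI whose expected SPN is absent from the keytab to that SPN."""
    have = keytab_principals(klist_output)
    return {u: spn for u in uris
            if (spn := expected_spn(u, resolver, realm)) not in have}


if __name__ == "__main__":
    for uri, spn in missing_spns(["ldap://127.0.0.1/", "ldap://10.1.1.1/"]).items():
        print(f"{uri}: keytab lacks {spn}")
```

Run against a real host, replace RESOLVER with a DNS lookup and KLIST_K with the output of `klist -k` on the server; any URI reported here will fail in gss_accept_sec_context exactly as described in the thread.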
