Hello. Here is something that might deserve a note in the "11.2.1. GSSAPI" section of the sysadmin guide.
Trying:

    $ ldapwhoami -H ldap://db -Y GSSAPI
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Invalid credentials (49)
            additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

In the "slapd" log, one can see that a "kvno 1" is looked for:

    2006-02-16_14:03:12.81305 SASL [conn=0] Failure: GSSAPI Error: Miscellaneous failure (see text) (failed to find ldap/[EMAIL PROTECTED](kvno 1) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96))

But it's version "2" in the keytab file:

    # ktutil list
    FILE:/etc/krb5.keytab:

    Vno  Type                     Principal
      2  des-cbc-md5              ldap/[EMAIL PROTECTED]
      2  des-cbc-md4              ldap/[EMAIL PROTECTED]
      2  des-cbc-crc              ldap/[EMAIL PROTECTED]
      2  aes256-cts-hmac-sha1-96  ldap/[EMAIL PROTECTED]
      2  des3-cbc-sha1            ldap/[EMAIL PROTECTED]
      2  arcfour-hmac-md5         ldap/[EMAIL PROTECTED]

I'm using "Heimdal" Kerberos, and the keytab was updated with

    # ktutil get -p eran/admin ldap/db.harfang.homelinux.org

which, if I understood correctly, seems to be responsible for the "kvno" change, while the "ext" sub-command doesn't modify it.

And indeed, after deleting the "ldap" principal, re-creating it, and using "ext" to update the keytab, I now get a response from "slapd":

    $ ldapwhoami -H ldap://db -Y GSSAPI
    SASL/GSSAPI authentication started
    SASL username: [EMAIL PROTECTED]
    SASL SSF: 56
    SASL installing layers
    dn:uid=eran,cn=gssapi,cn=auth

Two (probably similar) questions still:

1. Why is the "ldap" part in the principal name ldap/[EMAIL PROTECTED] hard-coded? [I had tried with another "prefix", and was stuck until I was told, on the "cyrus-sasl" ML, that I couldn't.]

2. Why can't the "kvno" be changed?

Thanks,
Gilles
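Added example, not part of the post above: a small Python parser for the keytab file (MIT/Heimdal 0x0502 format) that performs the same lookup slapd's GSSAPI acceptor does, matching principal, kvno and enctype together, so a "keytab has vno 2 but the ticket was issued under kvno 1" mismatch can be diagnosed offline. The host, realm and key bytes are constructed placeholders, and build_entry only exists to produce the sample keytab.

```python
import struct                                  # keytab fields are big-endian
AES256 = 18   # aes256-cts-hmac-sha1-96 enctype number (RFC 3962)

def parse_keytab(data):
    """Return [(principal, vno, enctype)] for a 0x0502-format keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size <= 0:                          # negative size marks a deleted slot
            pos += -size or len(data)          # size 0 would be corrupt: stop
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        p, parts = pos + 2, []
        for _ in range(ncomp + 1):             # realm first, then name components
            (ln,) = struct.unpack(">H", data[p:p + 2])
            parts.append(data[p + 2:p + 2 + ln].decode())
            p += 2 + ln
        p += 8                                 # skip name_type and timestamp
        vno, enctype, klen = struct.unpack(">BHH", data[p:p + 5])
        p += 5 + klen                          # skip the key bytes themselves
        if end - p >= 4:                       # optional 32-bit vno overrides vno8
            vno = struct.unpack(">I", data[p:p + 4])[0] or vno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], vno, enctype))
        pos = end
    return entries

def acceptor_lookup(entries, principal, kvno, enctype):
    """What gss_accept_sec_context needs: principal, kvno and enctype all match."""
    present = sorted({v for n, v, e in entries if n == principal and e == enctype})
    return kvno in present, present            # present = vnos the keytab does hold

def build_entry(principal, vno, enctype, key):
    """Serialise one keytab entry (helper for the constructed sample below)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, vno & 0xFF)          # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

# Constructed sample mirroring the post: keytab holds vno 2, ticket asks for kvno 1.
PRINC = "ldap/db.example.org@EXAMPLE.ORG"    # placeholder host and realm
KEYTAB = b"\x05\x02" + build_entry(PRINC, 2, AES256, b"\x00" * 32) \
                     + build_entry(PRINC, 2, 16, b"\x00" * 24)
```

acceptor_lookup(parse_keytab(KEYTAB), PRINC, 1, AES256) reports the same failure slapd logged: no entry at kvno 1, only [2], which is the cue to re-extract the keytab rather than to touch the LDAP side.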
