On Thu, Sep 2, 2010 at 1:22 AM, Bill MacAllister <[email protected]> wrote:
>
> Simon Wilkinson discussed the problem on the Heimdal list.
>
> The problem is that both the client and the server must have a
> matching idea of the service principal to use in establishing the
> GSSAPI connection.
>
> The client will use ldap/ldap.uvm.edu, as that's the only name it
> knows the server by. However, the server will end up using
> ldap/hostname() and therefore the two won't match, and you'll get
> these errors.

So what is the sasl-host directive good for? It does something, in fact - if I enable it and set it to ldap.example.com, GSSAPI auth stops working with the same error.

Also, I've tried to set the server hostname to "ldap", and hostname --fqdn returned ldap.example.com, but this did not help either.

--
Zaar
