Chastity Blackwell wrote:
> On Thu, 2012-01-26 at 18:40 -0500, Howard Chu wrote:
>> Does kinit work for your chas@KRBTEST user? Judging from what you've pasted
>> here, I don't think it should. Get your basic Kerberos installation working
>> first. Take things one step at a time.
>
> It does:
>
> [chas@ldapsandbox log]$ ldapwhoami
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Unknown code krb5
> 195)
> [chas@ldapsandbox log]$ kinit chas
> Password for chas@KRBTEST:
> [chas@ldapsandbox log]$ ldapwhoami
> SASL/GSSAPI authentication started
> SASL username: chas@KRBTEST
> SASL SSF: 56
> SASL installing layers
> dn:uid=chas,ou=people,dc=test,dc=com
> Result: Success (0)
> [chas@ldapsandbox log]$
>
> As I said, I think Kerberos and LDAP are all working on their own... it's
> the combination of the two doing the SASL passthrough that is
> confounding me.
Seems like it's working for the wrong reasons, then. Your krb5.conf:
[libdefaults]
    default_realm = KRBTEST
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    AKTEST = {
        kdc = ldapsandbox.test.com:88
        admin_server = ldapsandbox.test.com:749
        default_domain = test.com
    }

[domain_realm]
    .agkn.net = KRBTEST
    agkn.net = KRBTEST
You defined a kdc for an "AKTEST" realm; you don't actually have any kdc
defined for the "KRBTEST" realm so kinit should be failing.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
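The mismatch Howard points out (a kdc defined for AKTEST while default_realm and the [domain_realm] mappings name KRBTEST) is the kind of thing a small consistency check catches before anyone starts debugging SASL. The following is an added example, not code from the thread or from the OpenLDAP or MIT Kerberos projects; the function names parse_krb5_conf and check_realms are my own, the parser understands only the [section] / key = value / key = { ... } shapes that krb5.conf uses, and the sample input is the krb5.conf quoted above.

```python
"""Consistency checks for a krb5.conf: does the default realm actually have a
KDC, and do [domain_realm] mappings point at realms that are defined?"""

import re

# Constructed test input: the krb5.conf quoted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = KRBTEST
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    AKTEST = {
        kdc = ldapsandbox.test.com:88
        admin_server = ldapsandbox.test.com:749
        default_domain = test.com
    }

[domain_realm]
    .agkn.net = KRBTEST
    agkn.net = KRBTEST
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}.

    `name = { ... }` blocks become nested dicts; a key repeated inside one
    scope (e.g. several kdc lines) is collected into a list.
    """
    sections = {}
    current = None   # dict of the [section] being filled
    block = None     # dict of the { ... } block being filled, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            block = None
            continue
        if current is None:
            raise ValueError("key/value before any [section]: %r" % raw)
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = current.setdefault(key, {})
            continue
        target = block if block is not None else current
        if key in target:
            old = target[key]
            target[key] = old + [value] if isinstance(old, list) else [old, value]
        else:
            target[key] = value
    return sections


def check_realms(conf):
    """Return a list of findings; an empty list means the realm wiring is consistent."""
    findings = []
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")

    # 1. The default realm must exist in [realms] and carry at least one kdc.
    if default_realm is None:
        findings.append("no default_realm in [libdefaults]")
    elif default_realm not in realms:
        findings.append("default_realm %s has no [realms] entry" % default_realm)
    elif not isinstance(realms[default_realm], dict) or "kdc" not in realms[default_realm]:
        findings.append("realm %s has no kdc line" % default_realm)

    # 2. Every realm a domain is mapped to must be defined.
    for domain, realm in domain_realm.items():
        if realm not in realms:
            findings.append("domain_realm maps %s to undefined realm %s" % (domain, realm))

    # 3. A realm that nothing references is usually a typo for the one that is.
    referenced = {default_realm} | set(domain_realm.values())
    for realm in realms:
        if realm not in referenced:
            findings.append("realm %s is defined but never referenced" % realm)
    return findings


if __name__ == "__main__":
    for finding in check_realms(parse_krb5_conf(SAMPLE_KRB5_CONF)) or ["OK"]:
        print(finding)
```

Run against the quoted config the check reports that KRBTEST has no [realms] entry, that both [domain_realm] lines map to an undefined realm, and that AKTEST is defined but never referenced; renaming AKTEST to KRBTEST clears all four. Note that with dns_lookup_kdc = false there is no SRV-record fallback, so a realm without a kdc line has nowhere to go and the client library reports the failure as a generic GSS error rather than anything that names the realm.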