On Mon, 12 May 2014 20:52:14 -0600, Joshua Schaeffer <[email protected]> wrote:

> I'm looking for a little help concerning the below error I get when I
> do an ldapsearch:
>
> root@mytest:~# ldapsearch -Y GSSAPI
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> error (80)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information ()
>
> That error is pretty generic to me and the searching I've done to
> find a solution has not yielded anything successful. I have MIT
> Kerberos and SASL set up and I'm able to successfully get a TGT from
> any machine that can see my KDC. I also can successfully search my
> ldap directory using simple authentication. I've run the
> sasl-sample-client and server between several machines including:
> ldap server to krb server, test server to krb server, test server to
> ldap server, etc. I can complete the sasl test on every one.
> Running slapd in debug mode doesn't provide me with any additional
> information:
>
> root@baneling:~# slapd -h "ldap:/// ldapi:///" -d 256
> 5371865b @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $
>         root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
> 5371865c slapd starting
> 53718672 conn=1000 fd=13 ACCEPT from IP=10.1.10.10:53839 (IP=0.0.0.0:389)
> 53718672 conn=1000 op=0 BIND dn="" method=163
> 53718672 SASL [conn=1000] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
> 53718672 conn=1000 op=0 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
> 53718672 conn=1000 op=1 UNBIND
> 53718672 conn=1000 fd=13 closed
> 53718672 connection_read(13): no connection!
>
> I do have the keytab in a non-standard location on the ldap server
> (/etc/ldap/ldap.keytab), so I modified /etc/default/slapd and
> restarted slapd.
>
> I'm not really sure what I can provide from my cn=config that would
> help diagnose this issue; let me know and I can respond with the
> details.
>
> Here is my ldap.conf from the server I'm running the ldapsearch from
> (my test server):
>
> root@mytest:~# cat /etc/ldap/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE    dc=harmonywave,dc=com
> URI     ldap://baneling.harmonywave.com
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
>
> # TLS certificates (needed for GnuTLS)
> TLS_CACERT      /etc/ssl/certs/ca.harmonywave.com.pem
> TLS_REQCERT     demand
> TLS_CHECKPEER   yes
> TLS_CIPHER_SUITE SECURE256
>
> # LDAP sudo settings
> sudoers_base    ou=SUDOers,dc=harmonywave,dc=com
>
> # SASL Kerberos settings
> SASL_MECH       GSSAPI
> SASL_REALM      HARMONYWAVE.COM

Does klist show a ldap service principal?

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
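A server-side check for the question Dieter raises, added here as an example and not part of the thread: it verifies that the keytab at the path Joshua named contains ldap/baneling.harmonywave.com@HARMONYWAVE.COM as a whole principal, that /etc/default/slapd points KRB5_KTNAME at that keytab, and that the slapd service account can read it. The slapd user name (openldap) and the embedded sample klist output are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic helper for the thread above (not part of it). It checks
# the server-side causes of "Unspecified GSS failure" the thread circles:
# the keytab holds ldap/<fqdn>@<REALM>, /etc/default/slapd exports
# KRB5_KTNAME for it, and the slapd user can read it. Host, realm and
# keytab path come from the thread; SLAPD_USER is an assumption.
LDAP_HOST="baneling.harmonywave.com"
REALM="HARMONYWAVE.COM"
KEYTAB="/etc/ldap/ldap.keytab"
SLAPD_USER="openldap"

# Service principal slapd's GSSAPI acceptor needs for this host.
expected_ldap_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Return 0 if the given `klist -k` output lists the principal as a whole
# field (so host/... or ldap/other.host@REALM does not count as a match).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Run the three checks against the live host; stops at the first failure.
check_slapd_gssapi() {
    principal=$(expected_ldap_principal "$LDAP_HOST" "$REALM")
    if [ ! -r "$KEYTAB" ]; then
        echo "FAIL: $KEYTAB missing or unreadable as $(id -un)"; return 1
    fi
    if ! keytab_has_principal "$(klist -k "$KEYTAB")" "$principal"; then
        echo "FAIL: $principal not found in $KEYTAB (see: klist -k $KEYTAB)"; return 1
    fi
    if ! grep -q "KRB5_KTNAME=$KEYTAB" /etc/default/slapd 2>/dev/null; then
        echo "FAIL: /etc/default/slapd does not set KRB5_KTNAME=$KEYTAB"; return 1
    fi
    if ! su -s /bin/sh "$SLAPD_USER" -c "test -r '$KEYTAB'"; then
        echo "FAIL: $KEYTAB is not readable by $SLAPD_USER"; return 1
    fi
    echo "OK: $principal present, KRB5_KTNAME set, readable by $SLAPD_USER"
}

# Constructed sample of `klist -k` output, used for an offline self-check.
SAMPLE_KLIST='Keytab name: FILE:/etc/ldap/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/baneling.harmonywave.com@HARMONYWAVE.COM
   2 ldap/baneling.harmonywave.com@HARMONYWAVE.COM'

if [ "${1:-}" = "--run" ]; then check_slapd_gssapi; fi
```

Run it as `sh check.sh --run` on the LDAP server as root; the first FAIL line names the missing piece.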
