Hi everybody. I was able to be authenticated to Kerberos. My problem was not in the config but on my client machine.
There were some packages missing, so I deleted all packages related to krb5 and installed these three: krb5-user heimdal-kcm heimdal-kdc. kinit [email protected] worked on my client machine.

My question now is how to authenticate users by their login/password when their machine starts up. I'm really a newbie in Kerberos and ApacheDS (3 weeks). Behind this I would like to serve some filesystems using Samba. Is there a way to configure ApacheDS in order to do such stuff?

------
                             login                                   export filesystem
 | client |-------------------------------| Apache DS |-----------------------| Samba / NFS |
 user types his login/pwd      Check the user in LDAP directory      Tells samba server what to serve to the user
------

Hope that I'm clear. Thank you guys.

----- Original mail -----
From: "Stefan Seelmann" <[email protected]>
To: [email protected]
Sent: Monday 28 June 2010 17:18:02
Subject: Re: ApacheDS and kerberos problems

> i tried to authenticate the same user using apache directory Studio i
> got GSSAPI errors:
>
> L'authentification a échouée (authentication failed in english)
> - GSSAPI
> javax.naming.AuthenticationException: GSSAPI [Root exception is
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Server
> not found in Kerberos database (7) - Server not found in Kerberos
> database)]]
...
> my connection settings are:
> for the first screen:
> as i work on distant workstation:
> i put in the network parameters:
> hostname 10.0.10.22 (ip address of my Apache DS)
> port 10389

Seems there is a problem to locate the service principal for the LDAP service. Kerberos is very accurate regarding host names, if possible use the FQDN instead of the IP address. Also make sure that the clock on your machines is in sync.

Please check:
- the LDAP server principal (uid=ldap,ou=Users,dc=example,dc=com) must not contain "localhost" but your FQDN (or IP address)
- same for attributes saslHost and saslPrincipal in server.xml

Also check the ApacheDS logs (with enabled debug log level as described in the docu) which service principals are used in lookups.

> so i tried also to run this command on the server : ldapsearch -b
> "dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI
> i got this output:
> # ldapsearch -b "dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Same as above, check the logs and make sure the service principals use the right host names.

An additional note: when using ldapsearch you need to set SSF to 0

  ldapsearch ... -Y GSSAPI -O "maxssf=0"

This seems to be a bug in ApacheDS...

HTH,
Stefan
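As an added example (not from this thread and not ApacheDS code), a small Python checker for the host-name rules in the reply above: it parses a service principal of the form service/host@REALM, flags "localhost" or an IP literal in the host part, and cross-checks the saslHost and saslPrincipal attributes in a constructed server.xml fragment. The attribute names come from the reply; placing them on a <ldapServer> element is an assumption.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the thread). The saslHost/saslPrincipal
# attribute names come from the reply; putting them on <ldapServer> is an assumption.
SAMPLE_SERVER_XML = """<beans>
  <ldapServer id="ldapServer" saslHost="localhost"
              saslPrincipal="ldap/[email protected]"/>
</beans>"""

# service/host@REALM, e.g. ldap/ldap.example.com@EXAMPLE.COM
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_principal(principal, expected_fqdn):
    """Return the problems found in the host part of a service principal."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return ["%r is not of the form service/host@REALM" % principal]
    host = m.group("host")
    problems = []
    if host.lower() in ("localhost", "localhost.localdomain"):
        problems.append("host part of %r is localhost; clients look up ldap/<FQDN>" % principal)
    elif is_ip_literal(host):
        problems.append("host part of %r is an IP literal, prefer the FQDN" % principal)
    elif host.lower() != expected_fqdn.lower():
        problems.append("host part of %r is not the expected FQDN %r" % (principal, expected_fqdn))
    return problems


def check_server_xml(xml_text, expected_fqdn):
    """Check saslHost and saslPrincipal on every element that carries them."""
    problems = []
    for elem in ET.fromstring(xml_text).iter():
        sasl_host, sasl_principal = elem.get("saslHost"), elem.get("saslPrincipal")
        if sasl_host is not None and sasl_host.lower() != expected_fqdn.lower():
            problems.append("saslHost %r should be the FQDN %r" % (sasl_host, expected_fqdn))
        if sasl_principal is not None:
            problems.extend(check_principal(sasl_principal, expected_fqdn))
    return problems
```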
