
Re: OpenLDAP / SASL / Heimdal



Andreas Haupt wrote:

>Am Montag, 7. Juni 2004 12:42 schrieb Andreas Haupt:
>  
>
>>Hello,
>>
>>I'm trying to setup OpenLDAP with SASL2 and Heimdal. When trying to
>>authenticate I get the following error in the log files:
>>
>>2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/
>>dice.hmi.de@HMI.DE
>>2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/
>>dice.hmi.de@HMI.DE
>>2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects
>>request
>>2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects
>>request
>>2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
>>2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
>>
>>I don't have a clue what this means and how I can avoid the problem...
>>Heimdal server is version 0.6 (SuSE 9.0).
>>    
>>
>
>It seems this is related to the latest security update done by SuSE. After 
>downgrading I got another (not so crypted) error:
>
>blh@dice:~> ldapsearch -x -H ldap://dice.hmi.de/  -b "" -s base -LLL 
>supportedSASLMechanisms
>dn:
>supportedSASLMechanisms: GSSAPI
>
>blh@dice:~> ldapwhoami -H ldap://dice.hmi.de/ -D "cn=dice,dc=hmi,dc=de" -Y 
>GSSAPI
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Invalid credentials (49)
>        additional info: SASL(-13): authentication failure: GSSAPI 
>Failure: gss_accept_sec_context
>blh@dice:~> klist
>Credentials cache: FILE:/tmp/krb5cc_10296
>        Principal: blh@HMI.DE
>
>  Issued           Expires          Principal            
>Jun  7 13:07:21  Jun  8 14:07:21  krbtgt/HMI.DE@HMI.DE   
>Jun  7 13:32:38  Jun  8 14:07:21  ldap/dice.hmi.de@HMI.DE
>blh@dice:~> 
>
>So I got a ticket. The rest is hopefully not complicated...
>
>Greetings
>Andreas
>
>  
>
Can you test whether user blh can login to blh itself first? like this:
blh$ telnet -ax -l blh dice.hmi.de
The login should go ahead without asking blh's password.
Also keep track of your kerberos log file while doing the above test. In 
my system I used the following command to keep track of the kerberos log 
file:
tail -f /var/log/krb5kdc.log
If you don't see any message written to the log file while doing telnet 
-ax to dice, your kerberos server is not working.
If the telnet -ax is working without typing password, re-populate your 
ldif file with the following entries:
==== cut this to your file as rootdn.ldif ==========
dn: dc=dice,dc=hmi,dc=de
objectClass: dcObject
objectClass: organization
dc: dice
o: My Play Ground
description: My Play Ground  LDAP Database

# Administrative user for SoM Ldap database
dn: cn=root,dc=dice,dc=hmi,dc=de
objectClass: organizationalRole
cn: root
description: SuperUser for Ldap Services
============end of rootdn.ldif==================

In your DNS setup, make sure dice is the official host name not a CNAME.

sam
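Sam's advice is to watch the KDC log while reproducing the bind. The script below is an added example, not code from the thread or from Heimdal: it parses KDC log lines in the format quoted above (Heimdal 0.6 style), pairs each TGS-REQ with the diagnostic and reply lines that follow it, and reports which service-ticket requests the KDC refused. The sample lines are constructed from the quotes in the thread; the second request, with a 598-byte reply, is an assumed successful case for contrast.

```python
"""Group Heimdal KDC log lines into one record per TGS-REQ so that a failing
GSSAPI bind (ldap/<host>@REALM) can be traced to the KDC's decision.

Added example, not from the mailing-list thread. The line format follows
the Heimdal 0.6 log lines quoted in the thread; SAMPLE_LOG is constructed.
"""

import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the KDC log lines quoted in the thread.
# The 115-byte reply after a policy rejection is a KRB-ERROR; the 598-byte
# reply on the second request is an assumed successful TGS-REP.
SAMPLE_LOG = """\
2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/dice.hmi.de@HMI.DE
2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects request
2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
2004-06-07T13:32:38 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/dice.hmi.de@HMI.DE
2004-06-07T13:32:38 sending 598 bytes to IPv4:134.30.5.92
"""

TGS_RE = re.compile(
    r"^(?P<ts>\S+) TGS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<service>\S+)$"
)
SEND_RE = re.compile(r"^(?P<ts>\S+) sending (?P<nbytes>\d+) bytes to (?P<addr>\S+)$")


@dataclass
class TgsRequest:
    ts: str
    client: str
    addr: str
    service: str
    errors: List[str] = field(default_factory=list)  # diagnostics before the reply
    reply_bytes: Optional[int] = None

    @property
    def rejected(self) -> bool:
        """True when the KDC logged at least one diagnostic for this request."""
        return bool(self.errors)


def parse_kdc_log(text: str) -> List[TgsRequest]:
    """Return one TgsRequest per TGS-REQ line.

    Heimdal writes the request line first, then any diagnostic lines, then
    the 'sending N bytes' line for the reply; everything up to the next
    TGS-REQ line is attributed to the request that precedes it.
    """
    requests: List[TgsRequest] = []
    current: Optional[TgsRequest] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TGS_RE.match(line)
        if m:
            current = TgsRequest(m["ts"], m["client"], m["addr"], m["service"])
            requests.append(current)
            continue
        if current is None:
            continue  # line before the first request; nothing to attach it to
        m = SEND_RE.match(line)
        if m:
            current.reply_bytes = int(m["nbytes"])
            continue
        # Any other line is a diagnostic: keep the text after the timestamp.
        _, _, msg = line.partition(" ")
        current.errors.append(msg)
    return requests


def summarise(requests: List[TgsRequest]) -> List[str]:
    """One line per request: who asked for which service, and the outcome."""
    out = []
    for r in requests:
        status = "REJECTED: " + "; ".join(r.errors) if r.rejected else "ok"
        out.append(f"{r.ts} {r.client} -> {r.service} from {r.addr}: {status}")
    return out


if __name__ == "__main__":
    for line in summarise(parse_kdc_log(SAMPLE_LOG)):
        print(line)
```

Run it against `tail -n 200` of the KDC log instead of SAMPLE_LOG to see, per client and service principal, whether the server side of the GSSAPI exchange failed at the KDC (a rejected TGS-REQ for ldap/dice.hmi.de) or only later in slapd's gss_accept_sec_context, which narrows the search to the KDC policy in the first case and to the LDAP server's keytab and hostname in the second.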