
LDAP/Kerberos/GSSAPI Error:Hostname cannot be canonicalized
Hi list,
I am trying to set up an LDAP server with SASL and Kerberos authentication via
GSSAPI. The systems are running Debian etch using the Heimdal implementation.

As far as I see, most things (ldap, sasl, kerberos) seem to be set up and
running, but there is some kind of misconfiguration: when I try to access the
ldap-server (having received a kerberos-ticket by "kinit fmayer" previously) I
get an error message:

(a little bit anonymized)
> fmayer@client:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1002
>	  Principal: fmayer@TESTREALM.LOCAL
> 
>   Issued	     Expires	      Principal
> Jul  1 11:36:15  Jul	1 21:48:25  krbtgt/TESTREALM.LOCAL@TESTREALM.LOCAL
> 
> fmayer@client:~$ ldapsearch
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>	  additional info: SASL(-1): generic failure: GSSAPI Error: An invalid
> name was supplied
>	  (Hostname cannot be canonicalized)

I believe that this is a kerberos misconfiguration, since LDAP worked fine with
the SASL mech EXTERNAL.

Both the machines as well as the ldap-service have a principal entry in the
kerberos database, and the names of the machines are found via DNS.
I am currently a little bit puzzled about what is going wrong when (certainly) the
server complains that a "Hostname cannot be canonicalized". Searching
google with these keywords does not lead to anything useful.

Could anyone give me a hint as to what is possibly going wrong in the configuration?
Of course I could have added some more debug information from either the
log file and/or by using the "-d" switch, but I do not want to spam the list,
especially not in the first posting :)

Any idea is highly welcome & kind regards,
Frank
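The "Hostname cannot be canonicalized" message in the post is raised while the GSSAPI client turns the LDAP server's host name into a host-based service principal (ldap/FQDN@REALM) before asking the KDC for a ticket; if the forward lookup of that name fails, or reverse DNS rewrites it into a name that has no key in the server's keytab, the bind dies before any LDAP traffic is exchanged. The script below is an added example, not code from the post or from Heimdal/OpenLDAP, that models this canonicalization in simplified form against a constructed DNS table and keytab so the failure modes can be reproduced offline. The resolver callables, the `rdns` switch, the sample names under testrealm.local and the 192.0.2.0/24 addresses are all assumptions chosen for the example; the `system_forward`/`system_reverse` helpers show how the same logic would be pointed at the real libc resolver.

```python
"""Offline model of how a GSSAPI client canonicalizes the LDAP server name
before requesting a ldap/<fqdn>@REALM ticket.  Added example; the DNS table,
keytab contents and host names are constructed, not taken from the list post."""
import socket
from typing import Callable, List, Optional, Set, Tuple

class CanonicalizationError(Exception):
    """Raised when no usable FQDN can be derived for the target host."""

# Resolver callables so the same logic runs against real DNS or a fixed table.
ForwardFn = Callable[[str], Optional[Tuple[str, str]]]  # host -> (canonical name, ip)
ReverseFn = Callable[[str], Optional[str]]              # ip -> PTR name

def system_forward(host: str) -> Optional[Tuple[str, str]]:
    """Forward lookup through the libc resolver, requesting the canonical name
    (the same AI_CANONNAME style query a Kerberos library issues)."""
    try:
        _family, _type, _proto, canon, sockaddr = socket.getaddrinfo(
            host, None, flags=socket.AI_CANONNAME)[0]
    except socket.gaierror:
        return None
    return (canon or host, sockaddr[0])

def system_reverse(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup through the libc resolver; None when absent."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def canonical_hostname(host: str, forward: ForwardFn,
                       reverse: Optional[ReverseFn] = None, rdns: bool = True) -> str:
    """Return the lower-cased FQDN the client would put into the principal.
    Raises CanonicalizationError for the cases behind the post's error text."""
    host = host.strip().rstrip(".")
    if not host:
        raise CanonicalizationError("empty hostname (no -H URI and no URI/HOST in ldap.conf?)")
    resolved = forward(host)
    if resolved is None:
        raise CanonicalizationError(f"forward lookup of {host!r} failed")
    canon, ip = resolved
    if rdns and reverse is not None:
        ptr = reverse(ip)
        if ptr:
            canon = ptr  # with rdns enabled the PTR name replaces the A-record name
    return canon.lower().rstrip(".")

def service_principal(service: str, host: str, realm: str, forward: ForwardFn,
                      reverse: Optional[ReverseFn] = None, rdns: bool = True) -> str:
    """Build service/fqdn@REALM, the name the client will request a ticket for."""
    return f"{service}/{canonical_hostname(host, forward, reverse, rdns)}@{realm}"

def diagnose(host: str, realm: str, keytab_principals: Set[str], forward: ForwardFn,
             reverse: Optional[ReverseFn] = None, rdns: bool = True) -> List[str]:
    """Return findings for a prospective GSSAPI bind against `host`:
    canonicalization failures, or a principal the server keytab does not hold."""
    try:
        principal = service_principal("ldap", host, realm, forward, reverse, rdns)
    except CanonicalizationError as exc:
        return [f"FAIL: {exc}"]
    findings = [f"client will request ticket for {principal}"]
    if principal in keytab_principals:
        findings.append("OK: matching keytab entry present")
    else:
        findings.append(f"FAIL: {principal} is not in the server keytab; "
                        f"keytab has {sorted(keytab_principals)}")
    return findings

# --- constructed sample data (hypothetical hosts, documentation address range) ---
SAMPLE_A = {
    "ldap": ("ldap.testrealm.local", "192.0.2.10"),
    "ldap.testrealm.local": ("ldap.testrealm.local", "192.0.2.10"),
    "alias": ("ldap.testrealm.local", "192.0.2.10"),       # CNAME-style alias
    "alias2": ("alias2.testrealm.local", "192.0.2.11"),     # A record whose PTR differs
}
SAMPLE_PTR = {"192.0.2.10": "ldap.testrealm.local", "192.0.2.11": "other.testrealm.local"}
SAMPLE_KEYTAB = {"ldap/ldap.testrealm.local@TESTREALM.LOCAL",
                 "host/ldap.testrealm.local@TESTREALM.LOCAL"}

def table_forward(host: str) -> Optional[Tuple[str, str]]:
    return SAMPLE_A.get(host.lower())

def table_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)

if __name__ == "__main__":
    for h in ("ldap", "alias", "alias2", "ldap-server", ""):
        print(repr(h), "->", diagnose(h, "TESTREALM.LOCAL", SAMPLE_KEYTAB,
                                      table_forward, table_reverse))
```

Run as-is it walks the constructed table: a short name or alias that forward-resolves to the keytab's FQDN passes, an unresolvable name or an empty host reproduces the canonicalization failure, and `alias2` shows the reverse-DNS trap where a PTR record points at a name the keytab does not contain; passing `rdns=False` to `diagnose` demonstrates that the A-record name is used instead. Swapping `table_forward`/`table_reverse` for `system_forward`/`system_reverse` applies the same checks to a real resolver.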