[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LDAP/Kerberos/GSSAPI Error:Hostname cannot be canonicalized

On Tue,  1 Jul 2008 14:01:13 +0200 (CEST)
<fmayer@gmx.de> wrote:

> Hi list,
> I am trying to setup a LDAP-Server with SASL and Kerberos-authentication via
> GSSAPI. The Systems are running debian etch unsing the heimdal-implementation.
> As far as I see, most things (ldap, sasl, kerberos) seem to be set up and
> running but there is some kind misconfiguration: When I try to access the
> ldap-sever (having received a kerberos-ticket by "kinit fmayer" previously) I
> get an error-message:
> (a little bit anonymized)
> > fmayer@client:~$ klist
> > Credentials cache: FILE:/tmp/krb5cc_1002
> >	  Principal: fmayer@TESTREALM.LOCAL
> > 
> >   Issued	     Expires	      Principal
> > Jul  1 11:36:15  Jul	1 21:48:25  krbtgt/TESTREALM.LOCAL@TESTREALM.LOCAL
> > 
> > fmayer@client:~$ ldapsearch
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> >	  additional info: SASL(-1): generic failure: GSSAPI Error: An invalid
> name was supplied
> >	  (Hostname cannot be canonicalized)
> I believe, that this is a kerberos-misconfiguation, since LDAP worked fine with
> Both, machines as well as the ldap-service, do have a principal-entry in the
> kerberos-database and the names of the machines are being found in via the DNS.
> Currently a little bit puzzeled, what is going wrong, when (certainly) the
> server complains, that a "Hostname cannot be canonicalized". Searching with
> google with these keywords does not lead to anything useful.
> Could anyone give me a hint, what is possibly going wrong in the configuration?
> Of course I could have added some more debug-information from either the
> log-file and/or by using the "-d"-switch - but I do not want to spam the list,
> especially not in the first posting :)

What do you get from:

  $ hostname -f



Michael B Allen
PHP Active Directory SPNEGO SSO