01-17-2008, 11:10 AM   #1
charlweed (Member, registered Jan 2005, 35 posts)
LDAP config problem with GSSAPI: No such file or directory


Hi folks,
I'm having a real hard time debugging this.
I'm trying to do a new ldap+kerberos install, on a new Fedora 7 box. I can kinit, but I can't get ldapsearch or ldapwhoami to work locally. I thought it was a read problem with the keytab files, but I tried setting KRB5_KTNAME to a keytab file I knew was readable by slapd, and that did not help. I also checked permissions on my certificates, and that seems OK too. ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.

I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not show which resource is not accessible. Actually I'm surprised that strace does not show any attempts to open the keytabs or anything in /etc/openldap/cacerts...

I tried briefly making /etc/krb5.keytab world readable, but it did not change the "No such file" error.
The logs I check are /var/log/messages, slapd, and krb5kdc.log. The logs do not show the ldap client error. I DID see some SELinux errors for krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This did not stop the error. I guess I'll try turning SELinux off and see if that makes any difference.

Any help would be greatly appreciated.
*******************************************
*******************************************

[installer@trixter ~]$ ldapwhoami -V -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
(LDAP library: OpenLDAP 20333)
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory)

*******************************************
*******************************************

[installer@trixter ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: installer@HYMESRUZICKA.ORG

Valid starting Expires Service principal
01/15/08 13:11:43 01/16/08 13:11:43 krbtgt/HYMESRUZICKA.ORG@HYMESRUZICKA.ORG
01/15/08 13:12:35 01/16/08 13:11:43 ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

*******************************************
*******************************************

[installer@trixter ~]$ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# This file should be world readable but not world writable.
BASE dc=hymesruzicka,dc=org
URI ldap://trixter.hymesruzicka.org:11562 ldaps://trixter.hymesruzicka.org:636
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
#SIZELIMIT 12
TIMELIMIT 5
#DEREF never


*******************************************
*******************************************

BTW: Here's the command with debug on:
[installer@trixter ~]$ ldapwhoami -V -d 1 -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
(LDAP library: OpenLDAP 20333)
ldap_create
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP trixter.hymesruzicka.org:11562
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.3:11562
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=trixter.hymesruzicka.org
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 589 bytes to sd 3
ldap_result ld 0x8d82038 msgid 1
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
wait4msg ld 0x8d82038 msgid 1 (infinite timeout)
wait4msg continue ld 0x8d82038 msgid 1 all 1
** ld 0x8d82038 Connections:
* host: trixter.hymesruzicka.org port: 11562 (default)
refcnt: 2 status: Connected
last used: Wed Jan 16 10:11:11 2008

** ld 0x8d82038 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x8d82038 Response Queue:
Empty
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
ldap_int_select
read1msg: ld 0x8d82038 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
read1msg: ld 0x8d82038 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8d82038 0 new referrals
read1msg: mark request completed, ld 0x8d82038 msgid 1
request done: ld 0x8d82038 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory)
 
01-17-2008, 12:44 PM   #2
charlweed (Original Poster)
Someone helped me with the solution.

I have FDS 1.1, and

"KRB5_KTNAME=/var/kerberos/krb5kdc/fdirsrv.keytab ; export KRB5_KTNAME"

was already in /etc/sysconfig/dirsrv. Unfortunately, I was trying to put

"export KRB5_KTNAME=/etc/dirsrv/slapd-trixter/fdirsrv.keytab"

in my dirsrv startup script, and that was where the keytab actually was. But I moved it, and cleaned up the startup script, and it worked. I don't understand why this did not show up in any of the dirsrv logs, but I'll take the solution.

Now krb5kdc is reporting a "Clock skew too great" error, which is very strange; everything is on the same host: krb5kdc, dirsrv, and the ldap client.

C.
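The root cause in this thread was a KRB5_KTNAME assignment in /etc/sysconfig/dirsrv that named a keytab path which did not exist, and the only symptom was the "No such file or directory" minor status inside a GSSAPI bind failure. The script below is an added example written for this page, not code from the thread or from Fedora Directory Server: it reads the KRB5_KTNAME assignment out of a sysconfig-style environment file (both the `VAR=path ; export VAR` and `export VAR=path` forms seen in the post), then checks that the keytab exists and is readable by the invoking user, distinguishing "no assignment", "path missing" and "not readable" with separate exit codes. The file names under the temporary directory in `demo` are constructed for the demonstration; `klist -kt` is the MIT Kerberos keytab listing and is only run if that tool is present.

```shell
#!/bin/sh
# Added example: validate the keytab a service will actually use, as named by
# KRB5_KTNAME in a sysconfig-style file. A dangling KRB5_KTNAME shows up only as
# "No such file or directory" inside the GSSAPI minor status of a failed bind.

# keytab_from_envfile FILE
#   Print the path assigned to KRB5_KTNAME in FILE (first non-comment match,
#   surrounding quotes stripped), or print nothing if there is no assignment.
keytab_from_envfile() {
    grep 'KRB5_KTNAME=' "$1" 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | head -n 1 \
        | sed -E 's/.*KRB5_KTNAME=([^;[:space:]]*).*/\1/' \
        | tr -d "'\""
}

# check_keytab ENVFILE
#   Exit status: 0 keytab exists and is readable by this user
#                1 no KRB5_KTNAME assignment found in ENVFILE
#                2 the assigned path does not exist (the thread's failure mode)
#                3 the path exists but is not readable by this user
check_keytab() {
    kt=$(keytab_from_envfile "$1")
    if [ -z "$kt" ]; then
        echo "no KRB5_KTNAME assignment in $1" >&2
        return 1
    fi
    if [ ! -e "$kt" ]; then
        echo "KRB5_KTNAME=$kt but that path does not exist" >&2
        return 2
    fi
    if [ ! -r "$kt" ]; then
        echo "$kt exists but is not readable by $(id -un); check owner, mode and SELinux context" >&2
        return 3
    fi
    echo "$kt exists and is readable by $(id -un)"
    # With MIT Kerberos installed, list the keys so the ldap/<host> principal can be confirmed.
    if command -v klist >/dev/null 2>&1; then
        klist -kt "$kt" 2>/dev/null || true
    fi
    return 0
}

# demo: constructed inputs in a temporary directory (not real system paths).
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/good.keytab"
    # Same two assignment styles that appeared in the thread.
    printf 'KRB5_KTNAME=%s ; export KRB5_KTNAME\n' "$tmp/good.keytab" > "$tmp/dirsrv.good"
    printf 'export KRB5_KTNAME=%s\n' "$tmp/missing.keytab" > "$tmp/dirsrv.bad"
    check_keytab "$tmp/dirsrv.good"; echo "good -> exit $?"
    check_keytab "$tmp/dirsrv.bad";  echo "bad  -> exit $?"
    rm -rf "$tmp"
}

demo
```

Run the check as the account the directory server runs under (for example via `su -s /bin/sh <service-user>`), not as root: root can read anything, so a success as root says nothing about whether slapd or dirsrv can open the keytab. The `-r` test also cannot see SELinux denials, which is why a keytab that passes here but still fails in the daemon points at the audit log rather than at file permissions.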
 
  

