-   Linux - Server (
-   -   Problem with kerberos sasl mapping in 389-ds? (

red888 01-09-2013 08:34 AM

Problem with kerberos sasl mapping in 389-ds?
I'm really pulling my hair out over this and have asked questions about this issue on multiple forums only to get 0 responses every time. All I ask is for least maybe some guidance to point me in the right direction. Or maybe someone could point out if this is just a poorly worded question so I could correct\add any information that would make it more palatable.

I have a fedora client that I am trying to authenticate to a centos server running 389 ds using kerberos.

I can run

kinit <my-user-principal>
on the fedora client successfully and get a ticket, and I can also make successful queries with

ldapsearch -x
using simple authentication, but no matter what I try I just cannot authenticate with kerberos to the 389 server.

whenever I try

ldapwhoami -I -Y GSSAPI
(this is of course after running kinit) I get the following error:


SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: test@LAB2.LOCAL
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)
Doing a klist I can see I have my tickets:


Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@LAB2.LOCAL

Valid starting Expires Service principal
01/09/13 00:26:58 01/10/13 00:26:58 krbtgt/LAB2.LOCAL@LAB2.LOCAL
renew until 01/09/13 00:26:58
01/09/13 00:27:45 01/10/13 00:26:58 ldap/dp100srv1.lab2.local@LAB2.LOCAL
renew until 01/09/13 00:26:58
I can run the following command to confirm my 389 server is offering the GSSAPI security mech:

ldapsearch -H ldap://dp100srv1.lab2.local -x -b "" -s base -LLL supportedSASLMechanisms
Going to the 389 server I edited the nsslapd-accesslog-level attribute of cn=config to be 260 and when I checked the access log I found this ( is the IP of my fedora client):


tail -n 15 /var/log/dirsrv/slapd-dp100srv1/access
[09/Jan/2013:00:58:13 -0500] conn=130 fd=64 slot=64 connection from to
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 UNBIND
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 fd=64 closed - U1
What is BIND dn="" about? Is it trying to bind with a null DN?
The DN of my ldap user is:

The kerberos SPN is:

According to the 389 docs the default sasl maps that are already configured should be enough for my purposes.

Where else can I look to troubleshoot this?

Also, the fact that I have asked this question many different ways in other places and received no responses makes me think I am doing something wrong. Please let me know if\why this is a stupid or bad question and I'll try to fix it.

All times are GMT -5. The time now is 07:17 PM.