using ldapsearch gettting Invalid credentials (49) error

p1111a · 05-04-2009, 02:17 PM

Hello all,

I have been trying to get this to work for sometime now and need some suggestions, please.

I have a RHEL 5 environment (under VMware) and have been able to get kerberos and ldap to work correctly using simple authentication (-x). However, when I use gssapi via the ldapsearch command I get the following error:

ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

I don't see anything in the kerberos log when I run the ldapsearch command, which I assume indicates a problem with the ldap server (or other).
Please let me know if there is anymore information I can provide.

Thanks in advance.

archangel_617b · 05-05-2009, 12:59 PM

I can't say I can offer too much help, but since nobody else has responded, I'll put in my two cents...

Can you show what tickets you've got from klist? Have you got all your service principals etc setup?

- Arch

p1111a · 05-05-2009, 02:25 PM

Thank you for the reply. I do have a tgt from the kerberos server. And (I think) I have the appropriate service principal. Here you go:

[root@gateway1-vm openldap]# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testldap1@SYSENGLAB.NET

Valid starting Expires Service principal
05/05/09 12:13:34 05/06/09 12:13:34 krbtgt/SYSENGLAB.NET@SYSENGLAB.NET
05/05/09 12:13:51 05/06/09 12:13:34 ldap/gateway1-vm

Thanks again.

p1111a · 05-15-2009, 05:44 PM

I have figured out the problem. I decided to go through my entire DNS setup and changed the resolve address to return FQDN for each host. After this I was able to run the command (ldapsearch) and do what I initially intended....which was to be able to SSO (single sign on) using a completely RHEL 5 environment.
The issue here is that my company (for what ever reason) at one point (before I took over the ldap/kerberos administration) decided to use short names for the reverse lookups. This worked for a long time until we decided to go with RHEL 5 and SSO stopped working so I was forced to revisit the entire ldap/kerberos envirnment.

Thanks for the replies.... - PJM