Posted 01-09-2013, 08:34 AM (#1) by red888, LQ Newbie, registered Jan 2013, 6 posts
Problem with kerberos sasl mapping in 389-ds?

I'm really pulling my hair out over this and have asked questions about this issue on multiple forums only to get zero responses every time. All I ask for is at least some guidance to point me in the right direction. Or maybe someone could point out if this is just a poorly worded question so I could correct/add any information that would make it more palatable.

I have a Fedora client that I am trying to authenticate to a CentOS server running 389 DS using Kerberos.

I can run
kinit <my-user-principal>
on the Fedora client successfully and get a ticket, and I can also make successful queries with
ldapsearch -x
using simple authentication, but no matter what I try I just cannot authenticate with Kerberos to the 389 server.

Whenever I try
ldapwhoami -I -Y GSSAPI
(this is of course after running kinit) I get the following error:

SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: test@LAB2.LOCAL
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)
Doing a klist, I can see I have my tickets:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@LAB2.LOCAL

Valid starting       Expires              Service principal
01/09/13 00:26:58    01/10/13 00:26:58    krbtgt/LAB2.LOCAL@LAB2.LOCAL
        renew until 01/09/13 00:26:58
01/09/13 00:27:45    01/10/13 00:26:58    ldap/dp100srv1.lab2.local@LAB2.LOCAL
        renew until 01/09/13 00:26:58
I can run the following command to confirm my 389 server is offering the GSSAPI security mech:
ldapsearch -H ldap://dp100srv1.lab2.local -x -b "" -s base -LLL supportedSASLMechanisms
On the 389 server I set the nsslapd-accesslog-level attribute of cn=config to 260, and when I checked the access log I found this ( is the IP of my Fedora client):

tail -n 15 /var/log/dirsrv/slapd-dp100srv1/access
[09/Jan/2013:00:58:13 -0500] conn=130 fd=64 slot=64 connection from to
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 UNBIND
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 fd=64 closed - U1
What is BIND dn="" about? Is it trying to bind with a null DN?
The DN of my ldap user is:
The kerberos SPN is:
According to the 389 docs, the default SASL maps that are already configured should be enough for my purposes.

Where else can I look to troubleshoot this?

Also, the fact that I have asked this question many different ways in other places and received no responses makes me think I am doing something wrong. Please let me know if/why this is a stupid or bad question and I'll try to fix it.

Last edited by red888; 01-09-2013 at 08:47 AM. Reason: typo (wrong hostname in one of the commands)
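The empty bind DN in the access log above is normal for a SASL bind: the client sends no DN, the identity comes from the mechanism (for GSSAPI, the Kerberos principal that kinit obtained a ticket for), and the server then maps that authentication ID to a directory entry. For 389-ds that mapping is done by the regex entries under cn=mapping,cn=sasl,cn=config. The script below is an added illustration, not 389-ds code or anything from the original post: it re-implements the four default mapping entries as I have transcribed them from the 389-ds documentation (POSIX \( \) groups rewritten in Python syntax, map order and the dc=lab2,dc=local suffix are assumptions), shows which search base and filter the server would derive from test@LAB2.LOCAL, and pairs BIND/RESULT lines from the posted access log to list SASL binds that failed. It also goes beyond the thread's two-component realm to show that the greedy default Kerberos regex splits a realm such as lab2.example.com into the wrong dc= components, a case the page does not mention.

```python
"""Simulate 389-ds SASL identity mapping and flag failed SASL binds in an
access log.  Added example; not 389-ds code and not from the original post."""
import re

# Assumption: the directory suffix of the 389 server in the thread.
DEFAULT_SUFFIX = "dc=lab2,dc=local"

# Default mapping entries shipped under cn=mapping,cn=sasl,cn=config, as
# transcribed from the 389-ds documentation.  "&" stands for the whole
# match and \N for capture group N, as in nsSaslMapBaseDNTemplate and
# nsSaslMapFilterTemplate.  The evaluation order here is an assumption.
SASL_MAPS = [
    ("rfc 2829 dn syntax",   r"^dn:(.*)",        r"\1",          "(objectclass=*)"),
    ("rfc 2829 u syntax",    r"^u:(.*)",         DEFAULT_SUFFIX, r"(uid=\1)"),
    ("uid mapping",          r"^[^:@]+$",        DEFAULT_SUFFIX, "(uid=&)"),
    ("Kerberos uid mapping", r"(.*)@(.*)\.(.*)", r"dc=\2,dc=\3", r"(uid=\1)"),
]


def _expand(template, m):
    """Substitute & and \\N in a mapping template from a regex match."""
    out = template.replace("&", m.group(0))
    for i in range(1, (m.lastindex or 0) + 1):
        out = out.replace("\\%d" % i, m.group(i))
    return out


def map_authid(authid, maps=SASL_MAPS):
    """Return (map name, search base, search filter) for the first map whose
    regex matches the SASL authentication ID, or None if nothing matches."""
    for name, regex, base_tmpl, filter_tmpl in maps:
        m = re.search(regex, authid)
        if m:
            return name, _expand(base_tmpl, m), _expand(filter_tmpl, m)
    return None


# Access-log correlation: a SASL bind spans one or more BIND/RESULT pairs on
# the same conn/op; err=14 (saslBindInProgress) means "continue", err=0 is
# success, anything else is a failure.
BIND_RE = re.compile(
    r'conn=(\d+) op=(\d+) BIND dn="(.*?)" method=(\S+) version=\d+(?: mech=(\S+))?')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def failed_sasl_binds(lines):
    """Return [(conn, mechanism, err)] for SASL binds that did not succeed."""
    pending = {}
    failures = []
    for line in lines:
        b = BIND_RE.search(line)
        if b and b.group(4) == "sasl":
            pending[(b.group(1), b.group(2))] = b.group(5) or "?"
        r = RESULT_RE.search(line)
        if r and (r.group(1), r.group(2)) in pending:
            mech = pending.pop((r.group(1), r.group(2)))
            if r.group(3) not in ("0", "14"):
                failures.append((r.group(1), mech, int(r.group(3))))
    return failures


# Constructed sample: the GSSAPI attempt quoted in the post plus an invented
# successful simple bind on a second connection for contrast.
SAMPLE_LOG = [
    '[09/Jan/2013:00:58:16 -0500] conn=130 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[09/Jan/2013:00:58:16 -0500] conn=130 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
    '[09/Jan/2013:00:58:16 -0500] conn=130 op=1 UNBIND',
    '[09/Jan/2013:00:59:02 -0500] conn=131 op=0 BIND dn="uid=test,ou=people,dc=lab2,dc=local" method=128 version=3',
    '[09/Jan/2013:00:59:02 -0500] conn=131 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
]

if __name__ == "__main__":
    for authid in ("test@LAB2.LOCAL", "test@lab2.example.com", "u:test", "test"):
        print(authid, "->", map_authid(authid))
    print("failed SASL binds:", failed_sasl_binds(SAMPLE_LOG))
```

For the principal in the thread the default map yields base dc=LAB2,dc=LOCAL and filter (uid=test), so the bind can only succeed if an entry with uid=test exists under that suffix; with a three-label realm the greedy regex produces dc=lab2.example,dc=com instead, which is why such sites add their own nsSaslMapping entry with a tighter regex. Note that in the posted log the failure is reported by the GSSAPI layer itself, before any mapping search would show up as a SRCH line on the same connection.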