I'm really pulling my hair out over this and have asked questions about this issue on multiple forums only to get 0 responses every time. All I ask is for least maybe some guidance to point me in the right direction. Or maybe someone could point out if this is just a poorly worded question so I could correct\add any information that would make it more palatable.
I have a fedora client that I am trying to authenticate to a centos server running 389 ds using kerberos.
I can run
Code:
kinit <my-user-principal>
on the fedora client successfully and get a ticket, and I can also make successful queries with
using simple authentication, but no matter what I try I just cannot authenticate with kerberos to the 389 server.
whenever I try
(this is of course after running kinit) I get the following error:
Quote:
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: test@LAB2.LOCAL
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)
|
Doing a klist I can see I have my tickets:
Quote:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@LAB2.LOCAL
Valid starting Expires Service principal
01/09/13 00:26:58 01/10/13 00:26:58 krbtgt/LAB2.LOCAL@LAB2.LOCAL
renew until 01/09/13 00:26:58
01/09/13 00:27:45 01/10/13 00:26:58 ldap/dp100srv1.lab2.local@LAB2.LOCAL
renew until 01/09/13 00:26:58
|
I can run the following command to confirm my 389 server is offering the GSSAPI security mech:
Quote:
ldapsearch -H ldap://dp100srv1.lab2.local -x -b "" -s base -LLL supportedSASLMechanisms
|
Going to the 389 server I edited the nsslapd-accesslog-level attribute of cn=config to be 260 and when I checked the access log I found this (172.16.86.200 is the IP of my fedora client):
Quote:
tail -n 15 /var/log/dirsrv/slapd-dp100srv1/access
[09/Jan/2013:00:58:13 -0500] conn=130 fd=64 slot=64 connection from 172.16.86.200 to 172.16.86.100
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 UNBIND
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 fd=64 closed - U1
|
What is BIND dn="" about? Is it trying to bind with a null DN?
The DN of my ldap user is:
Quote:
uid=test,ou=people,dc=lab2,dc=local
|
The kerberos SPN is:
According to the 389 docs the default sasl maps that are already configured should be enough for my purposes.
Where else can I look to troubleshoot this?
Also, the fact that I have asked this question many different ways in other places and received no responses makes me think I am doing something wrong. Please let me know if\why this is a stupid or bad question and I'll try to fix it.