On Wed, 2006-11-08 at 18:28 -0800, Howard Chu wrote:
snip
MIT Kerberos is known to work very poorly with OpenLDAP slapd. Heimdal is known to work well. On the client side, either one will work, but generally I would recommend using Heimdal.
I have heard that through other sources as well. I'm really just using MIT Kerberos because it shipped with my distro. Can I move the Kerberos database directly to Heimdal in the future?
snip
I figure this is one of three possible problems. 1 - saslauthd isn't working right
SASL-enabled servers don't talk to saslauthd to perform GSSAPI authentication, so that is out of the equation.
That's very interesting. If openldap and other sasl enabled services don't need saslauthd, what does use it? Just curious. Maybe it's something I can turn off.
2 - ldap isn't talking to sasl correctly
unlikely.
3 - I've done something wrong with my ldap queries.
possible.
Kerberos seems to work fine. I can get my credentials with kinit, and the GSSAPI credentials are working for ssh logins. Also, I can use testsaslauthd and get a success from the authd server.
Since you say kinit works, what tickets does klist show you having?
[sleepylight@minitop ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502
Default principal: sleepylight@JIVE-TURKEY.NET

Valid starting     Expires            Service principal
11/08/06 23:42:04  11/09/06 23:42:04  krbtgt/JIVE-TURKEY.NET@JIVE-TURKEY.NET
11/08/06 23:42:12  11/09/06 23:42:04  ldap/ns.jive-turkey.net@JIVE-TURKEY.NET

Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached
I have some more information from playing around this afternoon. The first thing I found is that ldap authentication is still working for my Fedora 5 computers. The ldap queries for users are failing only for the Fedora 6 machine. Since the setups are identical except for releases, I submitted a bug report to Red Hat's Bugzilla.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214679
There are two logs attached to the bug report which detail this problem. They are both kind of lengthy, so I won't list them here.
That having been said, I'm really leaning toward my not having set up these queries correctly. ldapsearch is still failing regardless of whether or not logins are working, and it is failing with the same error messages.
Thanks for your quick response.
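The exchange above turns on reading the klist output: if the cache holds both a krbtgt and an ldap/<host> ticket, the KDC already issued the service ticket, so the Kerberos leg of a GSSAPI bind has succeeded and a failing ldapsearch is failing later, in SASL or in slapd itself (saslauthd is never involved for GSSAPI). The following is an added example, not code from the thread or from OpenLDAP, that encodes that reasoning as a small POSIX shell check. The klist text it parses is constructed to mirror the one quoted above; the host name ns.jive-turkey.net is taken from that output.

```shell
# Added example: classify how far a GSSAPI bind can have got, using only the
# client's Kerberos 5 ticket cache. The Kerberos 4 cache lines that klist
# also prints are irrelevant here: GSSAPI uses Kerberos 5 tickets.

# Constructed sample, modelled on the klist output quoted in the thread.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_502
Default principal: sleepylight@JIVE-TURKEY.NET

Valid starting     Expires            Service principal
11/08/06 23:42:04  11/09/06 23:42:04  krbtgt/JIVE-TURKEY.NET@JIVE-TURKEY.NET
11/08/06 23:42:12  11/09/06 23:42:04  ldap/ns.jive-turkey.net@JIVE-TURKEY.NET'

# Print the service principal of every ticket line in klist output ($1).
# A ticket line starts with two date/time pairs; the fifth field is the
# principal. Header and cache-description lines do not start with a date.
klist_principals() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ && NF >= 5 { print $5 }'
}

# Echo which stage the cache ($1) proves has already succeeded for the LDAP
# server host ($2):
#   no-tgt          kinit has not run, or the cache expired
#   tgt-only        kinit worked, but no ldap/<host> ticket was ever issued,
#                   so look at the KDC, the server principal or DNS/reverse DNS
#   service-ticket  the KDC issued ldap/<host>; the Kerberos leg is fine and
#                   a failing ldapsearch is failing in SASL or in slapd
ticket_stage() {
    ldap_host=$2
    have_tgt=no
    have_ldap=no
    # Principals never contain whitespace, so word splitting is safe here.
    for p in $(klist_principals "$1"); do
        case $p in
            krbtgt/*)             have_tgt=yes ;;
            ldap/"$ldap_host"@*)  have_ldap=yes ;;
        esac
    done
    if [ "$have_tgt" = no ]; then
        echo no-tgt
    elif [ "$have_ldap" = yes ]; then
        echo service-ticket
    else
        echo tgt-only
    fi
}

# Stand-alone usage: classify the constructed sample. With a live cache you
# would pass "$(klist)" instead, and on "service-ticket" move on to
#   ldapsearch -Y GSSAPI -H ldap://ns.jive-turkey.net -b '' -s base -d 1
# to see the SASL negotiation and the DN slapd maps the principal to.
ticket_stage "$SAMPLE_KLIST" ns.jive-turkey.net
```

For the cache quoted in the thread this prints service-ticket, which is the same conclusion Howard draws: the tickets are there, so the problem is not kinit, not saslauthd, and most likely how slapd maps the Kerberos principal to a DN or how the queries are written.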