I am trying to use OpenLDAP's ldapsearch to connect to a Sun DS 5.2 server using SASL/GSSAPI to authenticate. The setup works perfectly fine on Solaris clients, but not on Linux ones using OpenLDAP's ldapsearch (Debian sid on x86). Instead, it always gives the following error:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code 188)
This error is coming from the DS server (right?), so I know this may not be OpenLDAP's problem. I was just wondering if anyone else had encountered this problem, or if there are any workarounds or anything, or if this is known to just not work at all.
I'm using the Cyrus SASL implementation with MIT Kerberos. I tried this with ldapsearch 2.3.30 and 2.2.23.
-- Andrew Deason adeason2@uiuc.edu
Andrew Deason wrote:
> I am trying to use OpenLDAP's ldapsearch to connect to a Sun DS 5.2 server using SASL/GSSAPI to authenticate. The setup works perfectly fine on Solaris clients, but not on Linux ones using OpenLDAP's ldapsearch (Debian sid on x86). Instead, it always gives the following error:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code 188)
> This error is coming from the DS server (right?), so I know this may not be OpenLDAP's problem. I was just wondering if anyone else had encountered this problem, or if there are any workarounds or anything, or if this is known to just not work at all.
Yes, what you've posted indicates an error that came from the server. You would need to look at the error logs on the server to get a better idea what went wrong.
No, there's no particular reason why it would not work. Most likely you have a hostname or servicename misconfigured somewhere. It may help you to compare the output from klist on the different clients.
> I'm using the Cyrus SASL implementation with MIT Kerberos. I tried this with ldapsearch 2.3.30 and 2.2.23.
Usually a Kerberos-specific error code is several digits long. That error code 188 seems pretty odd. It may well be a Solaris errno value, but even then it shouldn't log as an Unknown code.
It seems you're going to have to ask Sun support for help on this one. Good luck.
> -- Andrew Deason adeason2@uiuc.edu
--On Wednesday, January 31, 2007 9:18 PM -0800 Howard Chu hyc@symas.com wrote:
> Andrew Deason wrote:
> > I am trying to use OpenLDAP's ldapsearch to connect to a Sun DS 5.2 server using SASL/GSSAPI to authenticate. The setup works perfectly fine on Solaris clients, but not on Linux ones using OpenLDAP's ldapsearch (Debian sid on x86). Instead, it always gives the following error:
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >         additional info: SASL(-13): authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code 188)
> > This error is coming from the DS server (right?), so I know this may not be OpenLDAP's problem. I was just wondering if anyone else had encountered this problem, or if there are any workarounds or anything, or if this is known to just not work at all.
> Yes, what you've posted indicates an error that came from the server. You would need to look at the error logs on the server to get a better idea what went wrong.
> No, there's no particular reason why it would not work. Most likely you have a hostname or servicename misconfigured somewhere. It may help you to compare the output from klist on the different clients.
> > I'm using the Cyrus SASL implementation with MIT Kerberos. I tried this with ldapsearch 2.3.30 and 2.2.23.
> Usually a Kerberos-specific error code is several digits long. That error code 188 seems pretty odd. It may well be a Solaris errno value, but even then it shouldn't log as an Unknown code.
> It seems you're going to have to ask Sun support for help on this one. Good luck.
Another question is, are you using the *same* version of MIT Kerberos everywhere? I've hit some really odd errors with SASL/GSSAPI and recent MIT Kerberos versions.
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
It's been awhile since I posted this, but for the record (and if anyone encounters this in the future), this was a problem with the ldap/fqdn principal keytab on the DS server. It needed to have a weaker enctype (des-cbc-crc worked, though others probably do, as well), or else apparently Solaris couldn't handle it.
-- Andrew Deason adeason2@uiuc.edu
On Wed, 31 Jan 2007 17:35:47 -0600 Andrew Deason adeason2@uiuc.edu wrote:
> I am trying to use OpenLDAP's ldapsearch to connect to a Sun DS 5.2 server using SASL/GSSAPI to authenticate. The setup works perfectly fine on Solaris clients, but not on Linux ones using OpenLDAP's ldapsearch (Debian sid on x86). Instead, it always gives the following error:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code 188)
> This error is coming from the DS server (right?), so I know this may not be OpenLDAP's problem. I was just wondering if anyone else had encountered this problem, or if there are any workarounds or anything, or if this is known to just not work at all.
> I'm using the Cyrus SASL implementation with MIT Kerberos. I tried this with ldapsearch 2.3.30 and 2.2.23.
> -- Andrew Deason adeason2@uiuc.edu
Andrew Deason wrote:
> It's been awhile since I posted this, but for the record (and if anyone encounters this in the future), this was a problem with the ldap/fqdn principal keytab on the DS server. It needed to have a weaker enctype (des-cbc-crc worked, though others probably do, as well), or else apparently Solaris couldn't handle it.
Thanks for the followup. It's a bit puzzling still; where is the KDC hosted? The principal's record in the KDC should contain keys encoded with all of its supported enctypes. Changing the keytab on the server wouldn't change what type of service tickets the KDC issues, that would still be controlled by what the KDC knows and what the client supports.
At any rate, it's good to know that this is a problem area. Yet another reason not to use SunDS...
> -- Andrew Deason adeason2@uiuc.edu
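The check implied by Andrew's fix and Howard's explanation above, whether the enctype the KDC used for the client's ldap/fqdn service ticket has a matching key in the server's keytab, written as an added example that is not part of this thread. It parses constructed samples in MIT `klist -ke` and `klist -e` format; the principal ldap/ds.example.edu@EXAMPLE.EDU, the realm and the enctypes are assumed for the example.

```shell
# Constructed sample of `klist -ke` output from the DS server's keytab
# (principal and enctypes are assumed for the example).
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ds.example.edu@EXAMPLE.EDU (des-cbc-crc)
   3 ldap/ds.example.edu@EXAMPLE.EDU (des3-cbc-sha1)'

# Constructed sample of `klist -e` output from a Linux client's credential
# cache; the "tkt" enctype is the one the KDC used to encrypt the service ticket.
CLIENT_CACHE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.EDU

Valid starting     Expires            Service principal
01/31/07 17:30:00  02/01/07 03:30:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/31/07 17:31:00  02/01/07 03:30:00  ldap/ds.example.edu@EXAMPLE.EDU
        Etype (skey, tkt): des3-cbc-sha1, aes256-cts-hmac-sha1-96'

# keytab_enctypes PRINCIPAL LISTING: enctypes the keytab holds for PRINCIPAL, one per line.
keytab_enctypes() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { gsub(/[()]/, "", $3); print $3 }'
}

# ticket_enctype PRINCIPAL CACHE: the "tkt" enctype of PRINCIPAL's service ticket.
ticket_enctype() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $NF == p { found = 1; next }
        found && /Etype/ { sub(/.*, /, ""); print; exit }'
}

# check_enctype PRINCIPAL LISTING CACHE: 0 if the server has a key that can decrypt
# the ticket, 1 if the keytab lacks a key of the ticket's enctype, 2 if no ticket found.
check_enctype() {
    tkt=$(ticket_enctype "$1" "$3")
    [ -n "$tkt" ] || { echo "no service ticket for $1 in cache"; return 2; }
    if keytab_enctypes "$1" "$2" | grep -qx "$tkt"; then
        echo "ok: ticket enctype $tkt has a matching key in the keytab"
        return 0
    fi
    echo "mismatch: ticket enctype $tkt, keytab has: $(keytab_enctypes "$1" "$2" | tr '\n' ' ')"
    return 1
}

if ! check_enctype ldap/ds.example.edu@EXAMPLE.EDU "$KEYTAB_LISTING" "$CLIENT_CACHE"; then
    echo "either re-key ldap/fqdn with that enctype or have the KDC stop issuing it"
fi
```

Run it on the server with the real `klist -ke` output and on a failing client with its `klist -e` output to see whether the GSS failure is an enctype mismatch rather than a hostname or service name problem.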
openldap-software@openldap.org