Sorry for my ignorance of the OpenLDAP GSSAPI mechanism. I tried just now,
and I think I found out why.
On the other machine, I needed to configure the realms in /etc/krb5.conf,
so that the machine knows where the KDC is.
After that, I ran "kinit user", and then ldapsearch worked fine.
Thank you very much for your reply.
On Thu, Feb 11, 2010 at 12:38 PM, Dan White <dwhite(a)olp.net> wrote:
On 10/02/10 23:41 -0600, huican ping wrote:
> This is a dumb question. I have only just started working with sasl+krb5
> and ldap. Could anyone kindly tell me how to get ldapsearch
> working from another machine? E.g., what kind of setup/procedure should I
> do on the other machine before I can do an ldapsearch with gssapi?
> Output when run on the other machine:
> /tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001
> -Y gssapi -U admin -b "sn=admin,ou=People,o=Acme"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Unknown code krb5 7)
I don't know what "Unknown code krb5 7" means, but I would make sure:
- You have a local credentials cache (klist)
- You have received a ticket for the LDAP service principal
- You are referencing the server using the same name as its service principal
- You have forward and reverse DNS set up for both the server and the client
I'm guessing that '-h 10.230.34.88' is incorrect. I would recommend
referencing the server by DNS name, unless the server really is using a
service principal with that IP address.
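As an added example, not code from either poster, here is a small POSIX shell script that walks through the client-side checks Dan lists and the krb5.conf realm stanza that huican's fix needed. The realm EXAMPLE.COM, the server ldap.example.com, the KDC kdc.example.com and the klist listing are all constructed for illustration; the script parses that embedded text instead of a live credential cache so it runs offline.

```shell
#!/bin/sh
# Client-side GSSAPI readiness checks for ldapsearch.
# All host names, the realm and the klist listing below are constructed
# examples, not values from the mailing-list thread.

# The stanza the client needs in /etc/krb5.conf so libkrb5 can locate the KDC.
# Without a [realms] entry (or DNS SRV records) the GSSAPI bind fails before
# any ticket is requested, which is the situation huican ran into.
KRB5_CONF_EXAMPLE='[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
'

# Print the kdc host for a realm from krb5.conf text read on stdin.
# Exits non-zero when the realm has no kdc entry.
kdc_for_realm() {
    awk -v realm="$1" '
        $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}"                  { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "="   { print $3; found = 1; exit }
        END { exit !found }
    '
}

# GSSAPI authenticates to ldap/<fqdn>@REALM, so the name given to -h must be
# the fqdn that appears in the service principal, not an IP literal.
# Rough IPv4-only check: digits and dots and nothing else.
is_ip_literal() {
    case "$1" in
        *[!0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}

expected_service_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Given klist output on stdin, succeed only if a ticket for the expected
# LDAP service principal is present (Dan's second check).
has_service_ticket() {
    grep -q -F "ldap/$1@$2"
}

# Constructed klist output after "kinit admin" and one successful bind.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
02/11/2010 12:40:00  02/11/2010 22:40:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/11/2010 12:40:05  02/11/2010 22:40:00  ldap/ldap.example.com@EXAMPLE.COM
'

# Run the three checks against the embedded config and ticket listing.
check_client() {
    host="$1"; realm="$2"
    if is_ip_literal "$host"; then
        echo "FAIL: -h $host is an IP literal; use the fqdn from the service principal" >&2
        return 1
    fi
    kdc=$(printf '%s' "$KRB5_CONF_EXAMPLE" | kdc_for_realm "$realm") || {
        echo "FAIL: realm $realm has no kdc entry in krb5.conf" >&2
        return 1
    }
    printf '%s' "$SAMPLE_KLIST" | has_service_ticket "$host" "$realm" || {
        echo "FAIL: no ticket for $(expected_service_principal "$host" "$realm"); run kinit and retry" >&2
        return 1
    }
    echo "OK: kdc=$kdc, ticket for $(expected_service_principal "$host" "$realm") present"
}

check_client ldap.example.com EXAMPLE.COM
```

On a real client, replace the embedded strings with `cat /etc/krb5.conf` and `klist`; the checks themselves stay the same. Forward and reverse DNS, Dan's last point, is deliberately not covered here because it needs a live resolver, but `host` or `dig -x` on both the server and the client address is the usual way to confirm it.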