Hi folks, I'm having a real hard time debugging this. I'm a newbie, trying to do a new ldap+kerberos install on a new Fedora 7 box. I can't get ldapsearch or ldapwhoami to work locally. I thought it was a read problem with the keytab files, but I tried setting KRB5_KTNAME to a keytab file I knew was readable by slapd, and that did not help. I also checked permissions on my certificates, and that seems OK too. ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.
Any help would be greatly appreciated :) ******************************************* *******************************************
[installer@trixter ~]$ ldapwhoami -V -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
	kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
	(LDAP library: OpenLDAP 20333)
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory)
******************************************* *******************************************
[installer@trixter ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: installer@HYMESRUZICKA.ORG

Valid starting     Expires            Service principal
01/15/08 13:11:43  01/16/08 13:11:43  krbtgt/HYMESRUZICKA.ORG@HYMESRUZICKA.ORG
01/15/08 13:12:35  01/16/08 13:11:43  ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
******************************************* *******************************************
[installer@trixter ~]$ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# This file should be world readable but not world writable.

BASE    dc=hymesruzicka,dc=org
URI     ldap://trixter.hymesruzicka.org:11562 ldaps://trixter.hymesruzicka.org:636
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow

#SIZELIMIT      12
TIMELIMIT       5
#DEREF          never
******************************************* *******************************************
I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not show which resource is not accessible. Actually I'm surprised that strace does not show any attempts to open the keytabs or anything in /etc/openldap/cacerts...
Thanks!
Listbox
Are you able to kinit? For testing only, please change the /etc/krb5.keytab to 644 (please change it back to 600 when you finish testing) and then restart slapd. Did it work? Could you tail -f /var/log/syslog?
Thank you
Amir
From: listbox@hymerfania.com
To: openldap-software@openldap.org
Subject: LDAP config problem with GSSAPI: No such file or directory
Date: Tue, 15 Jan 2008 14:52:07 -0800
[quoted original message, reproduced above]
Yes, I can kinit. I already tried making /etc/krb5.keytab world readable; it did not change the "No such file" error. However, should it be owned by root or my slapd user?
[root@trixter ~]# ll /etc/krb5.keytab
-rw-r--r-- 1 root root 712 2008-01-15 13:00 /etc/krb5.keytab
The logs I checked are /var/log/messages, slapd and krb5kdc.log. The logs do not show the ldap client error. I DID see some SELinux errors for krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This did not stop the error. I guess I'll try turning SELinux off and see if that makes any difference.
BTW: Here's the command with debug on:
[installer@trixter ~]$ ldapwhoami -V -d 1 -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
	kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
	(LDAP library: OpenLDAP 20333)
ldap_create
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP trixter.hymesruzicka.org:11562
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.3:11562
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=trixter.hymesruzicka.org
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 589 bytes to sd 3
ldap_result ld 0x8d82038 msgid 1
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
wait4msg ld 0x8d82038 msgid 1 (infinite timeout)
wait4msg continue ld 0x8d82038 msgid 1 all 1
** ld 0x8d82038 Connections:
* host: trixter.hymesruzicka.org  port: 11562  (default)
  refcnt: 2  status: Connected
  last used: Wed Jan 16 10:11:11 2008

** ld 0x8d82038 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x8d82038 Response Queue:
   Empty
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
ldap_int_select
read1msg: ld 0x8d82038 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
read1msg: ld 0x8d82038 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8d82038 0 new referrals
read1msg: mark request completed, ld 0x8d82038 msgid 1
request done: ld 0x8d82038 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory)
From: openldap-software-bounces+listbox=hymerfania.com@OpenLDAP.org On Behalf Of Amir Saad
Sent: Tuesday, January 15, 2008 11:15 PM
To: Listbox; openldap-software@openldap.org
Subject: RE: LDAP config problem with GSSAPI: No such file or directory
[quoted earlier messages, reproduced above]
On Wednesday 16 January 2008 20:15:36 Listbox wrote:
Yes, I can kinit. I already tried making /etc/krb5.keytab world readable; it did not change the "No such file" error. However, should it be owned by root or my slapd user?
[root@trixter ~]# ll /etc/krb5.keytab
-rw-r--r-- 1 root root 712 2008-01-15 13:00 /etc/krb5.keytab
The logs I checked are /var/log/messages, slapd and krb5kdc.log. The logs do not show the ldap client error. I DID see some SELinux errors for krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This did not stop the error. I guess I'll try turning SELinux off and see if that makes any difference.
BTW: Here's the command with debug on:
[installer@trixter ~]$ ldapwhoami -V -d 1 -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
	kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
	(LDAP library: OpenLDAP 20333)
[...]
ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory)
The "Minor code" error message comes from the GSSAPI layer, the best place to look for information on this is in your kdc log file. While you won't see a client error, you may see requests for unexpected tickets etc., which would require you to fix configuration of non-LDAP issues (e.g. reverse DNS lookups etc.).
Regards, Buchan
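As an added example that is not code from this thread, nor OpenLDAP's or MIT Kerberos' own tooling, here is a POSIX shell pre-flight script that turns the checks raised in the thread into small functions: whether the keytab is readable by the user slapd runs as (the KRB5_KTNAME experiment and the 644/600 test), whether the keytab actually holds the ldap/host principal the client's ticket in klist names, whether forward and reverse DNS agree for the server name (Buchan's hint, to read alongside the KDC log), and a helper that pulls the reason text out of a "Minor code may provide more information (...)" line. The host name, realm and the embedded klist -k listing are constructed sample values; the remark about rdns describes MIT Kerberos' default and is an assumption about the poster's client library, and the FILE: prefix handling for KRB5_KTNAME is likewise assumed.

```shell
#!/bin/sh
# Added example, not from the thread: the checks discussed above as
# functions, plus a helper for the GSSAPI minor-code text. Host name,
# realm and the klist -k listing below are constructed sample data.

# Service principal a GSSAPI LDAP bind to HOST in REALM will ask the KDC for.
ldap_service_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Given the text of `klist -k KEYTAB` (passed as a string so this runs
# offline), succeed if PRINCIPAL is listed. The principal is the last field.
keytab_lists_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Succeed if FILE exists and is readable by the current user; run this as
# the slapd user (e.g. su -s /bin/sh ldap -c '...') to see what slapd sees.
keytab_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Print the text inside the trailing parentheses of a
# "Minor code may provide more information (...)" line, nothing otherwise.
gss_minor_reason() {
    printf '%s\n' "$1" | sed -n 's/.*Minor code may provide more information (\(.*\))$/\1/p'
}

# Forward-resolve HOST, reverse-resolve the address, and succeed only if the
# names agree. With MIT Kerberos' default rdns setting (assumption about the
# client) the service principal is built from the reverse name, so a mismatch
# makes the client request a ticket the server's keytab cannot decrypt.
# Needs a working resolver, so it is not exercised offline.
dns_roundtrip() {
    ip=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    if [ -z "$ip" ]; then
        printf 'forward lookup of %s failed\n' "$1"
        return 1
    fi
    rev=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    if [ "$rev" = "$1" ]; then
        printf 'DNS round trip ok: %s -> %s -> %s\n' "$1" "$ip" "$rev"
        return 0
    fi
    printf 'reverse DNS mismatch: %s -> %s -> %s\n' "$1" "$ip" "$rev"
    return 1
}

# Run all checks for HOST REALM [KEYTAB]; KEYTAB defaults to KRB5_KTNAME
# (any FILE: prefix stripped, an assumed convention) or /etc/krb5.keytab.
preflight() {
    kt=${3:-${KRB5_KTNAME:-/etc/krb5.keytab}}
    kt=${kt#FILE:}
    princ=$(ldap_service_principal "$1" "$2")
    printf 'expected service principal: %s\n' "$princ"
    if keytab_readable "$kt"; then
        printf 'keytab %s is readable by %s\n' "$kt" "$(id -un)"
        if command -v klist >/dev/null 2>&1; then
            if keytab_lists_principal "$(klist -k "$kt" 2>/dev/null)" "$princ"; then
                printf 'keytab contains %s\n' "$princ"
            else
                printf 'keytab does NOT contain %s; compare with what krb5kdc.log shows being requested\n' "$princ"
            fi
        fi
    else
        printf 'keytab %s is missing or unreadable by %s\n' "$kt" "$(id -un)"
    fi
    dns_roundtrip "$1"
}

# Constructed sample of `klist -k /etc/krb5.keytab` output, used for self-tests.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/trixter.hymesruzicka.org@HYMESRUZICKA.ORG
   3 ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG'

# Usage: sh gssapi_preflight.sh trixter.hymesruzicka.org HYMESRUZICKA.ORG
if [ $# -ge 2 ]; then
    preflight "$@"
fi
```

Run it as the account slapd runs under, since a keytab that root can read and the ldap user cannot is exactly the case the 644/600 experiment in the thread was probing; a principal missing from the keytab or a reverse-DNS mismatch shows up in the KDC log as a request for a ticket you did not expect.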