I have set KRB5_KTNAME in slapd startup script (/etc/default/slapd):
export KRB5_KTNAME=/etc/ldap/ldap.keytab
it's to separate system keytab from LDAP's. Anyway, that is a different error.
Matej
On 12/06/2010 02:30 PM, Indexer wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
SASL [conn=1003] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
Do you mind showing us your slapd configuration, and also your sasl configuration?
My mistake, I was busy at work, and misunderstood. No need for SASL unless you use userPassword: {SASL}user@realm
I've generated keytab file with ldap/my.ldap.host principal and put it in /etc/ldap/ldap.keytab
Is your server configured to have the keytab in /etc/ldap/ldap.keytab? I use mine from /etc/krb5.keytab normally. See below for more
Because I don't use {SASL} password scheme, there is no special SASL configuration. Usage is like this (client):
ldapsearch -Y GSSAPI SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
What command do you use to generate this error? Do you have a krb5 ticket granted? You can check with klist.
I tried google the problem, but it didn't help.
http://www.openldap.org/doc/admin24/appendix-common-errors.html
That lists the error you have, but it may not be the correct fix you need.
Look at section c.2.4 and c.1.21
Hope this helps you, and gets you on the right track.
William Brown
pgp.mit.edu
-----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQIcBAEBAgAGBQJM/OVdAAoJEHF16AnLoz6JM9UQAJ4wdyS9Hzw0pT6dQDLzXHfu o/JQEx+o3ZbxTpjWxhGWW2ha69ztOoDWxK5x2M0HbfWWedrZ4Ov/vKwRlYW+eQQe vWwKyeanmt+a4Tl/+M69qWGOe9VT7bXR9FRgXcXED5czTssmkX9fdX0ShBDh+rnc Nb3Y1lDZGtqGZFQ+klE9eVpjkejtf9wdcQIQehJ+JmDwxt6n10sFwr0iNu2tszJe AHgft3hGoyde17qUH2r346/JhztCrseGaYAdbAW+TFXF/mz0JekW2zy52VfDSe3p 9wIAPL6P7urOige9Fb/U+GhFUmEyGcF1nlagnQrD8BN3hOTGGmGaFUxbbz0qN+ox OTt+A07kdkwGAOqfWG1onrc1Tn/4cE9sh4X/ZuomNKRXIoQXqET0KFMEC0edocvP MhWS6Dtl/8Xr1yv4SGS1rR9ACOK3JXWntQRV0JaxXtDTIbXhptYxc2lGSdqg0EBw Pl3W5f22c5xbZ9IGjRNCr8Q5DfpjoFxpfgHa3w9kotJ+s/4V79Wrgd+sMyLxfj2Y HccC9/3rGKRJVdJHSkiKhAI8FgqyKt0bmbsa3t3rOlp2NCnwjGPVBUPYxXzJpmQ3 15tMDgTSle1AjUCfVY8VOuB2+noUJRK+1HzfPgz3apdI5d8jQgKss+XUKDWXcejS ThTZv6+MqRdUbbJEyjR2 =i86w -----END PGP SIGNATURE-----