On 1/16/20 8:05 PM, Quanah Gibson-Mount wrote:
> --On Thursday, January 16, 2020 9:03 PM +0000 Prentice Bisbal <pbisbal@princeton.edu> wrote:
>> One of my coworkers just noticed that replication is broken between our primary and secondary LDAP servers. It appears to have been broken for about 1 week now. Nothing has changed relative to the LDAP configuration on either of our servers, so this is an odd thing to suddenly happen. When I look at the consumer with some debugging on, I see these messages (/usr/sbin/slapd -d 1638 was used to get these messages):
>> It looks like the consumer host/voltron-b.pppl.gov,cn=pppl.gov,cn=gssapi,cn=auth, is being rejected as not being authorized, but this has been working for years w/o issue. Any idea what has changed and how I may fix it?
> Well, the error came from cyrus-sasl rather than OpenLDAP. This would indicate to me that the not authorized came from the KDC. Have you checked to ensure the keys in the keytab file haven't expired inside the KDC?
That's exactly what I suspected. We're using AD for our Kerberos client, and one of our AD admins insists that it couldn't be expired credentials. I did use a utility called msktutil to make sure the Kerberos tickets in /etc/krb5.keytab were up to date, but I'm still getting that error. Any ideas on how to prove/disprove what you suggest, so I can go back to my AD admins with more information?
-- Prentice
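One way to collect the evidence asked for above, as an added example that is not part of the thread: compare the key version number (KVNO) the keytab holds for the consumer's principal with the KVNO the KDC is currently issuing, then confirm whether the keytab can still obtain a TGT at all. The realm PPPL.GOV, the principal host/voltron-b.pppl.gov@PPPL.GOV and the sample klist/kvno output are assumptions constructed for the example.

```shell
# Added example (not from the thread). A keytab whose highest KVNO is behind
# the KDC's means the KDC (here AD) has rotated the key, and GSSAPI binds from
# that keytab will be refused. Realm PPPL.GOV is assumed.

# Highest KVNO for principal $1 in `klist -kte` output read from stdin
# (columns: KVNO, date, time, principal, enctype). Prints 0 if absent.
keytab_kvno() {
    awk -v p="$1" '$4 == p && $1+0 > max { max = $1+0 } END { print max+0 }'
}

# KVNO the KDC reports for principal $1, parsed from `kvno` output on stdin,
# e.g. "host/voltron-b.pppl.gov@PPPL.GOV: kvno = 6".
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $4+0 }'
}

# Verdict from keytab KVNO $1 and KDC KVNO $2.
kvno_verdict() {
    if [ "${1:-0}" -eq 0 ]; then echo missing      # principal not in keytab
    elif [ -z "$2" ]; then echo unknown             # kvno lookup failed
    elif [ "$1" -lt "$2" ]; then echo stale         # KDC has rotated the key
    else echo ok; fi
}

# Live check on the consumer (MIT krb5 client tools, run as root). The kvno
# lookup needs a valid TGT of any principal, e.g. from your own `kinit`.
check_keytab_live() {   # $1 principal, $2 keytab path
    kt=$(klist -kte "$2" | keytab_kvno "$1")
    kdc=$(kvno "$1" 2>/dev/null | kdc_kvno "$1")
    echo "keytab kvno=$kt kdc kvno=${kdc:-?} -> $(kvno_verdict "$kt" "$kdc")"
    # Final proof: the keytab either does or does not get a TGT from the KDC.
    if kinit -kt "$2" "$1"; then echo "kinit from keytab: OK"
    else echo "kinit from keytab: REFUSED (key or account problem on the KDC)"; fi
}

# Constructed sample output (not from the poster's system) for offline use.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/01/2019 09:00:00 host/voltron-b.pppl.gov@PPPL.GOV (aes256-cts-hmac-sha1-96)
   5 01/09/2020 09:00:00 host/voltron-b.pppl.gov@PPPL.GOV (aes256-cts-hmac-sha1-96)
   5 01/09/2020 09:00:00 host/voltron-b.pppl.gov@PPPL.GOV (arcfour-hmac)'
SAMPLE_KVNO='host/voltron-b.pppl.gov@PPPL.GOV: kvno = 6'

# Offline demo: verdict for the constructed sample (keytab 5 vs KDC 6 -> stale).
demo_verdict() {
    kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno host/voltron-b.pppl.gov@PPPL.GOV)
    kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno host/voltron-b.pppl.gov@PPPL.GOV)
    kvno_verdict "$kt" "$kdc"
}
```

On the consumer, `check_keytab_live host/voltron-b.pppl.gov@PPPL.GOV /etc/krb5.keytab` gives a KVNO comparison plus a kinit result that can be handed to the AD admins; a "stale" verdict or a refused kinit points at the KDC side rather than at slapd.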