Brian Candler B.Candler@pobox.com writes:
> Config 3
> olcSaslRealm: WS.NSRC.ORG
> krb5.conf default realm: FOO.NSRC.ORG
> result: auth fails!
>
> # ldapsearch
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)
>
> Now this seems odd; presumably slapd is only trying to use a keytab entry of
> ldap/noc.ws.nsrc.org@FOO.NSRC.ORG (which doesn't exist).
>
> My understanding is that modern kerberos apps should just try all keys in the
> keytab until they find one which decrypts the ticket.
> http://mailman.mit.edu/pipermail/kerberos/2010-December/016797.html
Cyrus SASL doesn't. This is a long-standing bug in Cyrus SASL that we patch locally at Stanford. (It's a simple one-line patch.) It really needs to be fixed upstream in Cyrus SASL.
> But in any case, shouldn't it use olcSaslRealm in preference to the krb5.conf
> default realm? (I'd expect the default realm to be used if olcSaslRealm were
> empty though.)
I don't believe there's any way to pass that information down into Cyrus SASL, so there isn't anything OpenLDAP can do. Cyrus SASL forces using the hostname unless you patch it to not be stupid.
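An added diagnostic to make the mismatch above visible before slapd is started (example code written for this reply; it is not from the thread, from Cyrus SASL or from OpenLDAP). It parses an MIT keytab (format 0x0502), lists the principals it holds, and reports whether the one entry Cyrus SASL will look up, ldap/<host>@<krb5.conf default realm>, is present, alongside the olcSaslRealm variant. The keytab bytes are constructed inline with dummy all-zero keys; the hostname and realm names are the ones from "Config 3" in the thread, and the parser works on any real keytab too.

```python
import struct

def _cstr(b: bytes) -> bytes:      # keytab counted octet string
    return struct.pack(">H", len(b)) + b

def build_keytab(principals):
    """Constructed MIT keytab (format 0x0502) with dummy all-zero keys; test input only."""
    out = b"\x05\x02"
    for comps, realm in principals:
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIBH", 1, 0, 1, 18)  # name_type, timestamp, vno8, enctype
        body += _cstr(bytes(32))                   # dummy 32-byte key
        out += struct.pack(">i", len(body)) + body
    return out

def _read_cstr(buf: bytes, p: int):
    n = struct.unpack_from(">H", buf, p)[0]
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def keytab_principals(data: bytes):
    """Return the principal names (comp/comp@REALM) stored in an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, names = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        entry, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size < 0:                               # negative size = deleted slot
            continue
        ncomp = struct.unpack_from(">H", entry, 0)[0]
        realm, p = _read_cstr(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cstr(entry, p)
            comps.append(c)
        names.append("/".join(comps) + "@" + realm)
    return names

def check_ldap_keytab(data: bytes, host: str, sasl_realm: str, default_realm: str):
    """Cyrus SASL only looks up ldap/<host>@<krb5.conf default realm>; report on both realms."""
    names = set(keytab_principals(data))
    cyrus = f"ldap/{host}@{default_realm}"
    return {"cyrus_lookup": cyrus, "cyrus_found": cyrus in names,
            "olcSaslRealm_found": f"ldap/{host}@{sasl_realm}" in names}

# Constructed keytab matching "Config 3" in the thread: ldap/ key only in WS.NSRC.ORG.
SAMPLE_KEYTAB = build_keytab([(["ldap", "noc.ws.nsrc.org"], "WS.NSRC.ORG"),
                              (["host", "noc.ws.nsrc.org"], "WS.NSRC.ORG")])
```

Running `check_ldap_keytab(SAMPLE_KEYTAB, "noc.ws.nsrc.org", "WS.NSRC.ORG", "FOO.NSRC.ORG")` reports the FOO.NSRC.ORG entry as missing, which is exactly the "Key table entry not found" case; pass the bytes of a real `/etc/krb5.keytab` to check a live host.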