Yes, it does on the server I'm testing from:
root@mytest:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jschaeffer@HARMONYWAVE.COM

Valid starting       Expires              Service principal
12/05/2014 20:32     13/05/2014 06:32     krbtgt/HARMONYWAVE.COM@HARMONYWAVE.COM
        renew until 13/05/2014 20:32
12/05/2014 20:32     13/05/2014 06:32     ldap/baneling.harmonywave.com@HARMONYWAVE.COM
        renew until 13/05/2014 20:32
On 05/13/2014 12:26 AM, Dieter Klünter wrote:
On Mon, 12 May 2014 20:52:14 -0600, Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:
I'm looking for a little help concerning the below error I get when I do an ldapsearch:
root@mytest:~# ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
That error is pretty generic to me and the searching I've done to find a solution has not yielded anything successful. I have MIT Kerberos and SASL set up and I'm able to successfully get a TGT from any machine that can see my KDC. I also can successfully search my ldap directory using simple authentication. I've run the sasl-sample-client and server between several machines including: ldap server to krb server, test server to krb server, test server to ldap server, etc. I can complete the sasl test on every one. Running slapd in debug mode doesn't provide me with any additional information:
root@baneling:~# slapd -h "ldap:/// ldapi:///" -d 256
5371865b @(#) $OpenLDAP: slapd  (Apr 23 2013 12:16:04) $
        root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
5371865c slapd starting
53718672 conn=1000 fd=13 ACCEPT from IP=10.1.10.10:53839 (IP=0.0.0.0:389)
53718672 conn=1000 op=0 BIND dn="" method=163
53718672 SASL [conn=1000] Failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
53718672 conn=1000 op=0 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
53718672 conn=1000 op=1 UNBIND
53718672 conn=1000 fd=13 closed
53718672 connection_read(13): no connection!
I do have the keytab in a non-standard location on the ldap server (/etc/ldap/ldap.keytab), so I modified /etc/default/slapd and restarted slapd. I'm not really sure what I can provide from my cn=config that would help diagnose this issue; let me know and I can respond with the details.
Here is my ldap.conf from the server I'm running the ldapsearch from (my test server):
root@mytest:~# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=harmonywave,dc=com
URI     ldap://baneling.harmonywave.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca.harmonywave.com.pem
TLS_REQCERT     demand
TLS_CHECKPEER   yes
TLS_CIPHER_SUITE SECURE256

# LDAP sudo settings
sudoers_base    ou=SUDOers,dc=harmonywave,dc=com

# SASL Kerberos settings
SASL_MECH       GSSAPI
SASL_REALM      HARMONYWAVE.COM
Does klist show an ldap service principal?
-Dieter
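Two things the thread turns on can be checked mechanically: whether the client cache holds a ticket for ldap/<URI host>@REALM (Dieter's question), and whether the KRB5_KTNAME setting in /etc/default/slapd is actually exported so slapd sees the non-standard keytab. The following is an added example, not code from the thread or from OpenLDAP; it parses the klist output and ldap.conf quoted above, and the two /etc/default/slapd fragments are constructed, since the thread never shows that file.

```python
import re
# Constructed samples, copied from the klist and ldap.conf output quoted in this thread.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jschaeffer@HARMONYWAVE.COM

Valid starting     Expires            Service principal
12/05/2014 20:32   13/05/2014 06:32   krbtgt/HARMONYWAVE.COM@HARMONYWAVE.COM
        renew until 13/05/2014 20:32
12/05/2014 20:32   13/05/2014 06:32   ldap/baneling.harmonywave.com@HARMONYWAVE.COM
        renew until 13/05/2014 20:32
"""
LDAP_CONF = "URI ldap://baneling.harmonywave.com\nSASL_MECH GSSAPI\nSASL_REALM HARMONYWAVE.COM\n"
# Hypothetical /etc/default/slapd fragments (the thread does not show the file).
DEFAULT_SLAPD_BAD = 'SLAPD_SERVICES="ldap:/// ldapi:///"\nKRB5_KTNAME=/etc/ldap/ldap.keytab\n'
DEFAULT_SLAPD_OK = 'SLAPD_SERVICES="ldap:/// ldapi:///"\nexport KRB5_KTNAME=/etc/ldap/ldap.keytab\n'

def service_tickets(klist_text):
    """Service principals in the cache: the last token of each ticket line."""
    held = set()
    for line in klist_text.splitlines():
        # Skip blank lines, "renew until" continuations and the two header lines.
        if not line or line[0].isspace() or line.startswith(("Ticket cache", "Default principal")):
            continue
        tok = line.split()[-1]
        if "/" in tok and "@" in tok:
            held.add(tok)
    return held

def ldap_conf(text):
    """Minimal ldap.conf(5) reader: case-insensitive keyword, rest of the line is the value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.upper()] = value.strip()
    return conf

def missing_ldap_tickets(klist_text, conf_text):
    """ldap/<URI host>@<SASL_REALM> principals with no cached ticket (single realm
    assumed; DNS canonicalisation of the host name is ignored)."""
    conf = ldap_conf(conf_text)
    hosts = re.findall(r"ldaps?://([^/:\s]+)", conf.get("URI", ""))
    wanted = {f"ldap/{h.lower()}@{conf.get('SASL_REALM', '')}" for h in hosts}
    return wanted - service_tickets(klist_text)

def keytab_exported(default_slapd_text):
    """True only if KRB5_KTNAME is exported: the init script sources /etc/default/slapd,
    so a bare assignment never reaches slapd's environment."""
    return any(re.match(r"\s*export\s+KRB5_KTNAME=", l) for l in default_slapd_text.splitlines())
```

For the cache quoted above, missing_ldap_tickets() returns an empty set, which means the client already holds the service ticket and the failure has to be on the server side (the keytab slapd reads, or the environment it is started with).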