I'm looking for a little help concerning the below error I get when I
do an ldapsearch:
root@mytest:~# ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
That error is pretty generic to me and the searching I've done to
find a solution has not yielded anything successful. I have MIT
Kerberos and SASL set up and I'm able to successfully get a TGT from
any machine that can see my KDC. I also can successfully search my
ldap directory using simple authentication. I've run the
sasl-sample-client and server between several machines including:
ldap server to krb server, test server to krb server, test server to
ldap server, etc. I can complete the sasl test on every one.
Running slapd in debug mode doesn't provide me with any additional
information:
root@baneling:~# slapd -h "ldap:/// ldapi:///" -d 256
5371865b @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $
        root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
5371865c slapd starting
53718672 conn=1000 fd=13 ACCEPT from IP=10.1.10.10:53839 (IP=0.0.0.0:389)
53718672 conn=1000 op=0 BIND dn="" method=163
53718672 SASL [conn=1000] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
53718672 conn=1000 op=0 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
53718672 conn=1000 op=1 UNBIND
53718672 conn=1000 fd=13 closed
53718672 connection_read(13): no connection!
I do have the keytab in a non-standard location on the ldap server
(/etc/ldap/ldap.keytab), so I modified /etc/default/slapd and
restarted slapd. I'm not really sure what I can provide from my
cn=config that would help diagnose this issue; let me know and I can
respond with the details.
Here is my ldap.conf from the server I'm running the ldapsearch from
(my test server):
root@mytest:~# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=harmonywave,dc=com
URI ldap://baneling.harmonywave.com
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca.harmonywave.com.pem
TLS_REQCERT demand
TLS_CHECKPEER yes
TLS_CIPHER_SUITE SECURE256
# LDAP sudo settings
sudoers_base ou=SUDOers,dc=harmonywave,dc=com
# SASL Kerberos settings
SASL_MECH GSSAPI
SASL_REALM HARMONYWAVE.COM
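The post says the keytab sits in a non-standard path and that /etc/default/slapd was edited to point at it, and the client's ldap.conf names the server host and realm. The script below is an added example, not code from the poster or from OpenLDAP; it checks the two server-side preconditions a GSSAPI bind against slapd depends on: that the defaults file really sets KRB5_KTNAME (an uncommented line, with or without "export" and quotes), and that the keytab at that path is readable by the slapd service user and holds the ldap/<host>@REALM principal derived from the client's URI and SASL_REALM lines. The defaults file path, the service user name "openldap", the keytab path and the realm are assumptions taken from the post and from Debian packaging conventions; the klist and su invocations are standard MIT Kerberos and util-linux commands. The per-file helpers take paths or piped text so they can be exercised on constructed input without a running slapd.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the original post). Assumed names:
# /etc/default/slapd, service user "openldap", /etc/ldap/ldap.keytab.

# Print the KRB5_KTNAME value from an /etc/default/slapd-style file.
# Accepts an optional "export " prefix and surrounding quotes; a commented
# line ("#export KRB5_KTNAME=...") is deliberately ignored, since leaving
# the shipped line commented is a common reason slapd never sees the keytab.
# Returns 1 when the variable is not set at all.
ktname_from_defaults() {
    sed -n 's/^[[:space:]]*export[[:space:]]*KRB5_KTNAME=/KRB5_KTNAME=/; s/^[[:space:]]*KRB5_KTNAME=//p' "$1" \
        | tail -n 1 \
        | sed 's/^["'"'"']//; s/["'"'"']$//' \
        | grep .
}

# Derive the service principal slapd must hold from the client's ldap.conf:
# the host part of the first URI plus SASL_REALM. This assumes the server's
# Kerberos realm equals the client's SASL_REALM, which is the usual setup.
expected_service_principal() {
    host=$(sed -n 's/^URI[[:space:]][[:space:]]*//p' "$1" | head -n 1 \
           | awk '{print $1}' | sed 's#^[a-z]*://##; s#[:/].*$##')
    realm=$(sed -n 's/^SASL_REALM[[:space:]][[:space:]]*//p' "$1" | head -n 1)
    [ -n "$host" ] && [ -n "$realm" ] || return 1
    printf 'ldap/%s@%s\n' "$host" "$realm"
}

# Read a "klist -k" listing on stdin and succeed only if the wanted principal
# is present. klist -k prints "KVNO Principal" rows; the principal is the
# last field, so header lines never match.
keytab_has_principal() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Run the checks on a live server (needs root to read the keytab and to
# switch to the service user). Arguments default to the assumed paths.
check_slapd_gssapi() {
    defaults=${1:-/etc/default/slapd}
    conf=${2:-/etc/ldap/ldap.conf}
    user=${3:-openldap}
    kt=$(ktname_from_defaults "$defaults") \
        || { echo "KRB5_KTNAME is not set (uncommented) in $defaults"; return 1; }
    kt=${kt#FILE:}
    [ -f "$kt" ] || { echo "keytab $kt does not exist"; return 1; }
    su -s /bin/sh "$user" -c "test -r '$kt'" \
        || { echo "keytab $kt is not readable by $user (check owner/mode)"; return 1; }
    princ=$(expected_service_principal "$conf") \
        || { echo "cannot derive ldap/<host>@REALM from $conf"; return 1; }
    klist -k "$kt" | keytab_has_principal "$princ" \
        || { echo "$princ is not in $kt"; return 1; }
    echo "ok: $user can read $kt and it contains $princ"
}
```

On the LDAP server, source the file and run `check_slapd_gssapi` (or pass your own defaults file, ldap.conf and service user). Each failure message names the single precondition that was violated, which is more useful than the generic "Unspecified GSS failure" the server logs when any of them is missing.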