On 21/01/11 17:51 +0100, Thomas Schweikle wrote:
Am 21.01.2011 17:17, schrieb Dan White:
On Debian based systems, it's renamed as saslpluginviewer. It's located in the sasl2-bin package. The GSSAPI mechanism is installed in one of:
libsasl2-modules-gssapi-heimdal libsasl2-modules-gssapi-mit
Package sasl2-bin wasn't installed, libsasl2-modules-gssapi-mit was. Now I have:
Plugin "gssapiv2" [loaded], API version: 4 SASL mechanism: GSSAPI, best SSF: 56 security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
#ldapsearch -LLL -x -H ldap://srv.example.com -s "base" -b "" supportedSASLMechanisms dn: supportedSASLMechanisms: GSSAPI
#ldapsearch -Y GSSAPI -LLL -H ldap://srv.example.com -s "base" -b "" supportedSASLMechanisms SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
Within the credentials cache: #klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: user@XOMPU.DE
Valid starting Expires Service principal 01/21/11 11:32:03 01/21/11 21:32:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 01/22/11 11:31:58 01/21/11 16:20:04 01/21/11 21:32:03 host/srv.example.com@EXAMPLE.COM renew until 01/22/11 11:31:58 01/21/11 16:46:15 01/21/11 21:32:03 ldap/srv.example.com@EXAMPLE.COM renew until 01/22/11 11:31:58
I keep getting Permission Denied errors.
That error (Permission denied) may be generated by the server. Verify that the keytab file you're using is readable by the openldap user or group.