Hello,
I struggle with a Debian GNU/Linux (Lenny) and
* slapd 2.4.11-1
* heimdal-kdc 1.2.dfsg.1-2.1
* libsasl2-modules-gssapi-heimdal 2.1.22.dfsg1-23
With this configuration:
/etc/ldap/slapd.conf:
# Kerberos Configuration
sasl-host kerberos.lab.swapon.de
sasl-realm LAB.SWAPON.DE
# Mapping Kerberos Authentication Identities
authz-regexp uid=([^,]*),cn=lab.swapon.de,cn=gssapi,cn=auth ldap:///ou=people,dc=lab,dc=swapon,dc=de??one?(&(uid=$1)(objectClass=person))

/etc/ldap/sasl2/slapd.conf:
mech_list: GSSAPI
log_level: 7
Then I get a Kerberos ticket and start ldapsearch:
$ ldapsearch -H ldaps://ldap.lab.swapon.de/
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
The slapd logfile isn't very helpful:
slapd[11480]: conn=2 fd=14 ACCEPT from IP=[2001:6f8:12ec:11::389:fefe]:60487 (IP=[2001:6f8:12ec:11::389:fefe]:636)
slapd[11480]: conn=2 fd=14 TLS established tls_ssf=128 ssf=128
slapd[11480]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[11480]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
slapd[11480]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[11480]: conn=2 op=1 BIND dn="" method=163
slapd[11480]: SASL [conn=2] Failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
slapd[11480]: conn=2 op=1 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
slapd[11480]: conn=2 fd=14 closed (connection lost)
The KDC's logfile is more interesting:
Authentication Server Request from slapd (successful):
14:37:13 AS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB.SWAPON.DE@LAB.SWAPON.DE
14:37:13 Client sent patypes: encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp
14:37:13 Looking for PKINIT pa-data -- host/reliant.lab.swapon.de@LAB.SWAPON.DE
14:37:13 Looking for ENC-TS pa-data -- host/reliant.lab.swapon.de@LAB.SWAPON.DE
14:37:13 ENC-TS Pre-authentication succeeded -- host/reliant.lab.swapon.de@LAB.SWAPON.DE using aes256-cts-hmac-sha1-96
14:37:13 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
14:37:13 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
14:37:13 AS-REQ authtime: 2009-04-27T14:37:13 starttime: unset endtime: 2009-04-28T00:37:13 renew till: unset
14:37:13 sending 670 bytes to IPv6:2001:6f8:12ec:11::88:fefe

Ticket Granting Server Request from slapd (fails):
14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for digest/LAB@LAB.SWAPON.DE [canonicalize]
14:37:13 Searching referral for LAB
14:37:13 Server not found in database: digest/LAB@LAB.SWAPON.DE: No such entry in the database
14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 sending 107 bytes to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB@LAB.SWAPON.DE
14:37:13 Server not found in database: krbtgt/LAB@LAB.SWAPON.DE: No such entry in the database
14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 sending 107 bytes to IPv6:2001:6f8:12ec:11::88:fefe
It's clear that this TGS-REQ is failing: the realm "LAB" in the principal "krbtgt/LAB@LAB.SWAPON.DE" doesn't exist. Correct would be: "krbtgt/LAB.SWAPON.DE@LAB.SWAPON.DE".
At present I have no clue how to fix this. Good ideas would be appreciated.
Regards,
Friedemann
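The diagnosis in the post comes from reading the KDC log by hand: the failing TGS-REQ asks for krbtgt/LAB@LAB.SWAPON.DE, whose instance "LAB" is not a realm the KDC knows. The following is an added example, not part of the original mail or of Heimdal/OpenLDAP, that automates that triage: it pairs each "Server not found in database" line with the request that preceded it and, for krbtgt principals, flags a cross-realm TGT request whose target realm differs from the KDC's own realm. The log text is a constructed sample modelled on the excerpt above; the line formats it parses are assumed from that excerpt and may differ in other Heimdal versions.

```python
import re

# Constructed sample, modelled on the Heimdal KDC excerpt in the post above.
SAMPLE_KDC_LOG = """\
14:37:13 AS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB.SWAPON.DE@LAB.SWAPON.DE
14:37:13 ENC-TS Pre-authentication succeeded -- host/reliant.lab.swapon.de@LAB.SWAPON.DE using aes256-cts-hmac-sha1-96
14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for digest/LAB@LAB.SWAPON.DE [canonicalize]
14:37:13 Searching referral for LAB
14:37:13 Server not found in database: digest/LAB@LAB.SWAPON.DE: No such entry in the database
14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB@LAB.SWAPON.DE
14:37:13 Server not found in database: krbtgt/LAB@LAB.SWAPON.DE: No such entry in the database
14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe
"""

# Line shapes assumed from the excerpt: "<time> AS-REQ|TGS-REQ <client> from <addr> for <service>"
REQ_RE = re.compile(
    r"^(?P<time>\S+) (?P<kind>AS-REQ|TGS-REQ) (?P<client>\S+) from (?P<addr>\S+) for (?P<service>\S+)"
)
# "<time> Server not found in database: <service>: No such entry in the database"
NOTFOUND_RE = re.compile(r"^(?P<time>\S+) Server not found in database: (?P<service>\S+): ")


def split_principal(principal):
    """'krbtgt/LAB@LAB.SWAPON.DE' -> (['krbtgt', 'LAB'], 'LAB.SWAPON.DE')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def analyse_kdc_log(text):
    """Return one finding per 'Server not found' error, attributed to the request before it."""
    findings = []
    pending = None  # most recent AS-REQ/TGS-REQ line, so the failure can be attributed to it
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = NOTFOUND_RE.match(line)
        if m and pending:
            service = m.group("service")
            components, realm = split_principal(service)
            finding = {
                "time": m.group("time"),
                "kind": pending["kind"],
                "client": pending["client"],
                "service": service,
                "reason": "unknown principal",
            }
            # krbtgt/<X>@<REALM> is a request for a TGT usable in realm X. If X is not
            # the KDC's realm, the client is asking for a cross-realm TGT to a realm
            # this KDC has no entry for, which is the situation seen in the post.
            if components[0] == "krbtgt" and len(components) == 2 and components[1] != realm:
                finding["reason"] = (
                    f"cross-realm TGT requested for realm '{components[1]}' "
                    f"(KDC realm is '{realm}')"
                )
            findings.append(finding)
            pending = None
    return findings


if __name__ == "__main__":
    for f in analyse_kdc_log(SAMPLE_KDC_LOG):
        print(f"{f['time']} {f['kind']} by {f['client']} for {f['service']}: {f['reason']}")
```

Run against the sample, the first finding is the plain "unknown principal" for digest/LAB@LAB.SWAPON.DE, and the second is flagged as a cross-realm TGT request for a realm named "LAB", which is exactly the mismatch the post identifies.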