--On Friday, January 17, 2020 1:12 PM -0500 Prentice Bisbal <pbisbal@pppl.gov> wrote:
>> Well, the error came from cyrus-sasl rather than OpenLDAP. This would indicate to me that the "not authorized" came from the KDC. Have you checked to ensure the keys in the keytab file haven't expired inside the KDC?
> That's exactly what I suspected. We're using AD for our Kerberos Client, and one of our AD admins insists that it couldn't be expired credentials. I did use a utility called msktutil to make sure the Kerberos tickets in /etc/krb5.keytab were up to date, but I'm still getting that error. Any ideas on how to prove/disprove what you suggest, so I can go back to my AD admins with more information?
Hi Prentice,
Unfortunately I have no experience using AD as a KDC. So I can't really offer any further debugging advice.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>