Chastity Blackwell wrote:
> On Thu, 2012-01-26 at 18:40 -0500, Howard Chu wrote:
>> Does kinit work for your chas@KRBTEST user? Judging from what you've pasted here, I don't think it should. Get your basic Kerberos installation working first. Take things one step at a time.
> It does:
>
> [chas@ldapsandbox log]$ ldapwhoami
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 195)
> [chas@ldapsandbox log]$ kinit chas
> Password for chas@KRBTEST:
> [chas@ldapsandbox log]$ ldapwhoami
> SASL/GSSAPI authentication started
> SASL username: chas@KRBTEST
> SASL SSF: 56
> SASL installing layers
> dn:uid=chas,ou=people,dc=test,dc=com
> Result: Success (0)
> [chas@ldapsandbox log]$
>
> As I said, I think Kerberos and LDAP are all working on their own... it's the combination of the two doing the SASL passthrough that is confounding me.
Seems like it's working for the wrong reasons, then. Your krb5.conf:
[libdefaults]
 default_realm = KRBTEST
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 AKTEST = {
  kdc = ldapsandbox.test.com:88
  admin_server = ldapsandbox.test.com:749
  default_domain = test.com
 }

[domain_realm]
 .agkn.net = KRBTEST
 agkn.net = KRBTEST
You defined a kdc for an "AKTEST" realm; you don't actually have any kdc defined for the "KRBTEST" realm so kinit should be failing.
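A small consistency checker, added here as an example and not part of the thread, that parses the krb5.conf quoted above (abridged) and reports the mismatch Howard describes: the default realm KRBTEST has no [realms] entry, and the [domain_realm] mappings point at it as well. The parser and the function names are my own, not MIT Kerberos code.

```python
# krb5.conf from the thread, embedded here as the sample input: default_realm
# says KRBTEST, but the only realm given a kdc is AKTEST.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = KRBTEST
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 AKTEST = {
  kdc = ldapsandbox.test.com:88
  admin_server = ldapsandbox.test.com:749
  default_domain = test.com
 }
[domain_realm]
 .agkn.net = KRBTEST
 agkn.net = KRBTEST
"""

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}}; 'NAME = { ... }' blocks become
    nested dicts. Includes, '*' tags and nested braces are not handled."""
    sections, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line == "}":                           # end of a realm block
            block = None
            continue
        if line.startswith("[") and line.endswith("]"):   # new [section]
            section, block = sections.setdefault(line[1:-1], {}), None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                          # start of a realm block
            block = section.setdefault(key, {})
        else:
            (section if block is None else block)[key] = value
    return sections

def lint_krb5_conf(text):
    """Return realm-consistency problems that leave kinit without a KDC."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    problems = []
    default = conf.get("libdefaults", {}).get("default_realm")
    if default and default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry (no kdc)")
    problems += [f"domain_realm maps {d} to undefined realm {r}"
                 for d, r in conf.get("domain_realm", {}).items() if r not in realms]
    return problems
```

Renaming the realm block to KRBTEST (or default_realm to AKTEST) makes the checker return an empty list; with dns_lookup_kdc = false there is no DNS fallback to paper over the mismatch.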