Hi,
Thanks for your input, but the kadmin princ wasn't the problem. The kadmin entry is correct.
Date: Fri, 18 Nov 2011 15:27:04 +0100 From: daff@pseudoterminal.org To: raffi.sahli@hotmail.com Subject: Re: OpenLDAP SASL Passthrough CC: openldap-technical@openldap.org
On 18/11/11 12:03, Raffael Sahli wrote:
I'm pretty sure the problem is not kerberos!
Hi,
I just had virtually the same problem with virtually the same error messages and symptoms on an authentication server based on MIT Kerberos, OpenLDAP and SASL. I was banging my head against the wall because everything was configured exactly right, identical to two other systems I set up recently that work just fine.
Keytab entries were correct, DNS resolution worked forwards and reverse, permissions and group memberships were correct as well, testsaslauth never complained, etc. There was no reason for SASL pass-through not to work.
Turns out the problem was DNS-related after all. When creating the realm, various internal principals are added, one of those is (or should be) "kadmin/auth01.example.com@REALM" (auth01.example.com being the FQDN of the Kerberos server). For some reason--probably a rogue entry in /etc/hosts--this principal was created as "kadmin/auth01@REALM", i.e. containing only the hostname, not the FQDN. Took me a whole week to figure that out.
You might want to check your Kerberos principal names and see if you might have run into a similar problem.
HTH
Andreas
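An added check, not part of this thread, that scans `kadmin.local -q listprincs` output for host-based service principals whose instance is a bare hostname rather than the FQDN, the mistake Andreas describes. The sample output, the HOST_SERVICES and NON_HOST_INSTANCES sets are assumptions made for the example.

```python
import re
import socket
import sys

# Constructed sample of `kadmin.local -q listprincs` output, not taken from the thread.
SAMPLE_LISTPRINCS = """\
Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/auth01@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldap/auth01.example.com@EXAMPLE.COM
"""

# Services whose instance part is expected to be a host FQDN (hypothetical choice).
HOST_SERVICES = {"kadmin", "ldap", "host"}
# kadmin instances that are legitimately not host names.
NON_HOST_INSTANCES = {"admin", "changepw", "history"}

PRINC_RE = re.compile(r"^([^/@\s]+)(?:/([^@\s]+))?@(\S+)$")


def parse_principals(text):
    """Yield (primary, instance, realm) for each principal line; banner lines are skipped."""
    for line in text.splitlines():
        m = PRINC_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_short_host_principals(text, fqdn):
    """Return (found, expected) pairs for host-based principals whose instance has no
    dots, e.g. kadmin/auth01@REALM where kadmin/auth01.example.com@REALM was intended."""
    shortname = fqdn.split(".")[0].lower()
    findings = []
    for primary, instance, realm in parse_principals(text):
        if primary not in HOST_SERVICES or instance is None:
            continue
        if instance in NON_HOST_INSTANCES or "." in instance:
            continue
        found = f"{primary}/{instance}@{realm}"
        # Suggest this host's FQDN when the bare name matches it, otherwise a placeholder.
        expected_host = fqdn if instance.lower() == shortname else f"{instance}.<domain>"
        findings.append((found, f"{primary}/{expected_host}@{realm}"))
    return findings


if __name__ == "__main__":
    # Pipe real `kadmin.local -q listprincs` output on stdin, or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTPRINCS
    for found, expected in find_short_host_principals(text, socket.getfqdn()):
        print(f"suspect principal {found}: expected {expected}")
```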