Hi,

Thanks for you input, but the kadmin princ wasn't the problem. The kadmin entry is correct.


> Date: Fri, 18 Nov 2011 15:27:04 +0100
> From: daff@pseudoterminal.org
> To: raffi.sahli@hotmail.com
> Subject: Re: OpenLDAP SASL Passthrough
> CC: openldap-technical@openldap.org
>
> On 18/11/11 12:03, Raffael Sahli wrote:
> > I'm pretty sure the problem is not kerberos!
>
> Hi,
>
> I just had virtually the same problem with virtually the same error
> messages and symptoms on an authentication server based on MIT Kerberos,
> OpenLDAP and SASL. I was banging my head against the wall because
> everything was configured exactly right, identical to two other systems
> I set up recently that work just fine.
>
> Keytab entries were correct, DNS resolution worked forwards and reverse,
> permissions and group memberships were correct as well, testsaslauth
> never complained, etc. There was no reason for SASL pass-through not to
> work.
>
> Turns out the problem was DNS-related after all. When creating the
> realm, various internal principals are added, one of those is (or should
> be) "kadmin/auth01.example.com@REALM" (auth01.example.com being the FQDN
> of the Kerberos server). For some reason--probably a rogue entry in
> /etc/hosts--this principal was created as "kadmin/auth01@REALM", i.e.
> containing only the hostname, not the FQDN. Took me a whole week to
> figure that out.


> You might want to check your Kerberos principal names and see if you
> might have ran into a similar problem.
>
> HTH
>
> Andreas
>