I normally use Debian for OpenLDAP and Kerberos, but now I have to use AlmaLinux 9. When I create a ticket with kinit I'm getting:
---------
[u1-prod@ldapserver1 ~]$ kinit
Password for u1-prod@EXAMPLE.NET:
[u1-prod@ldapserver1 ~]$ klist
Ticket cache: KCM:10001
Default principal: u1-prod@EXAMPLE.NET
---------
So the ticket cache is the KCM daemon and not FILE: like in Debian. When I do an ldapsearch or an ldapwhoami I'm getting:
-----------
[u1-prod@ldapserver1 ~]$ ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (get-principal lstat(/tmp/krb5cc_10001))
-----------
All the ldap commands are looking for the credential cache in FILE: and not in KCM:.
I'm using OpenLDAP 2.6 from the repositories.
Is there a way to make the ldap commands use KCM:?
On 01.04.24 at 15:09, Stefan Kania wrote:
Weird. For me, the ldap tools work without any issue on Alma 9 with KCM.
Per default, without any manual configuration. So I don't know how I can reproduce your issue.
But anyway: If you want back the old behavior with a file based ticket cache:
/etc/krb5.conf.d/kcm_default_ccache is your friend.
Best regards
Ulf
Hello Ulf,
thank you for your fast answer even on Easter Monday :-)
On 01.04.24 at 16:48, Ulf Volmer wrote:
> /etc/krb5.conf.d/kcm_default_ccache is your friend.
That's what I changed to go back to FILE:, but I can't get ldapsearch and ldapwhoami working with KCM:. I did not change anything in krb5.conf:
---------
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.NET

[realms]
 EXAMPLE.NET = {
  admin_server = kerberos1.example.net
 }

[domain_realm]
 .example.com = EXAMPLE.NET
-------------
And my /etc/krb5.conf.d/kcm_default_ccache looks like:
-------------
[libdefaults]
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}
-------------
So I'm back to FILE:.
As soon as I change to KCM: it's not working anymore :-. That's why I was thinking that there are maybe some settings for the openldap client commands.
Stefan
On 01.04.24 at 17:02, Stefan Kania wrote:
> As soon as I change to KCM: it's not working anymore :-. That's why I was thinking that there are maybe some settings for the openldap client commands.
I'm not aware of such a configuration setting.
Only idea is a wrong setting of $KRB5CCNAME, but I guess you should know if you have set this.
Best regards
Ulf
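The cache-selection rule that Ulf's two answers rely on (the /etc/krb5.conf.d/kcm_default_ccache fragment and a stray $KRB5CCNAME), as an added shell example that is not part of the thread and not code from OpenLDAP or MIT Kerberos: it resolves which credential cache name the Kerberos libraries will use, following the documented precedence KRB5CCNAME environment variable, then default_ccache_name in [libdefaults], then the compiled-in default FILE:/tmp/krb5cc_%{uid}, and reports the scheme. The lstat(/tmp/krb5cc_10001) in Stefan's error is exactly that compiled-in default resolved for uid 10001. Both config fragments are constructed samples: the KCM one is assumed to match what RHEL-family systems ship, the FILE one is the variant Stefan pasted.

```shell
#!/bin/sh
# Added example (not from the thread): work out which credential cache the
# Kerberos libraries will open, given the precedence
#   KRB5CCNAME env var > default_ccache_name in [libdefaults]
#   > compiled-in default FILE:/tmp/krb5cc_%{uid}

# Constructed sample fragments for /etc/krb5.conf.d/kcm_default_ccache.
# KCM_FRAGMENT is assumed to match the RHEL-family default; FILE_FRAGMENT
# is the override from the thread.
KCM_FRAGMENT='[libdefaults]
    default_ccache_name = KCM:'
FILE_FRAGMENT='[libdefaults]
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}'

# default_ccache_name_from: print the default_ccache_name value found in a
# krb5.conf fragment read from stdin (prints nothing if it is not set).
default_ccache_name_from() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# effective_ccache: $1 = value of KRB5CCNAME (may be empty), $2 = config
# text. Prints the cache name the libraries will use.
effective_ccache() {
    env_name=$1
    cfg_name=$(printf '%s\n' "$2" | default_ccache_name_from)
    if [ -n "$env_name" ]; then
        printf '%s\n' "$env_name"            # environment wins
    elif [ -n "$cfg_name" ]; then
        printf '%s\n' "$cfg_name"            # then the config fragment
    else
        printf '%s\n' "FILE:/tmp/krb5cc_$(id -u)"   # then the built-in default
    fi
}

# ccache_type: print the scheme (KCM, FILE, DIR, ...) of a cache name.
# A name with no scheme prefix is treated as a FILE cache, as krb5 does.
ccache_type() {
    case $1 in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Usage: show what a login shell with no KRB5CCNAME would get from each
# fragment, and how an exported KRB5CCNAME overrides the KCM fragment.
ccache_type "$(effective_ccache '' "$KCM_FRAGMENT")"
ccache_type "$(effective_ccache '' "$FILE_FRAGMENT")"
ccache_type "$(effective_ccache 'FILE:/tmp/krb5cc_10001' "$KCM_FRAGMENT")"
```

Running it against the real system is the same two calls with the live inputs: `effective_ccache "$KRB5CCNAME" "$(cat /etc/krb5.conf.d/kcm_default_ccache)"`. If the scheme that comes out differs from the one `klist` shows, something between the login session and the ldap command (a profile script, sudo, a service unit) is exporting its own KRB5CCNAME.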
On Mon, Apr 01, 2024 at 03:09:12PM +0200, Stefan Kania wrote:
Hi Stefan, I assume libsasl2 is linked to heimdal, which doesn't (yet?) support KCM? And on Debian you might have been using heimdal as your libkrb5, so no KCM cache used.
I think until then you need to switch to FILE based credential cache in your config or rebuild libsasl2 against MIT Kerberos to get access to it.
Regards,
Hi Ondrej,
thank you for your answer. On 02.04.24 at 10:47, Ondřej Kuzník wrote:
> I assume libsasl2 is linked to heimdal, which doesn't (yet?) support KCM? And on Debian you might have been using heimdal as your libkrb5, so no KCM cache used.
Then that's strange, because I only installed Red Hat packages, and I always thought that Red Hat only supports MIT Kerberos. But with FILE: it's working ;-) and that's the main thing.
Stefan
openldap-technical@openldap.org