Hello everybody,
I'm running debian squeeze (testing) with openldap 2.4.23 and MIT kerberos 1.8.3 KDC.
I had functional SASL/GSSAPI authentication configured, but recently it stopped working. I cannot be really sure, but I suspect the upgrade from openldap 2.4.22 is the cause.
In logs I see lots of this:
SASL [conn=1003] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
I added the sasl-realm option but it did not help. All other kerberos applications work without problem. Is there any (new) SASL option I missed? Or is it a bug in 2.4.23?
Thanks for any help.
Matej Zagiba
On 05/12/2010, at 00:51, Matej Zagiba wrote:
SASL [conn=1003] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
Do you mind showing us your slapd configuration, and also your sasl configuration?
William Brown
pgp.mit.edu
On 12/06/2010 01:22 AM, Indexer wrote:
On 05/12/2010, at 00:51, Matej Zagiba wrote:
SASL [conn=1003] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
Do you mind showing us your slapd configuration, and also your sasl configuration?
in /etc/ldap/slapd.conf I have:
# setup SASL and authentication identities mapping
sasl-host my.ldap.host
sasl-realm MY.KRB.REALM

authz-regexp uid=([^,/])([^,/]*),cn=my.krb.realm,cn=gssapi,cn=auth ldap:///ou=$1,ou=people,dc=domain,dc=top??one?(&(uid=$1$2)(objectClass=posixAccount))
authz-regexp uid=([^,/])([^,/]*),cn=gssapi,cn=auth ldap:///ou=$1,ou=people,dc=domain,dc=top??one?(&(uid=$1$2)(objectClass=posixAccount))
in /etc/krb5.conf I have:
[libdefaults]
    default_realm = MY.KRB.REALM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    MY.KRB.REALM = {
        kdc = krb1.my.domain
        kdc = krb2.my.domain
        admin_server = krb1.my.domain
        database_name = /var/lib/krb5kdc/principal
        iprop_enable = true
        iprop_master_ulogsize = 2048
        iprop_slave_poll = 30
        iprop_port = 755
    }

[domain_realm]
    .my.domain = MY.KRB.REALM
    my.domain = MY.KRB.REALM

[logging]
    kdc = FILE:/var/log/kdc5.log
    admin_server = FILE:/var/log/kadm5.log
    default = FILE:/var/log/krb5.log
I've generated a keytab file with the ldap/my.ldap.host principal and put it in /etc/ldap/ldap.keytab
Because I don't use {SASL} password scheme, there is no special SASL configuration. Usage is like this (client):
ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
server logs:
Dec 6 13:01:16 ldaphost slapd[30828]: conn=13532 fd=45 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Dec 6 13:01:16 ldaphost slapd[30828]: conn=13532 op=0 BIND dn="" method=163
Dec 6 13:01:16 ldaphost slapd[30828]: SASL [conn=13532] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
Dec 6 13:01:16 ldaphost slapd[30828]: conn=13532 op=0 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
Dec 6 13:01:16 ldaphost slapd[30828]: conn=13532 fd=45 closed (connection lost)
I tried googling the problem, but it didn't help.
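The two authz-regexp rules in the slapd.conf above map the SASL authentication DN that slapd builds from the Kerberos principal (uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth; per the OpenLDAP admin guide the cn=<realm> component is omitted when the realm is the local default realm, which is why a second rule without it is needed) onto an LDAP URL that locates the posixAccount entry. The following is an added example, not code from this thread or from OpenLDAP: a small Python re-implementation of authz-regexp evaluation, used to show what the posted rules do and which principals they refuse to map. It assumes slapd's first-match-wins rule order and case-insensitive pattern matching; the sample principals and the dc=domain,dc=top suffix are the thread's placeholders or constructed.

```python
import re

# Constructed re-implementation of slapd's authz-regexp evaluation (this is
# NOT OpenLDAP's code): rules are tried in order, the first match wins, and
# $N in the replacement is the N-th capture group of the matched pattern.
# The two rules are the ones quoted from slapd.conf in this thread.
AUTHZ_REGEXP_RULES = [
    (r"uid=([^,/])([^,/]*),cn=my.krb.realm,cn=gssapi,cn=auth",
     "ldap:///ou=$1,ou=people,dc=domain,dc=top??one?(&(uid=$1$2)(objectClass=posixAccount))"),
    (r"uid=([^,/])([^,/]*),cn=gssapi,cn=auth",
     "ldap:///ou=$1,ou=people,dc=domain,dc=top??one?(&(uid=$1$2)(objectClass=posixAccount))"),
]

# Characters that carry meaning inside an LDAP search filter (RFC 4515).
# The capture class [^,/] excludes ',' and '/', but not these, so a uid
# containing them would be substituted unescaped into the generated filter.
FILTER_METACHARS = set("*()\\\0")


def map_sasl_authcid(sasl_dn, rules=AUTHZ_REGEXP_RULES):
    """Return the LDAP URL produced by the first matching rule, or None when
    no rule matches (slapd then leaves the SASL DN unmapped)."""
    for pattern, replacement in rules:
        # assumption: slapd compiles authz-regexp patterns case-insensitively
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def split_ldap_url(url):
    """Split an ldap:/// URL into (base, attrs, scope, filter) per RFC 4516."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled")
    parts = url[len("ldap:///"):].split("?", 3)
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = parts
    return base, attrs, scope or "base", filt


def mapping_report(sasl_dn):
    """Map one SASL DN and flag filter metacharacters in the uid it embeds."""
    url = map_sasl_authcid(sasl_dn)
    if url is None:
        return {"sasl_dn": sasl_dn, "mapped": False}
    base, attrs, scope, filt = split_ldap_url(url)
    uid = sasl_dn[len("uid="):].split(",", 1)[0]
    return {
        "sasl_dn": sasl_dn, "mapped": True, "base": base, "scope": scope,
        "filter": filt, "unsafe_uid": any(c in FILTER_METACHARS for c in uid),
    }


if __name__ == "__main__":
    for dn in ("uid=jdoe,cn=MY.KRB.REALM,cn=gssapi,cn=auth",   # default realm, explicit
               "uid=jdoe,cn=gssapi,cn=auth",                   # default realm, omitted
               "uid=jdoe,cn=OTHER.REALM,cn=gssapi,cn=auth",    # foreign realm: unmapped
               "uid=host/ldap.my.domain,cn=gssapi,cn=auth"):   # instance part: unmapped
        print(mapping_report(dn))
```

Two properties of the posted rules are worth seeing concretely: a principal from a realm other than the default never matches either rule (the `,cn=gssapi` that follows the uid capture is required immediately, so a foreign realm component blocks the match), and service principals with an instance such as host/... are excluded by the `/` in the character class, so only plain user principals are ever mapped to a people entry. The `unsafe_uid` flag in the report is a hardening check: the first-character sharding into ou=$1 and the (uid=$1$2) filter take the principal verbatim, so tightening the class to the characters your principals actually use keeps filter metacharacters out of the generated search.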
SASL [conn=1003] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
Do you mind showing us your slapd configuration, and also your sasl configuration?
My mistake, I was busy at work, and misunderstood. No need for SASL unless you use userPassword: {SASL}user@realm
I've generated a keytab file with the ldap/my.ldap.host principal and put it in /etc/ldap/ldap.keytab
Is your server configured to have the keytab in /etc/ldap/ldap.keytab? I use mine from /etc/krb5.keytab normally. See below for more.
Because I don't use {SASL} password scheme, there is no special SASL configuration. Usage is like this (client):
ldapsearch -Y GSSAPI SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
What command do you use to generate this error? Do you have a krb5 ticket granted? You can check with klist.
I tried googling the problem, but it didn't help.
http://www.openldap.org/doc/admin24/appendix-common-errors.html
That lists the error you have, but it may not be the correct fix you need.
Look at sections C.2.4 and C.1.21.
Hope this helps you, and gets you on the right track.
William Brown
pgp.mit.edu
I have set KRB5_KTNAME in the slapd startup script (/etc/default/slapd):
export KRB5_KTNAME=/etc/ldap/ldap.keytab
It's to separate the system keytab from LDAP's. Anyway, that is a different error.
Matej
hi folks,
I apologize for my own stupidity, problem was in access rights to /etc/krb5.conf on ldap server.
Matej
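The resolution reported above was a file-permission problem rather than an OpenLDAP regression: slapd runs as its own unprivileged user, and when that user cannot read /etc/krb5.conf the Kerberos library sees no default_realm, which in this thread surfaced as the GSSAPI "Configuration file does not specify default realm" failure. As an added example that is not part of the thread, here is a Python check for the two files slapd needs, krb5.conf and the keytab named by KRB5_KTNAME in /etc/default/slapd, evaluated for a given uid and group set from mode bits and ownership. The demo files, the pretend slapd uid and the paths are constructed; POSIX ACLs and LSM policy are not modelled.

```python
import os
import re
import stat
import tempfile


def readable_by(path, uid, gids):
    """Decide from mode bits and ownership whether a process running as uid
    with group set gids could open path for reading. POSIX ACLs, LSM policy
    and capabilities are not modelled; root is assumed to read anything."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def keytab_from_defaults(text):
    """Extract the KRB5_KTNAME path from /etc/default/slapd-style text,
    accepting an optional 'export' and 'FILE:' prefix; None if unset."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?:export\s+)?KRB5_KTNAME=(?:FILE:)?([^\s#]+)", line)
        if m:
            return m.group(1).strip("\"'")
    return None


def check_slapd_krb_files(krb5_conf, keytab, uid, gids):
    """Return a list of problems; an empty list means both files are readable."""
    problems = []
    if not readable_by(krb5_conf, uid, gids):
        problems.append(f"{krb5_conf}: not readable by uid {uid} "
                        "(libkrb5 then sees no default_realm; the symptom in this thread)")
    if not readable_by(keytab, uid, gids):
        problems.append(f"{keytab}: not readable by uid {uid} "
                        "(slapd cannot acquire its ldap/ service credentials)")
    return problems


def demo():
    """Constructed scenario: temp files we own, checked for a pretend slapd uid."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "krb5.conf")
        # constructed stand-in for /etc/default/slapd, as quoted in the thread
        defaults = ("# constructed /etc/default/slapd\n"
                    "export KRB5_KTNAME=" + os.path.join(d, "ldap.keytab") + "\n")
        keytab = keytab_from_defaults(defaults)
        for p in (conf, keytab):
            with open(p, "w") as f:
                f.write("# constructed placeholder, not real configuration or keys\n")
        slapd_uid = os.getuid() + 1             # some uid that is not ours (and not root)
        slapd_gids = {os.stat(keytab).st_gid}   # pretend slapd's group is the keytab's group
        os.chmod(conf, 0o600)                   # the misconfiguration: krb5.conf private to its owner
        os.chmod(keytab, 0o600)
        before = check_slapd_krb_files(conf, keytab, slapd_uid, slapd_gids)
        os.chmod(conf, 0o644)                   # krb5.conf holds no secrets: world-readable is normal
        os.chmod(keytab, 0o640)                 # keytab: owner and slapd's group only
        after = check_slapd_krb_files(conf, keytab, slapd_uid, slapd_gids)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, problems in demo().items():
        print(phase, problems or "ok")
```

On a real Debian host the same functions can be pointed at /etc/krb5.conf and at the keytab extracted from /etc/default/slapd, with the uid and groups of the openldap user (from the passwd and group databases); the point of the separate keytab in Matej's setup is exactly that it can be kept readable by slapd's group only, while krb5.conf should stay world-readable because it contains no secrets.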
openldap-technical@openldap.org