SASL added principals to Kerberos cache but returned error.

sam samwun at hgcbroadband.com
Thu Jun 3 10:15:59 EDT 2004


Hi,

I just tested SASL 2.1.18, changed the host and service name to be the 
same name during the testing of the sample client and server, and it 
actually added the new principals to the Kerberos cache (running Heimdal 
Kerberos 5, the latest version as I downloaded today).
klist showed that the following new principals had been added to the 
Kerberos cache:

root at fbsd [7:26pm] [...cyrus-sasl-2.1.18/sample]# klist
Credentials cache: FILE:/tmp/krb5cc_0
       Principal: sam at ROCK.COM

Issued           Expires          Principal
Jun  3 17:17:53  Jun  3 23:57:53  krbtgt/ROCK.COM at ROCK.COM
Jun  3 17:18:53  Jun  3 23:57:53  host/fbsd.rock.com at ROCK.COM
Jun  3 18:46:25  Jun  3 23:57:53  root/fbsd.rock.com at ROCK.COM
Jun  3 19:15:24  Jun  3 23:57:53  sam/fbsd.rock.com at ROCK.COM

The last three principals were added during the test of the sample client 
and server in Cyrus-sasl 2.1.18.
But the test still returned errors such as:
lt-sample-client: SASL Other: GSSAPI Error:  A token was invalid 
(Unknown error: 0)
lt-sample-client: Performing SASL negotiation: generic failure

What should I do to fix this problem? I'm afraid this will bring in 
other problems when I further configure OpenLDAP.

Thanks
sam


The Shell wrote:

 > Hi,
 >
 > I finally got GSSAPI compiled with SASL, but an error occurred when 
testing the sample client and server.
 > The klist command of Heimdal Kerberos 5 showed the following principals:
 > root at fbsd [5:13pm] [...cyrus-sasl-2.1.18/sample]# klist
 > Credentials cache: FILE:/tmp/krb5cc_0
 >        Principal: sam at ROCK.COM
 >   Issued           Expires          Principal
 >   Jun  3 17:17:53  Jun  3 23:57:53  krbtgt/ROCK.COM at ROCK.COM
 >   Jun  3 17:18:53  Jun  3 23:57:53  host/fbsd.rock.com at ROCK.COM
 > root at fbsd [5:31pm] [...cyrus-sasl-2.1.18/sample]#
 >
 > Message from the sample server::
 > ./sample-server -s host -p ../plugins/.libs
 > .......
 > got 'GSSAPI'
 > Sending response...
 > S: 
YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREAEQM3hY7ovvFlIeYJwJOZzxv+NwWaQnhoHi6007SbsVDMiJfeHZpYU/PHelUTE6CwS46H8N10ObrvAAwKDzXXb2nIh0=
 > Waiting for client reply...
 > ^C
 > root at fbsd [5:22pm] [...cyrus-sasl-2.1.18/sample]#
 >
 > Message from sample client:
 > ./sample-client -s host -n fbsd.rock.com -u root -p ../plugins/.libs
 > .....
 > C:
 > Waiting for server reply...
 > S: 
YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREAEQM3hY7ovvFlIeYJwJOZzxv+NwWaQnhoHi6007SbsVDMiJfeHZpYU/PHelUTE6CwS46H8N10ObrvAAwKDzXXb2nIh0=
 > recieved 110 byte message
 > lt-sample-client: SASL Other: GSSAPI Error:  A token was invalid 
(Unknown error: 0)
 > lt-sample-client: Performing SASL negotiation: generic failure
 > root at fbsd [5:21pm] [...cyrus-sasl-2.1.18/sample]#
 >
 > I'm using the latest version of Cyrus-sasl and Heimdal Kerberos on 
FreeBSD 5.2.1
 > thanks
 > sam
 >
 >
 >


 > eBSD4.9, the slave is openldap-2.1.22 on RH-7.3.
 >
 > So, it looks like the master is sending ldifs via slurpd to the 
slave, and the slave is refusing to make the modifications, possibly due 
to a hardcoded schema.
 >
 >
 > The slurpd reject file looks like this:
 >
 > ERROR: entryCSN: no user modification allowed
 > replica: ldap:0
 > time: 1086269077.0
 > dn: uid=myuser,ou=radius,dc=mydomain,dc=com
 > changetype: modify
 > replace: userPassword
 > userPassword:: ********
 > -
 > replace: entryCSN
 > entryCSN: 2004060313:24:37Z#0x0001#0#0000
 > -
 > replace: modifiersName
 > modifiersName: uid=myadmin,dc=mydomain,dc=com
 > -
 > replace: modifyTimestamp
 > modifyTimestamp: 20040603132437Z
 >
 >
 > slurpd shows:
 >
 > Initializing session to ldap:0
 > bind to ldap:0 as uid=myadmin,dc=mydomain,dc=com (simple)
 > request 1 done
 > replica ldap:0 - modify dn "uid=myuser,ou=radius,dc=mydomain,dc=com"
 > request 2 done
 > Error: ldap_modify_s failed modifying "entryCSN: no user modification 
allowed": uid=myuser,ou=radius,dc=domain,dc=com
 > Error: ldap operation failed, data written to 
"/var/db/openldap-slurp/replica/ldap:0.rej"
 >
 >
 >
 > Have I missed something?  Is it obvious what's wrong?
 >
 > Thanks,
 >
 > Gavin
 >
 >
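The GSSAPI exchange quoted above can be narrowed down offline: the base64 line the sample server prints after "S:" is a GSS-API InitialContextToken (RFC 2743 section 3.1), and decoding its wrapper shows which handshake message the client was rejecting when it reported "A token was invalid". The following is an added example, not code from the post, from Cyrus SASL or from Heimdal; it embeds the post's own server token as a constant, and the OID, TOK_ID and Kerberos tag lookup tables are assumptions taken from RFC 1964 and RFC 4120.

```python
import base64

# Token the sample server printed in the post above after "S:" (110 bytes decoded).
SERVER_TOKEN = ("YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREAEQM3hY7ovvFlIeYJwJOZz"
                "xv+NwWaQnhoHi6007SbsVDMiJfeHZpYU/PHelUTE6CwS46H8N10ObrvAAwKDzXXb2nIh0=")

# Assumed lookup tables: mechanism OIDs (RFC 1964 / RFC 4178), RFC 1964 TOK_ID values,
# and the ASN.1 APPLICATION tags of the Kerberos message that follows TOK_ID (RFC 4120).
MECH_OIDS = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.3.6.1.5.5.2": "SPNEGO"}
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}
KRB_TAGS = {0x6e: "AP-REQ", 0x6f: "AP-REP", 0x7e: "KRB-ERROR"}


def der_length(buf, pos):
    """Return (length, position after the length field) for the DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length octets follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(raw):
    """Turn DER OID content octets into dotted notation."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def parse_gss_token(b64):
    """Describe the outer framing of a GSS-API InitialContextToken; raise on malformed input."""
    tok = base64.b64decode(b64)
    if not tok or tok[0] != 0x60:
        raise ValueError("missing [APPLICATION 0] wrapper: not an InitialContextToken")
    length, pos = der_length(tok, 1)
    if pos + length != len(tok):
        raise ValueError("wrapper says %d bytes, got %d" % (pos + length, len(tok)))
    if tok[pos] != 0x06:
        raise ValueError("mechanism OID missing after the wrapper")
    oid_len, pos = der_length(tok, pos + 1)
    oid = decode_oid(tok[pos:pos + oid_len])
    pos += oid_len
    tok_id, inner = tok[pos:pos + 2], tok[pos + 2:]
    return {"bytes": len(tok), "mech": MECH_OIDS.get(oid, oid),
            "tok_id": TOK_IDS.get(tok_id, tok_id.hex()),
            "inner": KRB_TAGS.get(inner[0], "0x%02x" % inner[0]) if inner else "none"}
```

On the post's token this reports mechanism Kerberos V5, TOK_ID KRB_AP_REP and an inner AP-REP, so the server had already accepted the client's AP-REQ and the client fails while checking the server's reply, not while building its own request.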


More information about the Kerberos mailing list