wyllys.ingersoll at sun.com
Sun Feb 13 21:48:37 EST 2005
> I got a MIT kerberos server and a iPlanet Directory server setup.
> So far, I could get TGT and telnet into a telnet server and had a
> service ticket. so, i think as far kerberos part, it's working.
> Now, after successfully kinit from a client, when I tried ldapsearch
> -h test.com -b dc=example,dc=com -o mech=GSSAPI uid=testuser it'd ask
> for please enter your authorization name:
> then the error message: unable to initialize mechanism library
> [/usr/lib/gss/gl/mech_krb5.so] unable to initialize mechanism library
> [/usr/lib/gss/gl/mech_krb5.so] ldap_sasl_interactive_bind_s: Local
You don't mention which OS you are running, but it seems
that you must be running Solaris 8 or Solaris 9. I would guess
that you probably installed the SEAM packages for Solaris.
The likely problem is that Solaris 8 and 9 do not have support for the
same encryption types as the newer MIT Kerberos code. If the
server (MIT) is issuing keys that the client (Solaris) cannot understand,
the client library will not be able to do anything with the tickets.
Send output of "klist -ef" to show the enctypes used in your
client's ticket cache, if they show up as numbers (ex: "enctype 17 ...")
instead of names ("AES-128 ..."), then this is definitely the problem.
If your cache already has only DES keys, then there must be something
Solaris 10 has support for all of the enctypes that MIT supports.
More information about the Kerberos