/usr/lib/gss/gl/mech_krb5.so

coady coady at new.com
Mon Feb 14 15:26:56 EST 2005


Both the LDAP client and Kerberos server are running Solaris 8.
Sun Directory server 5.2.

bash-2.03# klist -ef
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testadmin/admin at example.com

Valid starting     Expires            Service principal
02/14/05 09:30:57  02/14/05 19:30:57  krbtgt/example.com at example.com
         renew until 02/14/05 09:30:57, Flags: RI
         Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Thank you.




kerberos-request at mit.edu wrote:

> 
> Today's Topics:
> 
>    1. Re: /usr/lib/gss/gl/mech_krb5.so (Wyllys Ingersoll)
> 
> 
> ----------------------------------------------------------------------
> 
> Date: Sun, 13 Feb 2005 21:48:37 -0500
> From: Wyllys Ingersoll <wyllys.ingersoll at sun.com>
> To: coady <coady at new.com>
> Cc: kerberos at mit.edu
> Subject: Re: /usr/lib/gss/gl/mech_krb5.so
> Message-ID: <42101185.6050108 at sun.com>
> In-Reply-To: <9k5Pd.1315$UN1.521 at news.itd.umich.edu>
> References: <9k5Pd.1315$UN1.521 at news.itd.umich.edu>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Precedence: list
> Message: 1
> 
> coady wrote:
> 
> 
>> Hi,
>>
>> I got a MIT kerberos server and a iPlanet Directory server setup.
>>
>> So far, I could get TGT and telnet into a telnet server and had a
>> service ticket. so, i think as far kerberos part, it's working.
>>
>> Now, after successfully kinit from a client, when I tried ldapsearch
>> -h test.com -b dc=example,dc=com -o mech=GSSAPI uid=testuser it'd ask
>> for please enter your authorization name:
> 
> 
>> then the error message: unable to initialize mechanism library
>> [/usr/lib/gss/gl/mech_krb5.so] unable to initialize mechanism library
>> [/usr/lib/gss/gl/mech_krb5.so] ldap_sasl_interactive_bind_s: Local
>> error
> 
> 
> 
> You don't mention which OS you are running, but it seems
> that you must be running Solaris 8 or Solaris 9.    I would guess
> that you probably installed the SEAM packages for Solaris.
> 
> The likely problem is that Solaris 8 and 9 do not have support for the
> same encryption types as the newer MIT Kerberos code.  If the
> server (MIT) is issuing keys that the client (Solaris) cannot understand,
> the client library will not be able to do anything with the tickets.
> 
> Send output of "klist -ef" to show the enctypes used in your
> client's ticket cache, if they show up as numbers (ex:  "enctype 17 ...")
> instead of names ("AES-128 ..."), then this is definitely the problem.
> If your cache already has only DES keys, then there must be something
> else wrong.
> 
> Solaris 10 has support for all of the enctypes that MIT supports.
> 
> -Wyllys
> 
> ------------------------------
> 
> 
> 
> End of Kerberos Digest, Vol 26, Issue 17
> ****************************************
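The diagnostic Wyllys describes (read the Etype line of `klist -ef` and look for enctypes the client library cannot name) can be scripted. The following is an added example, not code from either poster or from Sun/MIT. It assumes: the enctype numbers in `ENCTYPE_NAMES` (taken from the RFC 3961/3962/4757 registry), the long enctype names in `LONG_TO_SHORT` (the form older MIT `klist` prints, as in the post), and `SOLARIS8_ASSUMED` as a stand-in for what an old SEAM client can handle; that last set is an assumption for illustration, not a statement of what any Solaris release actually supports. `SAMPLE_FROM_POST` is the poster's `klist -ef` output (with the list archive's "at" turned back into "@"); `SAMPLE_AES` is constructed to show the failing case with numeric enctypes.

```python
import re

# Enctype numbers from the Kerberos registry (RFC 3961/3962/4757). Common ones only;
# anything else is reported as "etype N".
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

# Long names as older MIT klist prints them (assumption: matches the post's output).
LONG_TO_SHORT = {
    "des cbc mode with crc-32": "des-cbc-crc",
    "des cbc mode with rsa-md5": "des-cbc-md5",
    "triple des cbc mode with hmac/sha1": "des3-cbc-sha1",
    "aes-128 cts mode with 96-bit sha-1 hmac": "aes128-cts-hmac-sha1-96",
    "aes-256 cts mode with 96-bit sha-1 hmac": "aes256-cts-hmac-sha1-96",
    "arcfour with hmac/md5": "arcfour-hmac",
}

# ASSUMPTION for the example: what an old SEAM (Solaris 8/9) client is taken to handle.
# The thread only says such clients lack the newer MIT enctypes; this set is illustrative.
SOLARIS8_ASSUMED = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

# The "Etype (skey, tkt): ..." line, which klist may wrap across lines; stop at a blank
# line, the next ticket's date column, or end of input.
ETYPE_RE = re.compile(
    r"Etype \(skey, tkt\):\s*(?P<etypes>.*?)(?=\n\s*\n|\n\d\d/\d\d/\d\d|\Z)",
    re.DOTALL,
)


def normalize(name):
    """Turn one enctype token into a short MIT name ("etype 17" -> aes128-...)."""
    m = re.fullmatch(r"(?:etype|enctype)\s+(\d+)", name, re.IGNORECASE)
    if m:
        n = int(m.group(1))
        return ENCTYPE_NAMES.get(n, f"etype {n}")
    return LONG_TO_SHORT.get(name.lower(), name.lower())


def parse_etypes(klist_output):
    """Return [(session_key_enctype, ticket_enctype), ...], one tuple per ticket."""
    result = []
    for m in ETYPE_RE.finditer(klist_output):
        text = " ".join(m.group("etypes").split())  # undo line wrapping
        parts = [p.strip() for p in text.split(",")]
        if len(parts) == 2:
            result.append((normalize(parts[0]), normalize(parts[1])))
    return result


def unusable_by_client(klist_output, client_supported):
    """Session-key enctypes in the cache that the client library cannot use.

    Only the session key matters on the client side: the ticket itself is
    encrypted in the KDC's or service's key and the client never decrypts it.
    """
    bad = {skey for skey, _tkt in parse_etypes(klist_output)
           if skey not in client_supported}
    return sorted(bad)


# The poster's own klist -ef output (from the message above).
SAMPLE_FROM_POST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testadmin/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/14/05 09:30:57  02/14/05 19:30:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/14/05 09:30:57, Flags: RI
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple
DES cbc mode with HMAC/sha1


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
"""

# Constructed sample: an MIT KDC issued AES session keys the client prints by number.
SAMPLE_AES = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testadmin/admin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/14/05 09:30:57  02/14/05 19:30:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/14/05 09:30:57, Flags: RI
        Etype (skey, tkt): etype 17, etype 18
02/14/05 09:31:10  02/14/05 19:30:57  ldap/test.com@EXAMPLE.COM
        renew until 02/14/05 09:30:57
        Etype (skey, tkt): DES cbc mode with CRC-32, etype 18
"""

if __name__ == "__main__":
    for label, sample in (("post", SAMPLE_FROM_POST), ("constructed", SAMPLE_AES)):
        print(label, parse_etypes(sample),
              "unusable:", unusable_by_client(sample, SOLARIS8_ASSUMED))
```

On the poster's cache both session key and ticket are 3DES by name, so the script reports nothing unusable; that is the "cache already has only DES keys, then there must be something else wrong" branch of the reply. On the constructed cache the TGT session key comes back as `etype 17`, which is what the reply says to look for.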


