Kerberos - GSSAPI config problem: No such file or directory

Charles Hymes chymes at hymerfania.com
Thu Jan 17 12:46:13 EST 2008


Hi folks,
I'm having a really hard time debugging this, and at the moment I think it's a
Kerberos config problem, and not really LDAP.
I'm trying to do a new ldap+MIT kerberos install, on a new Fedora 7 box. I
can kinit, but I can't get ldapsearch or ldapwhoami to work locally. I
thought it was a read problem with the keytab files, but I tried setting
KRB5_KTNAME to a keytab file I knew was readable by slapd, and that did not
help. I also checked permissions on my certificates, and that seems OK too.
ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.

I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not
show which resource is not accessible, or even any attempts to open the
keytabs or anything in /etc/openldap/cacerts. I'm surprised that the strace
on krb5kdc never shows any response to my ldap queries.

I briefly tried making /etc/krb5.keytab world readable; it did not
change the "No such file" error.
The logs I check are /var/log/messages, slapd and krb5kdc.log. The logs do
not show the ldap client error. I DID see some SELinux errors for
krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This did
not stop the error. I guess I'll try turning SELinux off, and see if that
makes any difference.

Any help would be greatly appreciated :)

*******************************************
*******************************************

[installer@trixter ~]$ ldapwhoami -V -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
(LDAP library: OpenLDAP 20333)
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory)

*******************************************
*******************************************

[installer@trixter ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: installer@HYMESRUZICKA.ORG

Valid starting     Expires            Service principal
01/15/08 13:11:43  01/16/08 13:11:43  krbtgt/HYMESRUZICKA.ORG@HYMESRUZICKA.ORG
01/15/08 13:12:35  01/16/08 13:11:43  ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

*******************************************
*******************************************

[root@trixter ~]# find / -iname "*keytab*" -ls
49547109    8 -rw-r--r--   1 root     root          712 Jan 15 13:00 /etc/krb5.keytab
49610949    8 -rw-r--r--   1 fdirsvr  fdirsvr       712 Jan 15 13:00 /etc/dirsrv/slapd-trixter/dirsrv.keytab
22746332    8 -rw-------   1 root     root          454 Jan 13 10:26 /var/kerberos/krb5kdc/kadm5.keytab

*******************************************
*******************************************
[root@trixter ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HYMESRUZICKA.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
  HYMESRUZICKA.ORG = {
  kdc = kerberos.hymesruzicka.org:88
  admin_server = trixter.hymesruzicka.org:749
  default_domain = hymesruzicka.org
  dict_file = /usr/share/dict/words
 }

[domain_realm]
 .hymesruzicka.org = HYMESRUZICKA.ORG
 hymesruzicka.org = HYMESRUZICKA.ORG

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


*******************************************
*******************************************

[installer@trixter ~]$ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# This file should be world readable but not world writable.

BASE dc=hymesruzicka,dc=org
URI ldap://trixter.hymesruzicka.org:11562 ldaps://trixter.hymesruzicka.org:636
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
#SIZELIMIT 12
TIMELIMIT 5
#DEREF never
*******************************************
*******************************************

BTW: Here's the command with debug on:
[installer@trixter ~]$ ldapwhoami -V -d 1 -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
kojibuilder@xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
(LDAP library: OpenLDAP 20333)
ldap_create
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP trixter.hymesruzicka.org:11562
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.3:11562
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=trixter.hymesruzicka.org
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 589 bytes to sd 3
ldap_result ld 0x8d82038 msgid 1
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
wait4msg ld 0x8d82038 msgid 1 (infinite timeout)
wait4msg continue ld 0x8d82038 msgid 1 all 1
** ld 0x8d82038 Connections:
* host: trixter.hymesruzicka.org port: 11562 (default)
refcnt: 2 status: Connected
last used: Wed Jan 16 10:11:11 2008

** ld 0x8d82038 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x8d82038 Response Queue:
Empty
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
ldap_int_select
read1msg: ld 0x8d82038 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
read1msg: ld 0x8d82038 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8d82038 0 new referrals
read1msg: mark request completed, ld 0x8d82038 msgid 1
request done: ld 0x8d82038 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory)
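
An added diagnostic example, not code from the post, from OpenLDAP or from MIT Kerberos. In the -d 1 trace above the "No such file or directory" text arrives inside the 148-byte bind result that slapd sends back, so the open() that fails with ENOENT is on the server side. The usual candidate there is the keytab libkrb5 tries to read for the acceptor: KRB5_KTNAME as set in slapd's own environment (not in the shell where ldapwhoami ran), else /etc/krb5.keytab; the other common one is the acceptor's replay cache, which this script does not cover. The script parses the MIT keytab file format (version 0x0502) directly, so it runs without krb5 tools, lists what `klist -kt <path>` run as the slapd user would list, and distinguishes a missing file, an unreadable one, and one that lacks the ldap/<fqdn>@REALM entry the bind targets. The sample keytab is constructed inline with dummy keys; the principal names come from the klist output above.

```python
"""Inspect the keytab a GSSAPI acceptor (slapd here) would open.

Example code written for this page; the keytab bytes are constructed inline
(dummy keys, principal names from the post) so it runs self-contained.
"""
import errno
import os
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"   # keytab format version 2: all integers big-endian
ENCTYPE_AES128_CTS = 17      # enctype number used for the sample entries only
NT_PRINCIPAL = 1             # name_type stored with each entry


def _counted(data):
    """Counted octet string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.

    Writer for the example only; real keytabs come from kadmin ktadd/ktutil.
    Per entry: int32 size, uint16 ncomponents, realm, components,
    uint32 name_type, uint32 timestamp, uint8 vno8,
    keyblock (uint16 enctype, uint16 keylen, key), optional uint32 kvno.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n].decode(), pos + n


def parse_keytab(blob):
    """Return [{principal, kvno, enctype}, ...]; key bytes are skipped, not returned."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab (magic %r)" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + keylen            # step over the key itself
        kvno = vno8
        if end - pos >= 4:           # trailing 32-bit kvno, when present
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def acceptor_keytab_path(env=None):
    """Path libkrb5 opens for the acceptor: KRB5_KTNAME (a FILE: prefix is
    allowed) from the server's environment, else the default /etc/krb5.keytab."""
    env = os.environ if env is None else env
    name = env.get("KRB5_KTNAME", "/etc/krb5.keytab")
    return name[5:] if name.startswith("FILE:") else name


def check_keytab(path, service_principal):
    """Open the keytab as the service user would and classify the outcome:
    'missing' (ENOENT, the minor code in the post), 'unreadable' (EACCES),
    'no-service-principal', or 'ok'."""
    try:
        with open(path, "rb") as f:
            blob = f.read()
    except OSError as e:
        if e.errno == errno.ENOENT:
            return "missing"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "unreadable"
        raise
    present = {e["principal"] for e in parse_keytab(blob)}
    return "ok" if service_principal in present else "no-service-principal"


def sample_keytab_file():
    """Write the constructed sample keytab to a temp file and return its path."""
    blob = build_keytab([
        ("ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG", 3, ENCTYPE_AES128_CTS, b"\x11" * 16),
        ("host/trixter.hymesruzicka.org@HYMESRUZICKA.ORG", 2, ENCTYPE_AES128_CTS, b"\x22" * 16),
    ])
    fd, path = tempfile.mkstemp(suffix=".keytab")
    with os.fdopen(fd, "wb") as f:
        f.write(blob)
    return path


if __name__ == "__main__":
    ldap_princ = "ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG"
    path = sample_keytab_file()
    for e in parse_keytab(open(path, "rb").read()):
        print("kvno %d enctype %d %s" % (e["kvno"], e["enctype"], e["principal"]))
    print(path, check_keytab(path, ldap_princ))
    print("/etc/krb5.keytab.missing", check_keytab("/etc/krb5.keytab.missing", ldap_princ))
    print("acceptor would open:", acceptor_keytab_path({"KRB5_KTNAME": "FILE:/etc/krb5.keytab"}))
    os.unlink(path)
```

On the box itself the useful call is check_keytab(acceptor_keytab_path(), "ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG") run under the uid slapd actually runs as, with KRB5_KTNAME set the way slapd's init script sets it rather than the way the interactive shell does. An "ok" from that combination, together with the ldap/ service ticket already visible in klist, means the ENOENT is coming from something other than the keytab.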