Kerberos - GSSAPI config problem: No such file or directory

Listbox listbox at hymerfania.com
Thu Jan 17 18:51:36 EST 2008


Thanks so much guys!
THAT problem was an LDAP problem, not a Kerberos problem. In the latest
version of the Fedora slapd, it runs a script
"/etc/sysconfig/dirsrv" to get any environment variables. In that script I
found: 
"KRB5_KTNAME=/var/kerberos/krb5kdc/fdirsrv.keytab ; export KRB5_KTNAME"

     Unfortunately, I was trying to put
 
"export KRB5_KTNAME=/etc/dirsrv/slapd-trixter/fdirsrv.keytab" 

     in my slapd startup script, but that value was overwritten by the time
slapd was running.
For whatever reason, Fedora slapd 1.1 does not log the file-not-found error
for the keytab file. I moved my keytab to the filename exported in
/etc/sysconfig/dirsrv, and that problem was solved.

Now I'm trying to figure out why 
"Key version number for principal in key table is incorrect"
Even after I remove the keys for my principal from my keytab file, then
re-add them....


Thanks again!

C
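The two checks described in the message above, as an added example that is not code from the thread or from the Fedora directory server: first, which keytab path the service really ends up with once a sysconfig file is sourced after the startup script's own export (the override described above), and second, whether the key version number (kvno) stored in that keytab matches what the KDC holds, which is the condition behind "Key version number for principal in key table is incorrect". The sysconfig path, the `klist -kt` listing and the `kadmin getprinc` output are constructed sample data; the principal name is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for a GSSAPI-enabled
# service: (1) the keytab path the service actually sees, and (2) whether
# the keytab's kvno for the service principal matches the KDC's.
# All sample data below is constructed; the principal is the thread's.

PRINC='ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG'

# (1) Emulate the startup sequence: the startup script exports
#     KRB5_KTNAME ($1), then a sysconfig file ($2, e.g. /etc/sysconfig/dirsrv)
#     is sourced afterwards and can override it. Runs in a subshell so the
#     caller's environment is untouched. Falls back to the MIT default.
effective_keytab() {
    (
        KRB5_KTNAME="$1"; export KRB5_KTNAME
        if [ -r "$2" ]; then . "$2"; fi
        printf '%s\n' "${KRB5_KTNAME:-/etc/krb5.keytab}"
    )
}

# (2a) Highest kvno stored for principal $1 in `klist -kt` (or -kte) output
#      read from stdin. Prints 0 when the principal is absent, which is
#      the "No such file or directory"-style failure in its own right.
keytab_kvno() {
    awk -v p="$1" '
        BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($i == p && $1 + 0 > max) max = $1 + 0
        }
        END { print max + 0 }'
}

# (2b) kvno the KDC holds, from `kadmin -q "getprinc <principal>"` output
#      read from stdin: "Key: vno N, <enctype>" lines all share one vno.
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { sub(/,$/, "", $3); print $3 + 0; exit }'
}

# Compare keytab kvno ($1) with KDC kvno ($2). A keytab behind the KDC is
# the usual cause of the "incorrect key version" error, e.g. after ktadd
# generated fresh keys and bumped the kvno.
kvno_status() {
    if [ "$1" -eq 0 ]; then echo "principal-missing-from-keytab"
    elif [ "$1" -eq "$2" ]; then echo "match"
    elif [ "$1" -lt "$2" ]; then echo "keytab-stale"
    else echo "kdc-behind-keytab"
    fi
}

# Constructed sample output (not real output captured in the thread).
SAMPLE_KLIST='Keytab name: FILE:/var/kerberos/krb5kdc/fdirsrv.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   2 01/15/08 13:00:00 ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG
   3 01/17/08 18:40:11 ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG'
SAMPLE_GETPRINC='Principal: ldap/trixter.hymesruzicka.org@HYMESRUZICKA.ORG
Key: vno 4, aes256-cts-hmac-sha1-96, no salt
Key: vno 4, des-cbc-crc, no salt'

# Stand-alone run over the samples: keytab has kvno 3, KDC has 4.
kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$PRINC")
kdc=$(printf '%s\n' "$SAMPLE_GETPRINC" | kdc_kvno)
echo "keytab kvno=$kt kdc kvno=$kdc status=$(kvno_status "$kt" "$kdc")"
```

On a live system, feed `klist -kt "$(effective_keytab ...)"` and `kadmin -q "getprinc $PRINC"` into the two parsers instead of the samples; a `keytab-stale` result means the keytab must be regenerated (and any client holding a service ticket issued under the old key needs a fresh ticket cache before the check will pass end to end).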

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Douglas E. Engert
Sent: Thursday, January 17, 2008 2:43 PM
To: Charles Hymes
Cc: kerberos at mit.edu
Subject: Re: Kerberos - GSSAPI config problem: No such file or directory



Charles Hymes wrote:
> Hi folks,
> I'm having a real hard time debugging this, and at the moment I think 
> it's a Kerberos config problem, and not really LDAP.
> I'm trying to do a new ldap+MIT kerberos install, on a new Fedora 7 
> box. I can kinit, but I can't get ldapsearch or ldapwhoami to work 
> locally. I thought it was a read problem with the keytab files, but I 
> tried setting KRB5_KTNAME to a keytab file I knew were readable by 
> slapd, and that did not help. I also checked permissions on my
> certificates, and that seems OK too.
> ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.
> 
> I tried running strace on ldapwhoami, slapd and krb5kdc, but strace 
> does not show which resource is not accessible, or even any attempts 
> to open the keytabs or anything in /etc/openldap/cacerts. I'm 
> surprised that the strace on krb5kdc never shows any response to my ldap
> queries.
> 
> I tried briefly making /etc/krb5.keytab world readable, it did 
> not change the "No such file" error.
> The logs I check are /var/log/messages, slapd and krb5kdc.log. The 
> logs do not show the ldap client error. I DID see some SELINUX errors 
> for krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed 
> those. This did not stop the error. I guess I'll try turning SELINUX 
> off, and see if that makes any difference.
> 
> Any help would be greatly appreciated :)
> 
> *******************************************
> *******************************************

Don't know what RedHat does, but if you think this is a client side error,
is it a problem of ldap not finding sasl or sasl2 libs?
SASL_PATH=.../lib/sasl2 and/or LD_LIBRARY_PATH=.../sasl/lib environment
variables.


And you have a ldap/trixter.hymesruzicka.org at HYMESRUZICKA.ORG defined in the
KDC and in the keytab?

I am not sure what they do in Redhat, but is there a /etc/default/slapd and
what is in it?

And your slapd.conf: security, allow, disallow, sasl-regexp statements will
allow sasl and gss?

Have you tried setting the loglevel on the slapd.conf?


> 
> [installer at trixter ~]$ ldapwhoami -V -Y GSSAPI
> ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
> kojibuilder at xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openld
> ap-2.3 .34/openldap-2.3.34/build-clients/clients/tools
> (LDAP library: OpenLDAP 20333)
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49) additional 
> info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS 
> failure. Minor code may provide more information (No such file or 
> directory)
> 
> *******************************************
> *******************************************
> 
> [installer at trixter ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: installer at HYMESRUZICKA.ORG
> 
> Valid starting Expires Service principal
> 01/15/08 13:11:43 01/16/08 13:11:43 
> krbtgt/HYMESRUZICKA.ORG at HYMESRUZICKA.ORG
> 01/15/08 13:12:35 01/16/08 13:11:43
> ldap/trixter.hymesruzicka.org at HYMESRUZICKA.ORG
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> 
> *******************************************
> *******************************************
> 
> [root at trixter ~]# find / -iname "*keytab*" -ls
> 49547109    8 -rw-r--r--   1 root     root          712 Jan 15 13:00
> /etc/krb5.keytab
> 49610949    8 -rw-r--r--   1 fdirsvr  fdirsvr       712 Jan 15 13:00
> /etc/dirsrv/slapd-trixter/dirsrv.keytab
> 22746332    8 -rw-------   1 root     root          454 Jan 13 10:26
> /var/kerberos/krb5kdc/kadm5.keytab
> 
> *******************************************
> *******************************************
> [root at trixter ~]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = HYMESRUZICKA.ORG
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
> 
> [realms]
>   HYMESRUZICKA.ORG = {
>   kdc = kerberos.hymesruzicka.org:88
>   admin_server = trixter.hymesruzicka.org:749
>   default_domain = hymesruzicka.org
>   dict_file = /usr/share/dict/words
>  }
> 
> [domain_realm]
>  .hymesruzicka.org = HYMESRUZICKA.ORG
>  hymesruzicka.org = HYMESRUZICKA.ORG
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> 
> *******************************************
> *******************************************
> 
> [installer at trixter ~]$ cat /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
> # This file should be world readable but not world writable.
> BASE dc=hymesruzicka,dc=org
> URI ldap://trixter.hymesruzicka.org:11562
> ldaps://trixter.hymesruzicka.org:636
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow
> #SIZELIMIT 12
> TIMELIMIT 5
> #DEREF never
> *******************************************
> *******************************************
> 
> BTW: Here's the command with debug on:
> [installer at trixter ~]$ ldapwhoami -V -d 1 -Y GSSAPI
> ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
> kojibuilder at xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openld
> ap-2.3 .34/openldap-2.3.34/build-clients/clients/tools
> (LDAP library: OpenLDAP 20333)
> ldap_create
> ldap_sasl_interactive_bind_s: user selected: GSSAPI
> ldap_int_sasl_bind: GSSAPI
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP trixter.hymesruzicka.org:11562
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 192.168.0.3:11562
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_int_sasl_open: host=trixter.hymesruzicka.org SASL/GSSAPI 
> authentication started ldap_sasl_bind_s ldap_sasl_bind 
> ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) 
> ber:
> ber_scanf fmt ({i) ber:
> ber_flush: 589 bytes to sd 3
> ldap_result ld 0x8d82038 msgid 1
> ldap_chkResponseList ld 0x8d82038 msgid 1 all 1 ldap_chkResponseList 
> returns ld 0x8d82038 NULL wait4msg ld 0x8d82038 msgid 1 (infinite 
> timeout) wait4msg continue ld 0x8d82038 msgid 1 all 1
> ** ld 0x8d82038 Connections:
> * host: trixter.hymesruzicka.org port: 11562 (default)
> refcnt: 2 status: Connected
> last used: Wed Jan 16 10:11:11 2008
> 
> ** ld 0x8d82038 Outstanding Requests:
> * msgid 1, origid 1, status InProgress outstanding referrals 0, parent 
> count 0
> ** ld 0x8d82038 Response Queue:
> Empty
> ldap_chkResponseList ld 0x8d82038 msgid 1 all 1 ldap_chkResponseList 
> returns ld 0x8d82038 NULL ldap_int_select
> read1msg: ld 0x8d82038 msgid 1 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 148 contents:
> read1msg: ld 0x8d82038 msgid 1 message type bind ber_scanf fmt ({eaa) 
> ber:
> read1msg: ld 0x8d82038 0 new referrals
> read1msg: mark request completed, ld 0x8d82038 msgid 1 request done: 
> ld 0x8d82038 msgid 1
> res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 
> 1, msgid 1) ldap_free_connection 0 1
> ldap_free_connection: refcnt 1
> ldap_parse_sasl_bind_result
> ber_scanf fmt ({eaa) ber:
> ldap_msgfree
> ldap_perror
> ldap_sasl_interactive_bind_s: Invalid credentials (49) additional 
> info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS 
> failure. Minor code may provide more information (No such file or 
> directory)
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444