Kerberos - GSSAPI config problem: No such file or directory
Listbox
listbox at hymerfania.com
Thu Jan 17 18:51:36 EST 2008
Thanks so much guys!
THAT problem was an LDAP problem, not a Kerberos problem. In the latest
version of the Fedora slapd, it runs a script
"/etc/sysconfig/dirsrv" to get any environment variables. In that script I
found:
"KRB5_KTNAME=/var/kerberos/krb5kdc/fdirsrv.keytab ; export KRB5_KTNAME"
Unfortunately, I was trying to put
"export KRB5_KTNAME=/etc/dirsrv/slapd-trixter/fdirsrv.keytab"
in my slapd startup script, but that value was overwritten by the time
slapd was running.
For whatever reason, Fedora slapd 1.1 does not log the file-not-found error
for the keytab file. I moved my keytab to the filename exported in in
/etc/sysconfig/dirsrv, and that problem was solved.
Now I'm trying to figure out why
"Key version number for principal in key table is incorrect"
Even after I remove the keys for my principle from my keytab file, then
re-add them....
Thanks again!
C
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Douglas E. Engert
Sent: Thursday, January 17, 2008 2:43 PM
To: Charles Hymes
Cc: kerberos at mit.edu
Subject: Re: Kerberos - GSSAPI config problem: No such file or directory
Charles Hymes wrote:
> Hi folks,
> I'm having a real hard time debugging this, and the moment I think
> it's a Kerberos config problem, and not really LDAP.
> I'm trying to do a new ldap+MIT kerberos install , on a new Fedora 7
> box. I can kinit, but I can't get ldapsearch or ldapwhoami to work
> locally. I thought it was a read problem with the keytab files, but I
> tried setting KRB5_KTNAME to a keytab file I knew ware readable by
> slapd, and that did not help. I also checked permissions on my
certificates, and that seems OK too.
> ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.
>
> I tried running strace on ldapwhoami, slapd and krb5kdc, but strace
> does not show which resource is not accessible, or even any attempts
> to open the keytabs or anything in /etc/openldap/cacerts. I'm
> surprised that the strace on krb5kdc never shows any responce to my ldap
queries.
>
> I tried making briefly making /etc/krb5.keytab world readable, it did
> not change the "No such file" error.
> The logs I check are /var/log/messages, slapd and krb5kdc.log. The
> logs do not show the ldap client error. I DID see some SELINUX errors
> for krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed
> those. This did not stop the error. I guess I'll try turning SELINUX
> off, and see if that makes any difference.
>
> Any help would be greatly appreciated :)
>
> *******************************************
> *******************************************
Don't know what RedHat does, but if you think this is a client side error,
is it a problem of ldap not finding sasl or sasl2 libs?
SASL_PATH=.../lib/sasl2 and/or LD_LIBRARY_PATH=.../sasl/lib environment
variables.
And you have a ldap/trixter.hymesruzicka.org at HYMESRUZICKA.ORG defined in the
KDC and in the keytab?
I am not sure what they do in Redhat, but is there a /etc/default/slapd and
what is in it?
And your slapd.conf: security, allow, disalow, sasl-regexp statements will
allow sasl and gss?
Have you tried setting the loglevel on the slapd.conf?
>
> [installer at trixter ~]$ ldapwhoami -V -Y GSSAPI
> ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
> kojibuilder at xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openld
> ap-2.3 .34/openldap-2.3.34/build-clients/clients/tools
> (LDAP library: OpenLDAP 20333)
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49) additional
> info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (No such file or
> directory)
>
> *******************************************
> *******************************************
>
> [installer at trixter ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: installer at HYMESRUZICKA.ORG
>
> Valid starting Expires Service principal
> 01/15/08 13:11:43 01/16/08 13:11:43
> krbtgt/HYMESRUZICKA.ORG at HYMESRUZICKA.ORG
> 01/15/08 13:12:35 01/16/08 13:11:43
> ldap/trixter.hymesruzicka.org at HYMESRUZICKA.ORG
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
>
> *******************************************
> *******************************************
>
> [root at trixter ~]# find / -iname "*keytab*" -ls
> 49547109 8 -rw-r--r-- 1 root root 712 Jan 15 13:00
> /etc/krb5.keytab
> 49610949 8 -rw-r--r-- 1 fdirsvr fdirsvr 712 Jan 15 13:00
> /etc/dirsrv/slapd-trixter/dirsrv.keytab
> 22746332 8 -rw------- 1 root root 454 Jan 13 10:26
> /var/kerberos/krb5kdc/kadm5.keytab
>
> *******************************************
> *******************************************
> [root at trixter ~]# cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = HYMESRUZICKA.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> HYMESRUZICKA.ORG = {
> kdc = kerberos.hymesruzicka.org:88
> admin_server = trixter.hymesruzicka.org:749
> default_domain = hymesruzicka.org
> dict_file = /usr/share/dict/words
> }
>
> [domain_realm]
> .hymesruzicka.org = HYMESRUZICKA.ORG
> hymesruzicka.org = HYMESRUZICKA.ORG
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>
> *******************************************
> *******************************************
>
> [installer at trixter ~]$ cat /etc/openldap/ldap.conf # # LDAP Defaults #
> # This file should be world readable but not world writable.
> BASE dc=hymesruzicka,dc=org
> URI ldap://trixter.hymesruzicka.org:11562
> ldaps://trixter.hymesruzicka.org:636
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow
> #SIZELIMIT 12
> TIMELIMIT 5
> #DEREF never
> *******************************************
> *******************************************
>
> BTW: Here's the command with debug on:
> [installer at trixter ~]$ ldapwhoami -V -d 1 -Y GSSAPI
> ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
> kojibuilder at xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openld
> ap-2.3 .34/openldap-2.3.34/build-clients/clients/tools
> (LDAP library: OpenLDAP 20333)
> ldap_create
> ldap_sasl_interactive_bind_s: user selected: GSSAPI
> ldap_int_sasl_bind: GSSAPI
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP trixter.hymesruzicka.org:11562
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 192.168.0.3:11562
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_int_sasl_open: host=trixter.hymesruzicka.org SASL/GSSAPI
> authentication started ldap_sasl_bind_s ldap_sasl_bind
> ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it)
> ber:
> ber_scanf fmt ({i) ber:
> ber_flush: 589 bytes to sd 3
> ldap_result ld 0x8d82038 msgid 1
> ldap_chkResponseList ld 0x8d82038 msgid 1 all 1 ldap_chkResponseList
> returns ld 0x8d82038 NULL wait4msg ld 0x8d82038 msgid 1 (infinite
> timeout) wait4msg continue ld 0x8d82038 msgid 1 all 1
> ** ld 0x8d82038 Connections:
> * host: trixter.hymesruzicka.org port: 11562 (default)
> refcnt: 2 status: Connected
> last used: Wed Jan 16 10:11:11 2008
>
> ** ld 0x8d82038 Outstanding Requests:
> * msgid 1, origid 1, status InProgress outstanding referrals 0, parent
> count 0
> ** ld 0x8d82038 Response Queue:
> Empty
> ldap_chkResponseList ld 0x8d82038 msgid 1 all 1 ldap_chkResponseList
> returns ld 0x8d82038 NULL ldap_int_select
> read1msg: ld 0x8d82038 msgid 1 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 148 contents:
> read1msg: ld 0x8d82038 msgid 1 message type bind ber_scanf fmt ({eaa)
> ber:
> read1msg: ld 0x8d82038 0 new referrals
> read1msg: mark request completed, ld 0x8d82038 msgid 1 request done:
> ld 0x8d82038 msgid 1
> res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid
> 1, msgid 1) ldap_free_connection 0 1
> ldap_free_connection: refcnt 1
> ldap_parse_sasl_bind_result
> ber_scanf fmt ({eaa) ber:
> ldap_msgfree
> ldap_perror
> ldap_sasl_interactive_bind_s: Invalid credentials (49) additional
> info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (No such file or
> directory) ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list