SASL authentication

Xu, Qiang (FXSGSC) Qiang.Xu at
Wed Mar 18 02:18:44 EDT 2009

> -----Original Message-----
> From: kerberos-bounces at 
> [mailto:kerberos-bounces at] On Behalf Of Michael Ströder
> Sent: Tuesday, March 17, 2009 8:20 PM
> To: kerberos at
> Subject: Re: SASL authentication
> First try to do a kinit with providing the password. After 
> that you could try using keytab files (on your LDAP client) 
> if needed in your setup.

The tutorial at said my SASL LDAP binding error of "82 Local error" may be due to the lack of a service principal:
ldap_sasl_interactive_bind_s: Local error 
       ldap/hostname service principal not set up 
       or your Kerberos ticket is expired 
I am a little bit confused about it. Does it mean either the ticket is absent or the ticket has expired? Is "ldap/hostname service principal" and "kerberos ticket" here the same thing?

After kinit returns successfully, I can see there is a ticket in krb cache:
MBC113:/ <515> /tmp/dlms/kerberos/apps/klist -k 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: qxu at SESSWIN2003.COM
Valid starting     Expires            Service principal
03/17/09 17:36:50  03/18/09 03:37:35  krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
        renew until 03/18/09 17:36:50
Isn't this ticket the service principal needed? You can see the third column's caption is "Service principal". Is it the same as or different from the "ldap/hostname service principal" mentioned in the above? 

Suppose they are different, and as you told me, the keytab file (which contains the service principal of ldap/hostname) is used by LDAP client. But where should the keytab file be generated? Should the keytab file be created in Kerberos server or LDAP server? Could you teach me how to create this keytab file, as detailed as possible? 

Xu Qiang
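The two principals the question asks about can be told apart directly in the ticket cache. The script below is an added example and not part of the thread: it parses MIT-style `klist` output and reports whether the cache holds the TGT (`krbtgt/REALM@REALM`, which is what `kinit` obtains) and whether it also holds a service ticket for `ldap/hostname@REALM` (which the client requests from the KDC on its own during the SASL/GSSAPI bind). The sample listing is constructed from the one in the post, the LDAP host name `ldapserver.sesswin2003.com` is an assumed placeholder, and `kvno` is the MIT Kerberos utility that requests a service ticket by hand.

```shell
#!/bin/sh
# Added example, not from the original thread. Distinguishes a TGT from an
# LDAP service ticket in klist output. SAMPLE_KLIST is constructed after the
# listing in the post (mail-archive "at" rewritten back to "@"); the LDAP
# host "ldapserver.sesswin2003.com" is an assumed placeholder.

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: qxu@SESSWIN2003.COM
Valid starting     Expires            Service principal
03/17/09 17:36:50  03/18/09 03:37:35  krbtgt/SESSWIN2003.COM@SESSWIN2003.COM
        renew until 03/18/09 17:36:50'

# has_ticket KLIST_OUTPUT SERVICE_PRINCIPAL
# Succeeds (exit 0) when some ticket line names SERVICE_PRINCIPAL in the
# "Service principal" column; fails (exit 1) otherwise.
has_ticket() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # Ticket lines begin with a date; fields are
        # date time date time principal, so the principal is field 5.
        $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ && $5 == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# diagnose KLIST_OUTPUT REALM LDAP_HOST
# Exit 0: TGT and LDAP service ticket both present.
# Exit 1: no TGT at all (kinit has not been run or its ticket expired).
# Exit 2: TGT present but no ldap/LDAP_HOST ticket yet.
diagnose() {
    out=$1; realm=$2; host=$3
    tgt="krbtgt/$realm@$realm"
    svc="ldap/$host@$realm"
    if has_ticket "$out" "$tgt"; then
        echo "TGT present: $tgt (this is what kinit obtains)"
    else
        echo "No TGT in cache: run kinit first"
        return 1
    fi
    if has_ticket "$out" "$svc"; then
        echo "Service ticket present: $svc"
        return 0
    fi
    echo "No service ticket for $svc yet."
    echo "The client requests it automatically during the SASL/GSSAPI bind;"
    echo "to exercise that step by hand: kvno $svc"
    return 2
}

# Run against the constructed sample; expected: TGT found, LDAP ticket absent.
diagnose "$SAMPLE_KLIST" SESSWIN2003.COM ldapserver.sesswin2003.com \
    || echo "diagnose exit status: $?"
```

On the sample from the post the script reports the TGT and exit status 2: the cache holds only `krbtgt/SESSWIN2003.COM@SESSWIN2003.COM`, not an `ldap/...` ticket, which is the expected state right after `kinit`. The key for `ldap/hostname` lives in the keytab on the LDAP server, not on the client; a client that authenticates as a user principal needs only a valid TGT, and a failed bind with a valid TGT points at the server side (missing or wrong `ldap/hostname` key, or a host name that does not match the principal).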
