SASL authentication

Markus Moeller huaraz at
Mon Mar 23 19:25:44 EDT 2009

Can you get a network capture with wireshark on your 2003 server of all 
traffic from your client when you do the following

On the client:
kinit qxu at SESSWIN2003.COM
ldapsearch -Y GSSAPI -H 'ldap://' -b 
'dc=sesswin2003,dc=com' -s sub -LLL '(cn=qxu)' mail

Make sure that resolves to the correct ip or is 
in your hosts file.


"Xu, Qiang (FXSGSC)" <Qiang.Xu at> wrote in message 
news:mailman.142.1237787839.14058.kerberos at
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert at]
>> Sent: Saturday, March 21, 2009 3:05 AM
>> To: Xu, Qiang (FXSGSC)
>> Cc: Michael Ströder; kerberos at
>> Subject: Re: SASL authentication
>> You need to use the FQDN of the server, not the IP number.
>> GSSAPI/Kerberos use the FQDN to derive the principal name.
> As you suggested, I use the following expressions:
> ==========================================
> qxu at durian(pts/3):/etc[19]$ ldapsearch -Y GSSAPI -H 
> 'ldap://' -b 'dc=sesswin2003,dc=com' -s 
> sub -LLL 'cn=qxu' mail
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> ==========================================
> The domain name is "", the host name is "sesswin2003". Thus 
> the FQDN in the expression is "". But the 
> result seems worse.
> Did I miss anything?
> Thank you, Doug!
> Xu Qiang

More information about the Kerberos mailing list