Error configuring Kerberos and OpenDS

Tiago Elvas tiagoelvas at gmail.com
Tue Feb 21 05:23:04 EST 2012


Thanks for your answer, Tom.

I added that principal and changed all principals and entries in the
keytabs to have the fqn as in hostname.domain.com.

Authenticating as principal kerberos-test/admin at MYDOMAIN.COM with password.
kadmin.local:  getprincs
K/M at MYDOMAIN.COM
host/ldapserver.mydomain.com at MYDOMAIN.COM
kadmin/admin at MYDOMAIN.COM
kadmin/changepw at MYDOMAIN.COM
kadmin/ldapserver.mydomain.com at MYDOMAIN.COM
kerberos-test at MYDOMAIN.COM
krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
ldap/ldapserver.mydomain.com at MYDOMAIN.COM
root/admin at MYDOMAIN.COM


I now have this error:

# ldapsearch -h ldapserver.mydomain.com -p 389 -o mech=GSSAPI -o authid="kerberos-test at MYDOMAIN.COM" -b "dc=example,dc=com" -s base "(objectClass=*)"
Password for user 'kerberos-test at MYDOMAIN.COM':
An error occurred while attempting to perform GSSAPI authentication to the
Directory Server: PrivilegedActionException(null:-2)
Result Code:  82 (Local Error)

And in /var/log/krb5kdc.log:
Feb 20 20:01:09 ldapserver krb5kdc[15295](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: ISSUE: authtime 1329764469, etypes {rep=23 tkt=18 ses=23}, kerberos-test at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
Feb 20 20:01:10 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: NO PREAUTH: authtime 0,  kerberos-test at MYDOMAIN.COM for ldap/ldapserver.mydomain.com at MYDOMAIN.COM, Generic error (see e-text)


Still no clue on this...

Thanks again,
Tiago

On Mon, Feb 20, 2012 at 7:50 PM, Tom Yu <tlyu at mit.edu> wrote:

> Tiago Elvas <tiagoelvas at gmail.com> writes:
>
> > And this is the log in /var/log/krb5kdc.log:
> > Feb 20 19:26:13 ldapserver krb5kdc[15295](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: ISSUE: authtime 1329762373, etypes {rep=23 tkt=18 ses=23}, kerberos-test at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
> > Feb 20 19:26:13 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: UNKNOWN_SERVER: authtime 0,  kerberos-test@MYDOMAIN.COM for ldap/ldapserver.mydomain.com at MYDOMAIN.COM, Server not found in Kerberos database
>
> You do not appear to have created a service principal
> ldap/ldapserver.mydomain.com at MYDOMAIN.COM
>

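As an added example (not code from the thread or from MIT Kerberos), a small Python triage script for krb5kdc.log lines in the format quoted above: it parses each AS_REQ/TGS_REQ line, groups every non-ISSUE result by the service principal it was for, and flags issued tickets whose session key enctype is single DES or RC4 (the AS_REQ above was answered with ses=23, RC4-HMAC, because the client offered etypes 3 and 1 and 23 alongside AES). The sample lines are constructed from the thread with the archive's " at " restored to "@".

```python
import re
from typing import Optional

# Constructed sample in the /var/log/krb5kdc.log format quoted in the thread:
# wrapped lines rejoined and the list archive's " at " restored to "@".
SAMPLE_LOG = """\
Feb 20 20:01:09 ldapserver krb5kdc[15295](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: ISSUE: authtime 1329764469, etypes {rep=23 tkt=18 ses=23}, kerberos-test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Feb 20 20:01:10 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: NO PREAUTH: authtime 0,  kerberos-test@MYDOMAIN.COM for ldap/ldapserver.mydomain.com@MYDOMAIN.COM, Generic error (see e-text)
Feb 20 19:26:13 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: UNKNOWN_SERVER: authtime 0,  kerberos-test@MYDOMAIN.COM for ldap/ldapserver.mydomain.com@MYDOMAIN.COM, Server not found in Kerberos database
"""

# Enctype numbers (IANA Kerberos registry) that should no longer protect a
# session key: single DES and RC4-HMAC.
WEAK_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_ ]+): authtime (?P<authtime>\d+), +"
    r"(?:etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, +)?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<msg>.*))?$"
)

def parse_kdc_line(line: str) -> Optional[dict]:
    """Split one KDC request line into its fields; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(e) for e in rec["offered"].split()]  # client's etype list
    for k in ("rep", "tkt", "ses"):  # only present on ISSUE lines
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec

def triage(log_text: str) -> dict:
    """Group failed requests by service principal and flag weak session keys."""
    failures, weak = {}, []
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        if rec["status"] != "ISSUE":
            failures.setdefault(rec["server"], []).append(
                (rec["req"], rec["client"], rec["status"], rec["msg"]))
        elif rec["ses"] in WEAK_ETYPES:
            weak.append((rec["client"], rec["server"], WEAK_ETYPES[rec["ses"]]))
    return {"failures": failures, "weak_session_keys": weak}
```

Running `triage` over a real KDC log shows at a glance which service principal keeps failing (here ldap/ldapserver.mydomain.com) and which clients still negotiate DES or RC4 session keys.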