Questions on openldap and kerberos....

John Tobin jtobin at po-box.esu.edu
Mon Jan 7 10:23:57 EST 2013


As a rookie, I hadn't considered that... this is an absolutely excellent
suggestion. See below; it didn't change anything.
I was running as root... Do I need to create a principal for the id 'root',
or can I use the base id [in this case jctobin] as a ticket for root?

tob

kerberos1:/etc/init.d # kadmin.local
Authenticating as principal root/admin at DARK1.NET with password.
kadmin.local:  listprincs
K/M at DARK1.NET
host/holynight.dark1.net at DARK1.NET
host/kerberos1.dark1.net at DARK1.NET
jctobin at DARK1.NET
kadmin/admin at DARK1.NET
kadmin/changepw at DARK1.NET
kadmin/localhost at DARK1.NET
krbtgt/DARK1.NET at DARK1.NET
ldap/kerberos1.dark1.net at DARK1.NET
nibot/admin at DARK1.NET
nibot at DARK1.NET
kadmin.local:  exit
kerberos1:/etc/init.d # man kinit
kerberos1:/etc/init.d # kinit jctobin at DARK1.NET
Password for jctobin at DARK1.NET:
kerberos1:/etc/init.d # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jctobin at DARK1.NET

Valid starting     Expires            Service principal
01/07/13 09:37:21  01/07/13 19:37:21  krbtgt/DARK1.NET at DARK1.NET
        renew until 01/07/13 09:37:21
kerberos1:/etc/init.d # ldapsearch -h kerberos1.dark1.net -b 'dc=dark1,dc=net' '(uid=jtobin)'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Clock
skew too great)
kerberos1:/etc/init.d #
On 1/5/13 1:55 AM, "Greg Hudson" <ghudson at MIT.EDU> wrote:

> On 01/04/2013 04:31 PM, John Tobin wrote:
>> kerberos1:~ # ldapsearch -h kerberos1.dark1.net -b 'dc=dark1,dc=net'
>> '(uid=jtobin)' 
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>>         additional info: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information
>> (Credentials cache file '/tmp/krb5cc_0' not found)
> 
> I feel like I might be missing something, but it looks like you don't
> have Kerberos credentials to authenticate with, in which case you need
> to kinit first.
> 
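The two failures quoted in this thread (no credentials cache, then clock skew) are the two most common GSSAPI bind errors an LDAP admin triages. The script below is an added example, not code from the thread, from MIT krb5 or from OpenLDAP: it parses ldapsearch's GSSAPI failure text to pull out the minor code, parses klist output to check whether the cache actually holds a TGT that is valid at a given time, and checks two clocks against the 300-second skew that krb5 permits by default. The sample outputs are constructed copies of what this thread shows (with the list archive's "at" obfuscation turned back into "@"), and the hint table is this example's own mapping of minor-code phrases to fixes.

```python
"""Triage helpers for GSSAPI bind failures reported by ldapsearch.

Added example (not from the thread, MIT krb5 or OpenLDAP). Samples below are
constructed copies of klist/ldapsearch output; HINTS is this example's own table.
"""
import re
from datetime import datetime, timedelta

# Minor-code phrase -> (short code, what the operator should do next).
# Matched case-insensitively as a substring of the minor-code text.
HINTS = {
    "credentials cache file": (
        "no_ccache",
        "No ticket cache for this uid: run kinit as the same user that runs ldapsearch",
    ),
    "clock skew too great": (
        "clock_skew",
        "Client and KDC clocks differ by more than the permitted skew: fix time sync (NTP)",
    ),
    "ticket expired": ("expired", "The TGT has expired: kinit again"),
}

TIME_FMT = "%m/%d/%y %H:%M:%S"   # klist's short date format as seen in the thread
TICKET_RE = re.compile(
    r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)"
)


def classify_gssapi_error(ldap_output):
    """Return (code, hint) for the GSSAPI minor code in an ldapsearch failure."""
    flat = " ".join(ldap_output.split())          # undo terminal/mail line wrapping
    m = re.search(r"\(([^()]*)\)\s*$", flat)      # minor code is the last (...) group
    minor = m.group(1) if m else flat
    for needle, (code, hint) in HINTS.items():
        if needle in minor.lower():
            return code, hint
    return "unknown", "Unrecognised minor code: " + minor


def parse_klist(klist_output):
    """Extract the default principal and the (start, expires, service) tickets."""
    principal = None
    tickets = []
    for line in klist_output.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        m = TICKET_RE.search(line)                # 'renew until' lines have one timestamp, so they are skipped
        if m:
            tickets.append({
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "service": m.group(3),
            })
    return principal, tickets


def tgt_usable(klist_output, now_str):
    """True if the cache holds a krbtgt for the default principal's realm valid at now_str."""
    now = datetime.strptime(now_str, TIME_FMT)
    principal, tickets = parse_klist(klist_output)
    if not principal or "@" not in principal:
        return False
    realm = principal.rsplit("@", 1)[1]
    wanted = "krbtgt/%s@%s" % (realm, realm)
    return any(t["service"] == wanted and t["start"] <= now < t["expires"] for t in tickets)


def skew_ok(client_str, kdc_str, max_skew_seconds=300):
    """Whether client and KDC clocks are within krb5's default 300-second clockskew."""
    delta = datetime.strptime(client_str, TIME_FMT) - datetime.strptime(kdc_str, TIME_FMT)
    return abs(delta) <= timedelta(seconds=max_skew_seconds)


# Constructed samples copied in shape from the thread's terminal output.
KLIST_SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jctobin@DARK1.NET

Valid starting     Expires            Service principal
01/07/13 09:37:21  01/07/13 19:37:21  krbtgt/DARK1.NET@DARK1.NET
        renew until 01/07/13 09:37:21
"""

ERR_NO_CACHE = """SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_0' not found)
"""

ERR_SKEW = """SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Clock
skew too great)
"""

if __name__ == "__main__":
    for err in (ERR_NO_CACHE, ERR_SKEW):
        print(classify_gssapi_error(err))
    print("TGT usable at 10:00:", tgt_usable(KLIST_SAMPLE, "01/07/13 10:00:00"))
```

Reading the two results together is the point: once klist shows a valid krbtgt for the default principal, a further "Clock skew too great" failure is no longer a credentials problem but a time-sync problem between this host and the KDC, which is what the second transcript in the thread shows.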