Questions on openldap and kerberos....
Roland C. Dowdeswell
elric at imrryr.org
Mon Jan 7 10:39:14 EST 2013
On Mon, Jan 07, 2013 at 10:23:57AM -0500, John Tobin wrote:
>
> As a rookie, I hadn't considered...this is an absolutely excellent
> suggestion. See below, it didn't change anything.
> I was running as root... Do I need to create a principal for the id 'root',
> or can I use the base id [in this case jctobin] as a ticket for root?
You can use the base id. In fact, normally one doesn't create a root
principal for various reasons.
> kerberos1:/etc/init.d # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: jctobin at DARK1.NET
>
> Valid starting       Expires              Service principal
> 01/07/13 09:37:21    01/07/13 19:37:21    krbtgt/DARK1.NET at DARK1.NET
>         renew until 01/07/13 09:37:21
> kerberos1:/etc/init.d # ldapsearch -h kerberos1.dark1.net -b 'dc=dark1,dc=net' '(uid=jtobin)'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information (Clock
> skew too great)
In this example, you have tickets but you have received a different
error, ``Clock skew too great''. This means that your clocks are
not in sync. Kerberos uses the current time of day as a piece of
common knowledge between the client and the server to eliminate a
network round trip. And so for Kerberos to work, your various
computers need to have the same [approximate] time.
--
Roland Dowdeswell http://Imrryr.ORG/~elric/
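As an added illustration of the clock-skew check Roland describes (this is example code written for this page, not anything from the thread or from the krb5 or OpenLDAP code bases), the block below reproduces the two time comparisons that matter here: the server-side check of an authenticator's timestamp against the server's own clock, using krb5's default libdefaults clockskew of 300 seconds, and a check of the klist "Valid starting"/"Expires" window against the client's local clock. All timestamps in it are constructed to match the ones in the quoted klist output; the function names and the 10-minute skew scenario are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# krb5's [libdefaults] clockskew default: 300 seconds. A request whose
# authenticator timestamp differs from the server clock by more than this
# is rejected with KRB_AP_ERR_SKEW, which GSSAPI surfaces as
# "Clock skew too great".
DEFAULT_CLOCKSKEW = 300


def parse_kerberos_time(s):
    """Parse a KerberosTime (ASN.1 GeneralizedTime, always UTC),
    e.g. '20130107143721Z'."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_klist_time(s):
    """Parse a timestamp as printed by klist's default output,
    e.g. '01/07/13 09:37:21' (local time, no zone information)."""
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")


def clock_skew_seconds(a, b):
    """Absolute difference between two clocks, in seconds."""
    return abs((a - b).total_seconds())


def check_authenticator(ctime, server_now, max_skew=DEFAULT_CLOCKSKEW):
    """What the server side does with the authenticator's ctime: accept it
    only if |ctime - server clock| is within the configured clockskew.
    Returns (accepted, skew_in_seconds)."""
    skew = clock_skew_seconds(parse_kerberos_time(ctime), server_now)
    return (skew <= max_skew, skew)


def ticket_status(valid_starting, expires, client_now):
    """Classify a ticket from klist's 'Valid starting' and 'Expires'
    columns against the client's local clock."""
    start = parse_klist_time(valid_starting)
    end = parse_klist_time(expires)
    if client_now < start:
        return "not yet valid"
    if client_now >= end:
        return "expired"
    return "valid"


def diagnose(ctime, server_now, valid_starting, expires, client_now):
    """Combine both checks into the kind of one-line verdict a practitioner
    wants when ldapsearch -Y GSSAPI fails with a skew error."""
    status = ticket_status(valid_starting, expires, client_now)
    accepted, skew = check_authenticator(ctime, server_now)
    if status != "valid":
        return f"ticket {status}: run kinit again"
    if not accepted:
        return (f"ticket valid but clock skew {skew:.0f}s exceeds "
                f"{DEFAULT_CLOCKSKEW}s: synchronise clocks (NTP) on client and KDC")
    return f"ticket valid, clock skew {skew:.0f}s: Kerberos is not the problem"


if __name__ == "__main__":
    # Constructed scenario: the client (EST, UTC-5) thinks it is 09:37:21
    # local time, i.e. 14:37:21Z, and puts that in its authenticator; the
    # server's clock is 10 minutes ahead of that.
    ctime = "20130107143721Z"
    server_now = parse_kerberos_time("20130107144721Z")
    client_now = parse_klist_time("01/07/13 09:40:00")
    print(diagnose(ctime, server_now, "01/07/13 09:37:21",
                   "01/07/13 19:37:21", client_now))
    # Same client, server clock 2 minutes off: within the 300s window.
    print(diagnose(ctime, parse_kerberos_time("20130107143921Z"),
                   "01/07/13 09:37:21", "01/07/13 19:37:21", client_now))
```

The check is symmetric (the absolute difference is used), so it does not matter which side is ahead; and because it is the server's clock the authenticator is compared against, fixing the time on the client alone is not enough if the KDC or the LDAP server is the one that has drifted.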