Questions on openldap and kerberos....

Roland C. Dowdeswell elric at imrryr.org
Mon Jan 7 10:39:14 EST 2013


On Mon, Jan 07, 2013 at 10:23:57AM -0500, John Tobin wrote:
>

> As a rookie, I hadn't considered...this is an absolutely excellent
> suggestion. See below, it didn't change anything.
> I was running as root... Do I need to create a principal for the id 'root',
> or can I use the base id [in this case jctobin] as a ticket for root?

You can use the base id.  In fact, normally one doesn't create a root
principal for various reasons.

> kerberos1:/etc/init.d # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: jctobin at DARK1.NET
> 
> Valid starting     Expires            Service principal
> 01/07/13 09:37:21  01/07/13 19:37:21  krbtgt/DARK1.NET at DARK1.NET
>         renew until 01/07/13 09:37:21
> kerberos1:/etc/init.d # ldapsearch -h kerberos1.dark1.net -b
> 'dc=dark1,dc=net' '(uid=jtobin)'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information (Clock
> skew too great)

In this example, you have tickets but you have received a different
error, "Clock skew too great".  This means that your clocks are
not in sync.  Kerberos uses the current time of day as a piece of
common knowledge between the client and the server to eliminate a
network round trip.  And so for Kerberos to work, your various
computers need to have the same [approximate] time.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
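The following is an added example, not code from the original thread or from MIT Kerberos, illustrating the point above: the server checks the timestamp in the client's authenticator against its own clock, so the two machines must agree to within a configured tolerance, and that shared knowledge of the time is what lets the server judge freshness without first sending the client a nonce. It assumes a 300-second tolerance (MIT krb5's default `clockskew`) and uses a simplified replay cache keyed on (principal, authenticator timestamp); the base timestamp and principal are taken from the quoted `klist` output.

```python
"""Toy model of the Kerberos AP-REQ authenticator timestamp check.

Added example; not code from the original thread or from MIT Kerberos.
Assumptions: a 300-second tolerance (MIT krb5's default `clockskew`) and a
replay cache keyed on (principal, authenticator timestamp), which stands
in for the real replay cache.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_CLOCKSKEW = timedelta(seconds=300)  # MIT krb5 default: 5 minutes

# Constructed base time, taken from the klist output quoted in the thread.
BASE_TIME = datetime(2013, 1, 7, 9, 37, 21, tzinfo=timezone.utc)


def at(seconds):
    """Constructed timestamp: BASE_TIME shifted by `seconds`."""
    return BASE_TIME + timedelta(seconds=seconds)


class AuthenticatorVerifier:
    """Server-side check of the timestamp carried in an authenticator."""

    def __init__(self, clockskew=DEFAULT_CLOCKSKEW):
        self.clockskew = clockskew
        self._seen = {}  # (principal, client_time) -> server_time first seen

    def verify(self, principal, client_time, server_time):
        """Return a status named after the KRB_AP_ERR_* code it models.

        client_time: timestamp the client put in the authenticator
        server_time: the server's own clock when the request arrived
        """
        # Freshness: reject if the two clocks disagree by more than the
        # tolerance in either direction. This is the "Clock skew too great"
        # condition seen in the quoted ldapsearch output.
        if abs(server_time - client_time) > self.clockskew:
            return "KRB_AP_ERR_SKEW"
        # Replay protection only needs to remember the skew window: any
        # authenticator older than that is already rejected above.
        key = (principal, client_time)
        if key in self._seen:
            return "KRB_AP_ERR_REPEAT"
        self._seen[key] = server_time
        self._prune(server_time)
        return "OK"

    def _prune(self, server_time):
        """Drop cache entries that can no longer pass the skew check."""
        cutoff = server_time - self.clockskew
        for key in [k for k in self._seen if k[1] < cutoff]:
            del self._seen[key]


def skew_report(client_time, server_time, clockskew=DEFAULT_CLOCKSKEW):
    """Admin-facing diagnosis of a clock offset: is a skew error plausible?"""
    offset = server_time - client_time
    secs = int(offset.total_seconds())
    if secs > 0:
        direction = "ahead of"
    elif secs < 0:
        direction = "behind"
    else:
        direction = "in sync with"
    verdict = "within" if abs(offset) <= clockskew else "outside"
    return (f"server is {abs(secs)}s {direction} client; "
            f"tolerance {int(clockskew.total_seconds())}s; {verdict} tolerance")


if __name__ == "__main__":
    v = AuthenticatorVerifier()
    principal = "jctobin@DARK1.NET"  # principal from the quoted klist output
    print(v.verify(principal, at(0), at(0)))    # OK
    print(v.verify(principal, at(0), at(0)))    # KRB_AP_ERR_REPEAT
    print(v.verify(principal, at(0), at(600)))  # KRB_AP_ERR_SKEW
    print(skew_report(at(0), at(600)))
```

The replay cache is bounded by the same window as the skew check, which is why Kerberos can get away with a fixed-size cache instead of a per-request challenge: once an authenticator's timestamp falls outside the tolerance it is rejected on the clock alone, so the server never has to remember it again. In practice the fix for the quoted error is simply to synchronize both hosts' clocks (NTP or equivalent) rather than to widen the tolerance.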

