Questions on openldap and kerberos....

John Tobin jtobin at po-box.esu.edu
Mon Jan 7 11:41:42 EST 2013


Very sorry,

You are absolutely correct, I read the first part [SASL(-1): generic
failure: GSSAPI error:] which is identical to the failure before, and
assumed the same failure.... My mistake....

On the other hand the test put forward with the ldapsearch is running as a
client on the server machine..... It's just one machine, so how does that
work? How can I get different times when the client and server are on the
same machine? I would be assuming that the local clock is used for
both....did I miss something?

Sincerely,
tob


On 1/7/13 10:39 AM, "Roland C. Dowdeswell" <elric at imrryr.org> wrote:

> On Mon, Jan 07, 2013 at 10:23:57AM -0500, John Tobin wrote:
>> 
> 
>> As a rookie, I hadn't considered...this is an absolutely excellent
>> suggestion. See below, it didn't change anything.
>> I was running as root... Do I need to create a principal for the id 'root',
>> or can I use the base id [in this case jctobin] as a ticket for root?
> 
> You can use the base id.  In fact, normally one doesn't create a root
> principal for various reasons.
> 
>> kerberos1:/etc/init.d # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: jctobin at DARK1.NET
>> 
>> Valid starting     Expires            Service principal
>> 01/07/13 09:37:21  01/07/13 19:37:21  krbtgt/DARK1.NET at DARK1.NET
>>         renew until 01/07/13 09:37:21
>> kerberos1:/etc/init.d # ldapsearch -h kerberos1.dark1.net -b
>> 'dc=dark1,dc=net' '(uid=jtobin)'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>>         additional info: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information (Clock
>> skew too great)
> 
> In this example, you have tickets but you have received a different
> error: ``Clock skew too great''.  This means that your clocks are
> not in sync.  Kerberos uses the current time of day as a piece of
> common knowledge between the client and the server to eliminate a
> network round trip.  And so for Kerberos to work, your various
> computers need to have the same [approximate] time.
> 
> --
>     Roland Dowdeswell                      http://Imrryr.ORG/~elric/
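Roland's point about time as shared knowledge, as an added Python model of the check the accepting service performs (an illustration written for this archive page, not code from the thread or from MIT krb5; the 300 s limit is the MIT krb5 default clockskew, the ticket window is copied from the klist output above, and the client/service clock readings are constructed):

```python
from datetime import datetime, timedelta
from typing import Tuple

# MIT krb5 default for [libdefaults] clockskew; a site may set it differently.
CLOCKSKEW = timedelta(seconds=300)

def parse_klist_time(s: str) -> datetime:
    """Parse a timestamp in the MM/DD/YY HH:MM:SS form klist printed above."""
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")

# Ticket window copied from the klist output in the thread.
VALID_FROM = parse_klist_time("01/07/13 09:37:21")
EXPIRES = parse_klist_time("01/07/13 19:37:21")

def check_authenticator(client_time: datetime, server_time: datetime,
                        valid_from: datetime = VALID_FROM,
                        expires: datetime = EXPIRES,
                        skew: timedelta = CLOCKSKEW) -> Tuple[bool, str]:
    """Decide, as the accepting service does, whether an AP-REQ is usable.

    The authenticator carries the client's own clock reading (ctime).  The
    service compares it with its clock: a difference beyond the allowed skew
    is rejected before the ticket lifetime is even looked at.  The lifetime
    is then checked against the service's clock, again with the skew
    allowance, so a perfectly valid ticket (as in the klist above) does not
    help when the two clocks disagree.
    """
    if abs(server_time - client_time) > skew:
        return False, "Clock skew too great"
    if server_time < valid_from - skew:
        return False, "Ticket not yet valid"
    if server_time > expires + skew:
        return False, "Ticket expired"
    return True, "OK"

def skew_report(client_time: datetime, server_time: datetime) -> str:
    """One-line summary of a check, handy for a quick local sanity test."""
    accepted, reason = check_authenticator(client_time, server_time)
    delta = (server_time - client_time).total_seconds()
    verdict = "accepted" if accepted else "rejected"
    return f"skew={delta:+.0f}s -> {verdict} ({reason})"

if __name__ == "__main__":
    # Constructed clock readings: first the service clock 7 minutes ahead of
    # the client's, then the two clocks within a few seconds of each other.
    client = parse_klist_time("01/07/13 10:23:57")
    print(skew_report(client, parse_klist_time("01/07/13 10:31:00")))
    print(skew_report(client, parse_klist_time("01/07/13 10:24:05")))
```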
