Questions on openldap and kerberos....

John Tobin jtobin at po-box.esu.edu
Mon Jan 7 16:01:32 EST 2013


> On Mon, 7 Jan 2013 13:04:54 -0500,
> John Tobin <jtobin at po-box.esu.edu> wrote:
> 
>> The kdc, and this client [the ldapsearch] are both on the same
>> machine. I assume both of these processes get their clock reading
>> from a 'date' type function off of the [same] machine... How can one
>> skew from the other? It's the same clock....
>> 
>> tob

$$$$

Answers to a number of questions:
1>
Hm.  Is the LDAP server also the same machine?  If so, yes, I find that
confusing too.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

This is a test machine, where I can check everything out before I set up
production, which is to say .... Yes ldap, kerberos, and short term: openafs
are installed on this box.

2>
On 1/7/13 2:34 PM, "Jean-Christophe Gay" <jean-christophe.gay at dauphine.fr>
wrote:


> 
> After your ldapsearch command that fails, can you paste a klist result
> please? And maybe some of your krb5kdc.log file may be interesting.

kerberos1:/etc # ldapsearch -h kerberos1.dark1.net -b 'dc=dark1,dc=net'
'(uid=jtobin)'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Clock
skew too great)
kerberos1:/etc # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jctobin at DARK1.NET

Valid starting     Expires            Service principal
01/07/13 09:37:21  01/07/13 19:37:21  krbtgt/DARK1.NET at DARK1.NET
        renew until 01/07/13 09:37:21
kerberos1:/etc # tail -50 /var/log/krb5/krb5kdc.log
Jan 04 16:17:56 kerberos1 krb5kdc[8884](debug): Got signal to request exit
Jan 04 16:17:56 kerberos1 krb5kdc[8884](debug): Got signal to request exit
Jan 04 16:17:56 kerberos1 krb5kdc[8884](info): closing down fd 11
Jan 04 16:17:56 kerberos1 krb5kdc[8884](info): closing down fd 11
...<snip>

Jan 04 16:17:56 kerberos1 krb5kdc[10063](info): listening on fd 11: udp
::.750 (pktinfo)
Jan 04 16:17:56 kerberos1 krb5kdc[10063](info): listening on fd 11: udp
::.750 (pktinfo)
Jan 04 16:17:56 kerberos1 krb5kdc[10063](info): set up 4 sockets
Jan 04 16:17:56 kerberos1 krb5kdc[10063](info): set up 4 sockets
Jan 04 16:17:56 kerberos1 krb5kdc[10064](info): commencing operation
Jan 04 16:17:56 kerberos1 krb5kdc[10064](info): commencing operation
Jan 07 09:37:21 kerberos1 krb5kdc[10064](info): AS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: ISSUE: authtime 1357569441, etypes {rep=18 tkt=18 ses=18},
jctobin at DARK1.NET for krbtgt/DARK1.NET at DARK1.NET
Jan 07 09:37:21 kerberos1 krb5kdc[10064](info): AS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: ISSUE: authtime 1357569441, etypes {rep=18 tkt=18 ses=18},
jctobin at DARK1.NET for krbtgt/DARK1.NET at DARK1.NET
Jan 07 10:11:37 kerberos1 krb5kdc[10064](info): TGS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: PROCESS_TGS: authtime 0,  <unknown client> for <unknown
server>, Clock skew too great
Jan 07 10:11:37 kerberos1 krb5kdc[10064](info): TGS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: PROCESS_TGS: authtime 0,  <unknown client> for <unknown
server>, Clock skew too great
Jan 07 10:11:38 kerberos1 krb5kdc[10064](info): TGS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: PROCESS_TGS: authtime 0,  <unknown client> for <unknown
server>, Clock skew too great
Jan 07 10:11:38 kerberos1 krb5kdc[10064](info): TGS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: PROCESS_TGS: authtime 0,  <unknown client> for <unknown
server>, Clock skew too great
Jan 07 11:42:48 kerberos1 krb5kdc[10064](info): TGS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: PROCESS_TGS: authtime 0,  <unknown client> for <unknown
server>, Clock skew too great
Jan 07 11:42:48 kerberos1 krb5kdc[10064](info): TGS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: PROCESS_TGS: authtime 0,  <unknown client> for <unknown
server>, Clock skew too great
Jan 07 11:42:48 kerberos1 krb5kdc[10064](info): TGS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: PROCESS_TGS: authtime 0,  <unknown client> for <unknown
server>, Clock skew too great
                   

Sincerely, tob     
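
An added example, not part of the original thread: a parser for krb5kdc.log lines in the format pasted above that collapses the doubled entries, counts "Clock skew too great" rejections by request type and client address, and converts `authtime` to UTC for comparison with the local log timestamp. The sample lines are constructed from the excerpt (unwrapped, placeholder principals), and the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample modelled on the krb5kdc.log excerpt in the post: lines
# unwrapped, principals replaced with placeholders, each event logged twice.
SAMPLE_LOG = """\
Jan 04 16:17:56 kerberos1 krb5kdc[10064](info): commencing operation
Jan 07 09:37:21 kerberos1 krb5kdc[10064](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1357569441, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET
Jan 07 09:37:21 kerberos1 krb5kdc[10064](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1357569441, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET
Jan 07 10:11:37 kerberos1 krb5kdc[10064](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Clock skew too great
Jan 07 10:11:37 kerberos1 krb5kdc[10064](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Clock skew too great
Jan 07 10:11:38 kerberos1 krb5kdc[10064](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Clock skew too great
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+),\s*(?P<detail>.*)$"
)

def parse_events(text):
    """Return request events as dicts, dropping back-to-back duplicate lines."""
    events, previous = [], None
    for line in text.splitlines():
        if line == previous:
            continue  # assumption: an identical adjacent line is the same event logged twice
        previous = line
        m = LINE_RE.match(line)
        if m:  # startup/shutdown lines do not match and are skipped
            events.append({**m.groupdict(), "authtime": int(m["authtime"])})
    return events

def skew_failures(events):
    """Count 'Clock skew too great' rejections per (request type, client address)."""
    return Counter((e["req"], e["addr"]) for e in events
                   if e["detail"].endswith("Clock skew too great"))

def authtime_utc(event):
    """KDC authtime (epoch seconds) as UTC, to compare with the local log stamp."""
    return datetime.fromtimestamp(event["authtime"], tz=timezone.utc)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(skew_failures(evs))
    print(evs[0]["ts"], "local ->", authtime_utc(evs[0]).isoformat())
```
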




