Broken auth, LDAP dbargs stopped working

Gergely Czuczy gergely.czuczy at
Wed May 13 10:02:38 EDT 2015


I have an installation of MIT Kerberos with an OpenLDAP backend, on CentOS6:

And starting of today, for some unknown reason, it started misbehaving. 
First was, one of the boxes refuses kerberos authentication, getting the 
following error message:
(('Unspecified GSS failure.  Minor code may provide more information', 
851968), ('Success', 100001))
A couple of times, I also got "Wrong principal in request" for the minor 
code, however at this very moment, I cannot reproduce that one.

This is a web application, which worked yesterday. Also, ssh with GSSAPI 
auth works all over the boxes, except for this one, it always falls back 
to PAM.

What's also strange is, I've used to store the principals of users and 
hosts in LDAP, in their respective entries, under 
ou=(users,hosts),dc=..., respectively. Now, whenever I do an addprinc 
with -x dn=$dn, the principal is getting added, but it's not showing up 
under the entity's LDAP entry.

Clock is in sync, the DNS entries back and forward are properly done.

I'm at a loss, I'm running out of ideas where to look for. Could someone 
please give me a couple of suggestions, where and what to look for? This 
stuff used to work, but for some unknown reason it stopped working. 
krb5kdc.log and kadmin.log are silent of any errors, as I've checked.

Thanks in advance,

More information about the Kerberos mailing list