[32216] in Kerberos


Aw: Re: kerberized OpenLDAP

daemon@ATHENA.MIT.EDU (Wolf-Agathon Schaly)
Wed Mar 31 12:23:30 2010

Message-ID: <24862902.1270015129083.JavaMail.ngmail@webmail11.arcor-online.net>
Date: Wed, 31 Mar 2010 07:58:49 +0200 (CEST)
From: Wolf-Agathon Schaly <schaly_wolf-agathon@arcor.de>
To: guillaume.rousse@inria.fr, openldap-software@openldap.org,
   kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Thank you, Guillaume, for your helpful answer.

What I've done on the LDAP server:
I've generated a -randkey ldap/declips.privat.net@PRIVAT.NET LDAP service key, modified the relevant ldap startup file, providing the path where LDAP will find its keytab file, and restarted the entire host - just to make sure that no old TCP connection will block the TCP port 389 (LDAP).


Checked the krb5kdc.log while the user calls kinit - YES - the initial communication is fine, the user gets its TGT.
When I do the ldapsearch -x on the server, as expected all is fine (LDAP not yet involved).
When I do the ldapsearch -Y GSSAPI (on the server) - YES, all is fine. But something is weird.
When I check my klist I get in return:

klist 
Valid starting     Expires            Service principal
03/29/10 13:07:54  03/30/10 14:07:54  krbtgt/PRIVAT.NET@PRIVAT.NET
        renew until 04/05/10 13:07:54
03/29/10 13:08:04  03/30/10 14:07:54  ldap/localhost@
        renew until 04/05/10 13:07:54
03/29/10 13:08:04  03/30/10 14:07:54  ldap/localhost@PRIVAT.NET
        renew until 04/05/10 13:07:54

Hmmm - what I did next, I changed the keytab. 
Removed the localhost stuff and added the ldap/declips.privat.net@PRIVAT.NET principal (unfortunately only) 

What I'm going to do next - I'll generate a keytab file including the ldap/localhost and ldap/declips.privat.net and will try out.

I'll keep you updated. 

cheers 
Wolf-Agathon 


----- Original Message ----
From:    Guillaume Rousse <Guillaume.Rousse@inria.fr>
To:      openldap-software@openldap.org, kerberos@mit.edu
Date:    30.03.2010 13:15
Subject: Re: kerberized OpenLDAP

> On 29/03/2010 10:26, Wolf-Agathon Schaly wrote:
> > If I leave the LDAP server listening on the TCP address of localhost
> > (127.0.0.1) declips is cool.
> > If I change the entry in /etc/openldap/ldap.conf from 
> >   URI=ldap://127.0.0.1/ 
> > to 
> >   URI=ldap://10.1.1.1/
> > I'm facing the same issue (gss_accept_sec_context) as on levante. 
> > 
> > 
> > Is there somebody out there who can lead me to a solution. 
> It seems like a name canonicalisation error to me, as you have a
> multihomed setup, and the result varies with the IP address you're using.
> 
> You have to ensure the principal used in the LDAP server keytab (its SPN)
> matches both the ones used by clients when they ask for a service ticket (DNS
> hostname for the IP address used in their /etc/openldap/ldap.conf files),
> and the one used by the server itself (by default, the one returned by
> gethostname(), otherwise, the one specified with the sasl_hostname directive
> in its configuration file).
> 
> You may also check in the KDC logs which principals are requested by
> clients.
> -- 
> BOFH excuse #11:
> 
> magnetic interference from money/credit cards
> 
>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
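A way to check for the mismatch Guillaume describes, added here as an example and not code from either poster: it derives the SPN a GSSAPI client will request from the host in the ldap.conf URI (using a constructed stand-in for DNS canonicalization), compares it against a constructed `klist -k` listing of the server keytab, and flags ticket-cache entries with an empty realm like the `ldap/localhost@` line in the thread. The hostname table, keytab listing and realm are assumptions built from the mail.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the DNS canonicalization a client applies to the
# URI host before building the SPN (hypothetical, modelled on the thread).
CANONICAL = {
    "127.0.0.1": "localhost",
    "localhost": "localhost",
    "10.1.1.1": "declips.privat.net",
    "declips": "declips.privat.net",
    "declips.privat.net": "declips.privat.net",
}

# Constructed `klist -k` output for the server keytab after the change in
# the mail: only the FQDN principal, the localhost one removed.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/openldap/ldap.keytab
KVNO Principal
---- ------------------------------------------------
   3 ldap/declips.privat.net@PRIVAT.NET
"""

# Constructed client ticket cache, copied from the klist output in the mail.
KLIST_CACHE = """\
Valid starting     Expires            Service principal
03/29/10 13:07:54  03/30/10 14:07:54  krbtgt/PRIVAT.NET@PRIVAT.NET
03/29/10 13:08:04  03/30/10 14:07:54  ldap/localhost@
03/29/10 13:08:04  03/30/10 14:07:54  ldap/localhost@PRIVAT.NET
"""

def keytab_principals(listing):
    """Set of principals in `klist -k` output (KVNO followed by principal)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)$", listing, re.M)}

def expected_spn(uri, realm, resolver=CANONICAL):
    """SPN a client requests for an ldap:// URI: ldap/<canonical host>@REALM.
    It depends on the address in ldap.conf, not on the server's own name."""
    host = urlsplit(uri).hostname
    return f"ldap/{resolver.get(host, host)}@{realm}"

def keytab_covers(uri, realm, listing, resolver=CANONICAL):
    """True when the keytab holds the SPN clients will ask for via `uri`."""
    return expected_spn(uri, realm, resolver) in keytab_principals(listing)

def tickets_with_empty_realm(klist_output):
    """Service tickets whose principal ends in '@' with no realm: the client
    could not map that host name to a realm when it asked the KDC."""
    return re.findall(r"\s(\S+/\S*@)\s*$", klist_output, re.M)
```

With these assumptions the keytab covers clients using the 10.1.1.1 URI but not those still pointed at 127.0.0.1, which is the split the thread describes.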
