I have a multi-master configuration of 389 Directory Server. I'm
attempting to replicate with SASL/GSSAPI, but it's not getting the realm.
Note this replication is not with Windows AD; it's LDAP to LDAP.
The error I get is -
[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1@] in keytab
[WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
for KDC in requested realm)
[15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (Credentials
cache file '/tmp/krb5cc_99' not found))
[15/Mar/2012:10:48:30 -0700] slapi_ldap_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
error)
In Kerberos all principals are created, and in /etc/krb5.keytab the
following exist; additionally the permissions have been set all the
way to 777 to ensure a permissions issue is not in play.
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/server1@EXAMPLE.COM
   2    2 host/server1@EXAMPLE.COM
   3    2 host/server1@EXAMPLE.COM
   4    2 host/server1@EXAMPLE.COM
   5    2 host/server2@EXAMPLE.COM
   6    2 host/server2@EXAMPLE.COM
   7    2 host/server2@EXAMPLE.COM
   8    2 host/server2@EXAMPLE.COM
   9    3 ldap/server1@EXAMPLE.COM
  10    3 ldap/server1@EXAMPLE.COM
  11    3 ldap/server1@EXAMPLE.COM
  12    3 ldap/server1@EXAMPLE.COM
  13    3 ldap/server2@EXAMPLE.COM
  14    3 ldap/server2@EXAMPLE.COM
  15    3 ldap/server2@EXAMPLE.COM
  16    3 ldap/server2@EXAMPLE.COM
My question is the following -
Shouldn't my first error from above read
"[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1@EXAMPLE.COM]"
It makes sense to me that I am missing my realm; without that I of
course couldn't get my TGT from the KDC. But where do I define that
realm?
I've looked in the
cn=mapping,cn=sasl,cn=config
but have not seen a realm to define. I've tested for fun changing
these attributes but to no avail.
nssaslmapbase dc=\2,dc=\3
mapregexstring \(.*\)@\(.*\)\.\(.*\)
Any help would be greatly appreciated!
Software Version -
RHEL 6.1
---
389-admin-1.1.25-1.el6.x86_64.rpm
389-admin-console-1.1.8-1.el6.noarch.rpm
389-adminutil-1.1.14-2.el6.x86_64.rpm
389-console-1.1.7-1.el6.noarch.rpm
389-ds-console-1.2.6-1.el6.noarch.rpm
389-dsgw-1.1.7-2.el6.x86_64.rpm
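Two things in the post are worth separating: the realm on the server's own principal (the `ldap/server1@` in the `set_krb5_creds` error) is filled in by the Kerberos library from the host's krb5.conf (`default_realm` / `[domain_realm]`), while `cn=mapping,cn=sasl,cn=config` is only consulted after a GSSAPI bind has already authenticated, to turn the authenticated principal into a DN. The script below is an added example, not code from the original post or from the 389 project. It parses a `klist -k`-style keytab listing (a constructed sample with the post's hostnames and realm, which are placeholders), reports whether a principal string carries a realm at all, checks whether it appears in the keytab, and applies the post's `nsSaslMapRegexString` / `nsSaslMapBase` pair to show what search base the mapping would produce. The POSIX-to-Python regex translation handles only the `\(` `\)` group syntax used in the post.

```python
import re
from typing import List, NamedTuple, Optional


class KeytabEntry(NamedTuple):
    slot: int
    kvno: int
    principal: str


# Constructed sample in the shape of `klist -k /etc/krb5.keytab` output,
# trimmed to a few entries. Hostnames and realm are assumptions.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
slot KVNO Principal
---- ---- -------------------------------------------------------
   1    2 host/server1@EXAMPLE.COM
   9    3 ldap/server1@EXAMPLE.COM
  13    3 ldap/server2@EXAMPLE.COM
"""

# Principal exactly as the set_krb5_creds error printed it: no realm.
PRINCIPAL_FROM_ERROR = "ldap/server1@"

# The mapping from the post (389-ds compiles nsSaslMapRegexString with the
# system POSIX regex library, hence the \( \) group syntax).
POSIX_REGEX = r"\(.*\)@\(.*\)\.\(.*\)"
MAP_BASE_TEMPLATE = r"dc=\2,dc=\3"

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_keytab_listing(text: str) -> List[KeytabEntry]:
    """Pick the 'slot KVNO principal' rows out of klist -k output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and dashed separator lines do not match
            entries.append(KeytabEntry(int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def realm_of(principal: str) -> Optional[str]:
    """Realm part of name@REALM, or None when it is missing or empty."""
    if "@" not in principal:
        return None
    realm = principal.rsplit("@", 1)[1]
    return realm or None


def in_keytab(entries: List[KeytabEntry], principal: str) -> bool:
    """True if some keytab slot holds exactly this principal (realm included)."""
    return any(e.principal == principal for e in entries)


def posix_to_python(pattern: str) -> str:
    """Translate basic-regex \\( \\) groups to Python ( ) groups."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def sasl_map_base(principal: str) -> Optional[str]:
    """Apply nsSaslMapRegexString and expand nsSaslMapBase for the match.

    Both Python's greedy groups and POSIX leftmost-longest subexpressions
    put the realm's last dot between \\2 and \\3, so the result agrees with
    what the server would build for a single- or multi-component realm."""
    m = re.fullmatch(posix_to_python(POSIX_REGEX), principal)
    return m.expand(MAP_BASE_TEMPLATE) if m else None


def diagnose(principal: str, listing: str) -> dict:
    """Summarise what the Kerberos side and the SASL mapping see."""
    entries = parse_keytab_listing(listing)
    return {
        "realm": realm_of(principal),
        "in_keytab": in_keytab(entries, principal),
        "map_base": sasl_map_base(principal),
    }


if __name__ == "__main__":
    for p in (PRINCIPAL_FROM_ERROR, "ldap/server1@EXAMPLE.COM"):
        print(p, diagnose(p, SAMPLE_KLIST))
```

Run against the realm-less principal from the error, the report shows no realm, no keytab slot and no mapping match; the realm-qualified form resolves to the slot-9 entry and maps to `dc=EXAMPLE,dc=COM`. The mapping never gets to run in the failing case because `set_krb5_creds` gives up before any bind is attempted.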