Sorry, I forgot to mention that. Yes.
I used the ds.keytab and moved it to the krb5.keytab for testing.
2012/3/16 Anthony Messina <amessina@messinet.com>:
On 03/15/2012 12:56 PM, Matt Wells wrote:
> I have a multi-master configuration of 389-directory server. I'm
> attempting to replicate w/ SASL/GSSAPI but it's not getting the realm.
> Note this replication is not with Windows AD. It's LDAP to LDAP
>
> The error I get is -
> [15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@] in keytab
> [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
> for KDC in requested realm)
> [15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Credentials
> cache file '/tmp/krb5cc_99' not found))
> [15/Mar/2012:10:48:30 -0700] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
> error)
>
> In Kerberos all principals are created and in the /etc/krb5.keytab the
> following exist; additionally the permissions have been set all the
> way to 777 to ensure a permissions issue is not in play.
>
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 2 host/server1@EXAMPLE.COM
> 2 2 host/server1@EXAMPLE.COM
> 3 2 host/server1@EXAMPLE.COM
> 4 2 host/server1@EXAMPLE.COM
> 5 2 host/server2@EXAMPLE.COM
> 6 2 host/server2@EXAMPLE.COM
> 7 2 host/server2@EXAMPLE.COM
> 8 2 host/server2@EXAMPLE.COM
> 9 3 ldap/server1@EXAMPLE.COM
> 10 3 ldap/server1@EXAMPLE.COM
> 11 3 ldap/server1@EXAMPLE.COM
> 12 3 ldap/server1@EXAMPLE.COM
> 13 3 ldap/server2@EXAMPLE.COM
> 14 3 ldap/server2@EXAMPLE.COM
> 15 3 ldap/server2@EXAMPLE.COM
> 16 3 ldap/server2@EXAMPLE.COM
>
>
> My question is the following -
> Shouldn't my first error from above read
> "[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@EXAMPLE.COM]"
> It makes sense to me that I am missing my realm, without that I of
> course couldn't get my TGT from the KDC. But where do I define that
> realm?
> I've looked in the
> cn=mapping,cn=sasl,cn=config
> but have not seen a realm to define. I've tested for fun changing
> these attributes but to no avail.
>
> nssaslmapbase dc=\2,dc=\3
> mapregexstring \(.*\)@\(.*\)\.\(.*\)
>
>
> Any help would be greatly appreciated!
>
>
> Software Version -
> RHEL 6.1
> ---
> 389-admin-1.1.25-1.el6.x86_64.rpm
> 389-admin-console-1.1.8-1.el6.noarch.rpm
> 389-adminutil-1.1.14-2.el6.x86_64.rpm
> 389-console-1.1.7-1.el6.noarch.rpm
> 389-ds-console-1.2.6-1.el6.noarch.rpm
> 389-dsgw-1.1.7-2.el6.x86_64.rpm
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
Do you have:
# In order to use SASL/GSSAPI (Kerberos) the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME
in your /etc/sysconfig/dirsrv? It sounds like your server isn't setting
up its credential cache at startup.
--
Anthony -
http://messinet.com -
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
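The three things this thread turns on (the KRB5_KTNAME export Anthony asks about, the empty realm in `ldap/server1@` that Matt noticed, and the keytab the principal has to be in) can be checked offline before another dirsrv restart. The script below is an added example for that and is not part of this thread or of 389-ds. It assumes the keytab listing is in the `slot KVNO Principal` layout shown above (ktutil `list` output) and that the realm libkrb5 picks for the host comes from a `[domain_realm]` entry in krb5.conf (DNS-based realm lookup is not modelled). All function names and the sample files it builds under a temp directory are constructed for the example; point the parameters at the real files on a server.

```shell
#!/bin/sh
# Added example, not from the thread or from 389-ds. Every check takes
# file paths as parameters; the sample files at the bottom are constructed.

# Keytab path exported from a sysconfig file (an uncommented
# "KRB5_KTNAME=... ; export KRB5_KTNAME" line), or nothing if absent.
keytab_from_sysconfig() {
    sed -n 's/^[[:space:]]*KRB5_KTNAME=\([^ ;]*\).*/\1/p' "$1" | tail -n 1
}

# Realm that the [domain_realm] section of krb5.conf "$1" maps host "$2"
# to: an exact host entry wins, else the longest matching ".domain"
# suffix. Prints nothing when no entry applies (the "ldap/server1@" case).
# Assumption: DNS realm lookup is not in play.
realm_for_host() {
    awk -v host="$2" '
        /^[ \t]*\[/ { sect = $0; gsub(/\[|\]|[ \t]/, "", sect); next }
        sect == "domain_realm" && index($0, "=") > 0 {
            n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == host) { best = v; bestlen = 9999 }
            else if (substr(k, 1, 1) == "." && length(host) > length(k) &&
                     substr(host, length(host) - length(k) + 1) == k &&
                     length(k) > bestlen) { best = v; bestlen = length(k) }
        }
        END { if (best != "") print best }
    ' "$1"
}

# Whether keytab listing "$1" (slot KVNO Principal lines) holds "$2" with
# a non-empty realm; prints the matching principal and returns 0 if so.
keytab_has_principal() {
    awk -v want="$2" '
        NF == 3 && index($3, want "@") == 1 && length($3) > length(want) + 1 {
            print $3; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# True when the keytab's "other" permission bits are set; the service
# key should be readable by the dirsrv user only, so 777 is a finding.
keytab_world_accessible() {
    [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]
}

# Run every check; one line per finding, returns 0 only when all pass.
check_gssapi_setup() {
    sysconfig=$1; krb5conf=$2; ktlist=$3; keytab=$4; host=$5; rc=0
    kt=$(keytab_from_sysconfig "$sysconfig")
    if [ -n "$kt" ]; then echo "ok: KRB5_KTNAME=$kt exported in $sysconfig"
    else echo "FAIL: no KRB5_KTNAME export in $sysconfig"; rc=1; fi
    realm=$(realm_for_host "$krb5conf" "$host")
    if [ -n "$realm" ]; then echo "ok: $host maps to realm $realm"
    else echo "FAIL: $krb5conf has no [domain_realm] entry for $host"; rc=1; fi
    if princ=$(keytab_has_principal "$ktlist" "ldap/$host"); then
        echo "ok: keytab has $princ"
    else echo "FAIL: keytab listing lacks ldap/$host@<REALM>"; rc=1; fi
    if keytab_world_accessible "$keytab"; then echo "WARN: $keytab readable by others"; fi
    return $rc
}

# Constructed sample trees: "good", and "bad" reproducing the thread's
# symptoms (export commented out, no realm mapping, ldap key missing, 777).
tmp=$(mktemp -d); mkdir -p "$tmp/good" "$tmp/bad"
printf '%s\n' '# stock comment block' 'KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME' \
    > "$tmp/good/sysconfig-dirsrv"
printf '%s\n' '#KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME' > "$tmp/bad/sysconfig-dirsrv"
printf '%s\n' '[libdefaults]' ' default_realm = EXAMPLE.COM' '[domain_realm]' \
    ' .example.com = EXAMPLE.COM' ' server1 = EXAMPLE.COM' > "$tmp/good/krb5.conf"
printf '%s\n' '[libdefaults]' ' default_realm = EXAMPLE.COM' > "$tmp/bad/krb5.conf"
printf '%s\n' 'slot KVNO Principal' '---- ---- ----------------------' \
    '   1    2 host/server1@EXAMPLE.COM' '   9    3 ldap/server1@EXAMPLE.COM' > "$tmp/good/ktlist"
printf '%s\n' 'slot KVNO Principal' '---- ---- ----------------------' \
    '   1    2 host/server1@EXAMPLE.COM' > "$tmp/bad/ktlist"
: > "$tmp/good/ds.keytab"; chmod 600 "$tmp/good/ds.keytab"
: > "$tmp/bad/ds.keytab";  chmod 777 "$tmp/bad/ds.keytab"

for which in good bad; do
    echo "== $which =="
    check_gssapi_setup "$tmp/$which/sysconfig-dirsrv" "$tmp/$which/krb5.conf" \
        "$tmp/$which/ktlist" "$tmp/$which/ds.keytab" server1 || true
done
```

On a real server the inputs would be `/etc/sysconfig/dirsrv`, `/etc/krb5.conf`, the output of `ktutil` `rkt`/`list` (or a file you saved it to) and the keytab path itself; the listing check deliberately refuses a principal whose realm part is empty, since that is exactly the form the error message in this thread shows.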