Old 03-15-2012, 04:56 PM
Matt Wells
 
SASL and GSSAPI replication help - Error w/ Realm

I have a multi-master configuration of 389 Directory Server. I'm
attempting to replicate w/ SASL/GSSAPI, but it's not getting the realm.
Note this replication is not with Windows AD; it's LDAP to LDAP.

The error I get is -
[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1@] in keytab
[WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
for KDC in requested realm)
[15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (Credentials
cache file '/tmp/krb5cc_99' not found))
[15/Mar/2012:10:48:30 -0700] slapi_ldap_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
error)

In Kerberos all principals are created, and in /etc/krb5.keytab the
following exist; additionally, the permissions have been set all the
way to 777 to ensure a permissions issue is not in play.

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/server1@EXAMPLE.COM
   2    2 host/server1@EXAMPLE.COM
   3    2 host/server1@EXAMPLE.COM
   4    2 host/server1@EXAMPLE.COM
   5    2 host/server2@EXAMPLE.COM
   6    2 host/server2@EXAMPLE.COM
   7    2 host/server2@EXAMPLE.COM
   8    2 host/server2@EXAMPLE.COM
   9    3 ldap/server1@EXAMPLE.COM
  10    3 ldap/server1@EXAMPLE.COM
  11    3 ldap/server1@EXAMPLE.COM
  12    3 ldap/server1@EXAMPLE.COM
  13    3 ldap/server2@EXAMPLE.COM
  14    3 ldap/server2@EXAMPLE.COM
  15    3 ldap/server2@EXAMPLE.COM
  16    3 ldap/server2@EXAMPLE.COM


My question is the following -
Shouldn't my first error from above read
"[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
credentials for principal [ldap/server1@EXAMPLE.COM]"
It makes sense to me that I am missing my realm, without that I of
course couldn't get my tgt from the kdc. But where do I define that
realm?
I've looked in the
cn=mapping,cn=sasl,cn=config
but have not seen a realm to define. I've tested for fun changing
these attributes but to no avail.

nssaslmapbase dc=2,dc=3
mapregexstring (.*)@(.*).(.*)


Any help would be greatly appreciated!


Software Version -
RHEL 6.1
---
389-admin-1.1.25-1.el6.x86_64.rpm
389-admin-console-1.1.8-1.el6.noarch.rpm
389-adminutil-1.1.14-2.el6.x86_64.rpm
389-console-1.1.7-1.el6.noarch.rpm
389-ds-console-1.2.6-1.el6.noarch.rpm
389-dsgw-1.1.7-2.el6.x86_64.rpm
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
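The log lines above carry more diagnostic information than the post uses: the principal in `set_krb5_creds` ends in `@` with nothing after it, and `-1765328164` is MIT krb5's `KRB5_REALM_CANT_RESOLVE` ("Cannot resolve network address for KDC in requested realm"). The script below is an added example, not code from 389 Directory Server or from the poster: it parses those errors-log lines and the `klist` listing (both embedded as constructed sample input copied from the post), separates the realm problem from the keytab problem, and flags the 777 keytab, which is a credential exposure in its own right since anyone who can read a keytab can impersonate the service. The `cn=mapping,cn=sasl,cn=config` entries the poster was changing map an already-authenticated SASL identity to a directory entry; they are not consulted when the server obtains its own credentials, so they are not modelled here.

```python
"""Triage a 389-ds SASL/GSSAPI bind failure from its errors log and keytab listing.

Added example for this thread; not code from 389 Directory Server or from the
poster.  The log lines and the klist listing are constructed from the post.
KRB5_REALM_CANT_RESOLVE is MIT krb5's name for error -1765328164.
"""
import os
import re
import stat
import tempfile

# Constructed sample input: the errors-log lines quoted in the post.
ERRORS_LOG = """\
[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/server1@] in keytab [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm)
[15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
"""

# Constructed sample input: an abbreviated `klist -kt /etc/krb5.keytab` listing from the post.
KEYTAB_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/server1@EXAMPLE.COM
   5    2 host/server2@EXAMPLE.COM
   9    3 ldap/server1@EXAMPLE.COM
  13    3 ldap/server2@EXAMPLE.COM
"""

KRB5_REALM_CANT_RESOLVE = -1765328164  # "Cannot resolve network address for KDC in requested realm"

SET_CREDS_RE = re.compile(
    r"set_krb5_creds - Could not get initial credentials for principal "
    r"\[(?P<princ>[^\]]*)\] in keytab \[(?P<ktname>[^\]]*)\]: (?P<code>-?\d+)"
)
KEYTAB_ROW_RE = re.compile(r"^\s*(?P<slot>\d+)\s+(?P<kvno>\d+)\s+(?P<princ>\S+)\s*$")


def parse_set_krb5_creds(log_text):
    """Return (name, realm, keytab, errcode) from the set_krb5_creds line, or None.

    realm is '' when the logged principal ends in '@', as it does in the post."""
    m = SET_CREDS_RE.search(log_text)
    if m is None:
        return None
    princ = m.group("princ")
    name, sep, realm = princ.rpartition("@")
    if not sep:                       # no '@' at all
        name, realm = princ, ""
    return name, realm, m.group("ktname"), int(m.group("code"))


def parse_keytab_listing(listing):
    """Parse klist -k style output into {principal: kvno}; header and ruler lines are skipped."""
    entries = {}
    for line in listing.splitlines():
        m = KEYTAB_ROW_RE.match(line)
        if m:
            entries[m.group("princ")] = int(m.group("kvno"))
    return entries


def keytab_mode_findings(path):
    """A keytab holds the service's long-term keys; anyone who can read it can impersonate the service."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["keytab %s has mode %o: group/other access exposes the service key; "
                "make it 0600, owned by the user slapd runs as" % (path, mode)]
    return []


def triage(log_text, keytab_listing, keytab_path=None):
    """Return findings as strings, most likely root cause first."""
    parsed = parse_set_krb5_creds(log_text)
    if parsed is None:
        return ["no set_krb5_creds failure found in log"]
    name, realm, ktname, code = parsed
    findings = []
    if realm == "":
        findings.append("principal [%s@] has an empty realm: the server could not map its own "
                        "hostname to a realm; check default_realm/[domain_realm] in krb5.conf "
                        "and that the hostname is the FQDN" % name)
    if code == KRB5_REALM_CANT_RESOLVE:
        findings.append("error %d is KRB5_REALM_CANT_RESOLVE: no KDC could be located for realm %r"
                        % (code, realm))
    # Only now look at the keytab: does it hold a key for the name the server actually used?
    held = [p for p in parse_keytab_listing(keytab_listing) if p.split("@", 1)[0] == name]
    if not held:
        findings.append("keytab %s holds no key for %s" % (ktname, name))
    elif realm and "%s@%s" % (name, realm) not in held:
        findings.append("keytab %s has %s but not in realm %s" % (ktname, ", ".join(held), realm))
    else:
        findings.append("keytab holds %s; the key itself is not the problem" % ", ".join(held))
    if keytab_path is not None:
        findings.extend(keytab_mode_findings(keytab_path))
    return findings


def demo():
    """Run the triage on the post's data with a placeholder keytab file chmod 777, as in the post."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"placeholder, not a real keytab")
    os.close(fd)
    os.chmod(path, 0o777)
    try:
        return triage(ERRORS_LOG, KEYTAB_LISTING, path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Run it as a script to see the ordered findings; the first two point at `/etc/krb5.conf` and the hostname rather than at the keytab, which is where the thread eventually lands.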
 
Old 03-16-2012, 11:55 AM
Anthony Messina
 
SASL and GSSAPI replication help - Error w/ Realm

On 03/15/2012 12:56 PM, Matt Wells wrote:
> I have a multi-master configuration of 389-directory server. I'm
> attempting to replicate w/ SASL/GSSAPI but It's not getting the realm.
> Note this replication is not with Windows AD. It's LDAP to LDAP
> [...]


Do you have:

# In order to use SASL/GSSAPI (Kerberos) the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME

in your /etc/sysconfig/dirsrv? It sounds like your server isn't setting
up its credential cache at startup.

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

 
Old 03-16-2012, 12:20 PM
Matt Wells
 
SASL and GSSAPI replication help - Error w/ Realm

Sorry, I forgot to mention that. Yes.
I used the ds.keytab and moved it to the krb5.keytab for testing.

2012/3/16 Anthony Messina <amessina@messinet.com>:
> On 03/15/2012 12:56 PM, Matt Wells wrote:
>> [...]
>
> Do you have:
>
> # In order to use SASL/GSSAPI (Kerberos) the directory
> # server needs to know where to find its keytab
> # file - uncomment the following line and set
> # the path and filename appropriately
> KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME
>
> in your /etc/sysconfig/dirsrv? It sounds like your server isn't setting
> up its credential cache at startup.



--
- - Matt
Please note the new address and update your contact lists
 
Old 03-16-2012, 12:28 PM
Anthony Messina
 
SASL and GSSAPI replication help - Error w/ Realm

On 03/16/2012 08:20 AM, Matt Wells wrote:
> Sorry, I forgot to mention that. Yes.
> I used the ds.keytab and moved it to the krb5.keytab for testing.

Does your uid 99 user have permissions to access krb5.keytab?

 
Old 03-16-2012, 03:24 PM
Matt Wells
 
SASL and GSSAPI replication help - Error w/ Realm

Yep, I changed it to even 777 but to no avail.

2012/3/16 Anthony Messina <amessina@messinet.com>:
> On 03/16/2012 08:20 AM, Matt Wells wrote:
>> Sorry, I forgot to mention that. Yes.
>> I used the ds.keytab and moved it to the krb5.keytab for testing.
>
> Does your uid 99 user have permissions to access krb5.keytab?
>
 
Old 03-16-2012, 10:49 PM
Anthony Messina
 
SASL and GSSAPI replication help - Error w/ Realm

On 03/15/2012 12:56 PM, Matt Wells wrote:
> The error I get is -
> [15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@] in keytab
> [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
> for KDC in requested realm)
> [15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Credentials
> cache file '/tmp/krb5cc_99' not found))
> [15/Mar/2012:10:48:30 -0700] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
> error)
>
> In Kerberos all principals are created, and in /etc/krb5.keytab the
> following exist; additionally, the permissions have been set all the
> way to 777 to ensure a permissions issue is not in play.
>
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2 host/server1@EXAMPLE.COM
>    2    2 host/server1@EXAMPLE.COM
>    3    2 host/server1@EXAMPLE.COM
>    4    2 host/server1@EXAMPLE.COM
>    5    2 host/server2@EXAMPLE.COM
>    6    2 host/server2@EXAMPLE.COM
>    7    2 host/server2@EXAMPLE.COM
>    8    2 host/server2@EXAMPLE.COM
>    9    3 ldap/server1@EXAMPLE.COM
>   10    3 ldap/server1@EXAMPLE.COM
>   11    3 ldap/server1@EXAMPLE.COM
>   12    3 ldap/server1@EXAMPLE.COM
>   13    3 ldap/server2@EXAMPLE.COM
>   14    3 ldap/server2@EXAMPLE.COM
>   15    3 ldap/server2@EXAMPLE.COM
>   16    3 ldap/server2@EXAMPLE.COM
>
>
> My question is the following -
> Shouldn't my first error from above read
> "[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@EXAMPLE.COM]"
> It makes sense to me that I am missing my realm, without that I of
> course couldn't get my tgt from the kdc. But where do I define that
> realm?
> I've looked in the
> cn=mapping,cn=sasl,cn=config
> but have not seen a realm to define. I've tested for fun changing
> these attributes but to no avail.

Hmmm, I don't remember having to do anything special here. Perhaps
"EXAMPLE.COM" is just listed here in the email, but above the log shows

> [15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1@] in keytab
> [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address
> for KDC in requested realm)

Your krb5.conf file would need to have maps to the KDC for EXAMPLE.COM
which actually work--they resolve to a real KDC. This is my krb5.conf
file on my ldap server, with my relevant realms/domains replaced by
example.com and EXAMPLE.COM:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  kdc = kerberos-1.example.com
  admin_server = kerberos.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

Perhaps, your ldap server is not able to resolve the address of the KDC
at the time of the server startup? Also, check that your /etc/hosts
contains the proper FQDN for your ldap server, listed before any
hostname aliases for that IP:

192.168.1.99 ldap.example.com ldap

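The reply above points at two inputs, the `[domain_realm]`/`default_realm` settings in krb5.conf and the order of names on the host's `/etc/hosts` line, without spelling out how they combine into the `ldap/server1@` principal in the log. The following is an added example, not code from 389 Directory Server, MIT krb5 or either poster: a small model of how a Kerberos library builds a host-based service principal, using the krb5.conf from the reply and an `/etc/hosts` line in the recommended shape as constructed sample input. The second krb5.conf, with no `default_realm` and no `[domain_realm]`, is an assumed reconstruction of the failing case (the thread never shows the poster's krb5.conf), and the empty-realm fallback is an assumption about MIT krb5's referral behaviour; DNS lookups and KDC referrals are not modelled.

```python
"""Model of how a Kerberos library chooses the realm for a host-based service principal.

Added example for this thread; not code from 389-ds, MIT krb5 or the posters.
KRB5_CONF_FIXED is the krb5.conf from the reply.  KRB5_CONF_NO_MAPPING is an
assumed failing configuration.  The /etc/hosts lines are constructed.
"""

KRB5_CONF_FIXED = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  kdc = kerberos-1.example.com
  admin_server = kerberos.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

# Assumed failing configuration: a realm is defined, but nothing maps a host to it.
KRB5_CONF_NO_MAPPING = """\
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
 }
"""

HOSTS_FQDN_FIRST = "192.168.1.99 server1.example.com server1\n"   # the shape the reply recommends
HOSTS_ALIAS_FIRST = "192.168.1.99 server1 server1.example.com\n"  # short name canonicalises to itself


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}} with one level of { } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or section is None and not line.startswith("["):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                conf[section][key], block = {}, key
            else:
                target = conf[section] if block is None else conf[section][block]
                target.setdefault(key, []).append(value)
    return conf


def canonical_hostname(name, hosts_text):
    """Mimic getaddrinfo(AI_CANONNAME) answered from /etc/hosts: the first name on the matching line wins."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[1]
    return name


def host_realm(hostname, conf):
    """Exact [domain_realm] entry, then parent domains with a leading dot, then default_realm.

    Returns '' when nothing applies: the empty realm that 'ldap/server1@' in the log shows."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm", [""])[0]


def service_principal(service, name, hosts_text, conf):
    fqdn = canonical_hostname(name, hosts_text)
    return "%s/%s@%s" % (service, fqdn, host_realm(fqdn, conf))


def kdcs_for(realm, conf):
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])


def explain(hosts_text, conf_text, name="server1"):
    """Return (principal the library would build, KDCs it could contact for that realm)."""
    conf = parse_krb5_conf(conf_text)
    princ = service_principal("ldap", name, hosts_text, conf)
    return princ, kdcs_for(princ.rsplit("@", 1)[1], conf)


if __name__ == "__main__":
    print("failing:", explain(HOSTS_ALIAS_FIRST, KRB5_CONF_NO_MAPPING))
    print("fixed:  ", explain(HOSTS_FQDN_FIRST, KRB5_CONF_FIXED))
```

One check this makes visible: the principal the library builds has to match a keytab entry exactly. The poster's keytab holds `ldap/server1@EXAMPLE.COM` with the short hostname, so if `/etc/hosts` canonicalises `server1` to `server1.example.com`, the keytab needs an `ldap/server1.example.com@EXAMPLE.COM` entry as well, or the bind fails for a different reason once the realm is fixed.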
 
