Hi folks,
My new Debian stretch slapd consumer configuration is suffering from a
Kerberos authentication problem that looks like a bug. It is
apparently unable to read the Kerberos keytab file and instead
authenticates to its provider as (for my realm)
ldap/[email protected]. The error I keep getting is:
slapd[1668]: GSSAPI Error: Unspecified GSS failure. \
Minor code may provide more information \
(Server ldap/[email protected] not found in Kerberos database)
The software I'm using is:
* Debian stretch
* MIT Kerberos 1.15-1
* slapd 2.4.44+dfsg-3
* libsasl2-modules-gssapi-mit 2.1.27~101-g0780600+dfsg-3
The usual way to get slapd to use a Kerberos principal to authenticate
to a provider is by telling it where the Kerberos key table file is.
On Debian systems, slapd looks in a default location first
(/etc/krb5.keytab), but an alternate keytab can be set in
/etc/default/slapd with e.g.:
export KRB5_KTNAME=/etc/ldap/krb5-ldap.keytab
Just ensure that the openldap group can read the keytab file. This
works on Debian wheezy with slapd 2.4.31-2+deb7u2, but for some reason
it's not working at all on Debian stretch.
Other things I have checked are:
* /etc/hostname
* hostnamectl status
* /etc/hosts (contains only '127.0.0.1 localhost' and link-local addresses)
* DNS forward and reverse lookups
So, is this a slapd problem, or maybe something to do with a
SASL/GSSAPI library, such as libsasl2-modules-gssapi-mit?
Thanks,
Jaap
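As an added illustration of the setup Jaap describes (keytab path from /etc/default/slapd, default /etc/krb5.keytab, readable by the openldap group), here is a small POSIX shell checker. It is example code written for this thread, not anything from the original post or from the slapd/Debian packages. It assumes the env-file path and group name are passed in (defaults /etc/default/slapd and openldap are assumptions), that `find` supports POSIX symbolic `-perm` modes, and that MIT Kerberos' `klist -k -t` is available for the optional principal listing.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks for the
# keytab configuration described above.

# Print the keytab slapd will use: the last KRB5_KTNAME assignment in an
# env file such as /etc/default/slapd, else the MIT default /etc/krb5.keytab.
slapd_keytab_path() {
    envfile=$1
    path=$(sed -E -n 's/^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=//p' \
               "$envfile" 2>/dev/null | tail -n 1 | tr -d "\"'")
    if [ -n "$path" ]; then
        printf '%s\n' "$path"
    else
        printf '%s\n' /etc/krb5.keytab
    fi
}

# Return 0 when an octal mode string such as 640 or 0640 grants group read.
mode_group_readable() {
    mode=$1
    rest=${mode%?}                   # drop the 'other' digit
    group_digit=${rest#"${rest%?}"}  # last remaining digit is the group digit
    case $group_digit in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check that FILE is readable by members of GROUP without being readable
# by everyone. Returns 0 = ok, 1 = not readable by GROUP, 2 = world-readable.
keytab_readable_by_group() {
    file=$1
    group=$2
    [ -f "$file" ] || { printf 'keytab missing: %s\n' "$file"; return 1; }
    # A keytab holds long-term keys; the 'other' read bit is a finding.
    if [ -n "$(find "$file" -perm -o+r 2>/dev/null)" ]; then
        printf 'WARNING: %s is world-readable; use mode 640 root:%s\n' "$file" "$group"
        return 2
    fi
    if [ -n "$(find "$file" -group "$group" -perm -g+r 2>/dev/null)" ]; then
        printf 'ok: %s readable by group %s\n' "$file" "$group"
        return 0
    fi
    printf 'NOT readable by group %s: %s\n' "$group" "$file"
    return 1
}

# Build the principal name the consumer should present: ldap/<fqdn>@REALM.
# REALM is supplied by the caller (the realm in the thread is masked).
expected_ldap_principal() {
    realm=$1
    printf 'ldap/%s@%s\n' "$(hostname -f)" "$realm"
}

# Optional: list the keytab's entries with MIT klist so you can compare
# them against expected_ldap_principal. Not run by the test harness.
list_keytab_entries() {
    klist -k -t "$1"
}

# Usage: sh check-keytab.sh --check [ENVFILE] [GROUP] [REALM]
if [ "${1:-}" = "--check" ]; then
    envfile=${2:-/etc/default/slapd}   # assumed Debian env file
    group=${3:-openldap}               # assumed slapd group
    kt=$(slapd_keytab_path "$envfile")
    printf 'keytab in use: %s\n' "$kt"
    keytab_readable_by_group "$kt" "$group"
    if [ -n "${4:-}" ]; then
        printf 'expected principal: %s\n' "$(expected_ldap_principal "$4")"
        list_keytab_entries "$kt"
    fi
fi
```

Running it with `--check` on the consumer reports which keytab slapd will open and whether the openldap group can read it, and with a realm argument also shows the `ldap/<fqdn>@REALM` name the keytab must contain; a mismatch there, or an unreadable file, is what typically leaves the client falling back to a principal the KDC does not know.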