On Thu, 14 May 2020 13:22:28 -0400,
Braiam <[email protected]> wrote:

Sorry for hijacking this thread.
> Hi,
> 
> I'm trying to get slapd to use heimdal kerberos to provide
> a single authentication backend for my network. I've followed
> the Administrator's Guide on SASL[1] and cyrus faq entry
> about connecting OpenLDAP with GSSAPI[2]. I'm stuck
> at the what I believe is a misunderstanding from my part.
[...]

Out of curiosity, and facing similar problems, I have just set up a
playground mostly based on Raspbian, but additionally OpenIndiana and
OpenSUSE.
The environment:
Packages:
opensuse: openldap2.2-2.4.50-52.1.x86_64
          cyrus-sasl-2.1.27-3.2.x86_64

raspian:  slapd/stable,now 2.4.47
          libsasl2-modules-gssapi-heimdal/stable 2.1.27
          libsasl2-modules-gssapi-mit/stable,now 2.1.27

openindiana: slapd-2.4.48
             security/[email protected]
             kernel GSSAPI V2

slapd on opensuse
indiana:~$ /usr/lib/openldap/bin/amd64/ldapwhoami -Ygssapi -H ldap://pink.fritz.box
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

raspian:~ $ ldapwhoami -Ygssapi -Hldap://pink.fritz.box
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

slapd on openindiana
pink➜ ᐅ  ldapwhoami -Ygssapi -H ldap://indiana.fritz.box
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
dn:[email protected],cn=gssapi,cn=auth

slapd on Raspbian
pink➜ ᐅ  ldapwhoami -Ygssapi -H ldap://raspi3.fritz.box
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

indiana:~$ /usr/lib/openldap/bin/amd64/ldapwhoami -Ygssapi -H ldap://raspi3.fritz.box
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

KDC is MIT-KRB5

The slapd configuration is identical on all hosts;
krb5.keytab is individually set up for all hosts, and each host has the
appropriate keys.

Where applicable, an individual ldap.keytab path is configured in
sasl2/slapd.conf;
these ldap.keytabs are readable by slapd and owned by the slapd user and
group.

 ldap/[email protected]
 ldap/[email protected]
 ldap/[email protected]

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
