On Mon, Apr 01, 2024 at 03:09:12PM +0200, Stefan Kania wrote:
> I normally use Debian for OpenLDAP and Kerberos, but now I have to use
> AlmaLinux 9. When I create a Ticket with kinit I'm getting:
> ---------
> u1-prod@ldapserver1 ~]$ kinit
> Password for [email protected]:
> [u1-prod@ldapserver1 ~]$ klist
> Ticket cache: KCM:10001
> Default principal: [email protected]
> ---------
>
> So the ticket cache is the KCM-daemon and not FILE: like in Debian. When I
> do an ldapsearch or an ldapwhoami I'm getting
> -----------
> [u1-prod@ldapserver1 ~]$ ldapwhoami
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (see text) (get-principal lstat(/tmp/krb5cc_10001))
> -----------
>
> All the ldap-commands are looking for the credential cache in FILE: and not
> in KCM:
>
> I'm using OpenLDAP 2.6 from the repositories.
>
> Is there a way that the ldap-commands are using KCM:?

Hi Stefan,
I assume libsasl2 is linked to heimdal, which doesn't (yet?) support KCM?
And on Debian you might have been using heimdal as your libkrb5, so no
KCM cache used.

I think until then you need to switch to FILE based credential cache in
your config or rebuild libsasl2 against MIT Kerberos to get access to
it.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
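
One way to check the assumption made in the reply above (an added example, not part of the original thread and not Symas or OpenLDAP code): classify which Kerberos implementation the SASL GSSAPI plugin is linked against and compare it with the cache type klist reports. The function names, the soname patterns used to tell MIT from Heimdal, and the plugin path in the comment are assumptions.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; nothing here is from the thread's authors.

# Classify the Kerberos implementation from `ldd` output read on stdin.
# Assumed sonames: MIT ships libgssapi_krb5.so.*, Heimdal ships libgssapi.so.*,
# libheimbase.so.* and libhx509.so.*.
krb_impl_from_ldd() {
    awk '
        /libgssapi_krb5\.so/                         { mit = 1 }
        /libgssapi\.so|libheimbase\.so|libhx509\.so/ { heimdal = 1 }
        END {
            if (mit && heimdal) print "mixed"
            else if (mit)       print "mit"
            else if (heimdal)   print "heimdal"
            else                print "unknown"
        }'
}

# Extract the cache name from klist output on stdin (format as shown in the thread).
cache_from_klist() {
    sed -n 's/^Ticket cache: *//p' | head -n 1
}

# Cache type prefix; a name without a prefix is treated as FILE.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Verdict under the reply's assumption that only an MIT-linked plugin can read KCM.
verdict() {  # $1 = implementation, $2 = cache name
    if [ "$(ccache_type "$2")" = "KCM" ] && [ "$1" != "mit" ]; then
        echo "mismatch: plugin is $1, cache is KCM; set KRB5CCNAME=FILE:/tmp/krb5cc_$(id -u) and run kinit again"
    else
        echo "ok: plugin is $1, cache type is $(ccache_type "$2")"
    fi
}

# Live check. $1 is the path of the SASL GSSAPI plugin on this host
# (assumption: something like /usr/lib64/sasl2/libgssapiv2.so).
check_host() {
    verdict "$(ldd "$1" | krb_impl_from_ldd)" "$(klist 2>/dev/null | cache_from_klist)"
}
```

Run `check_host` with the plugin path as the user who ran kinit; a "mismatch" line points at the FILE cache workaround suggested in the reply.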
