Gssapi Error No Credentials
Source: http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml

I have documented here, not a step by step guide, but a list of the issues I have faced configuring Kerberos to work with LDAP when things don't go the way the HOWTOs say they should. Hopefully each issue will be accompanied by a solution.

ktadd hangs

When using Kerberos with various server/service principals it is inevitable that you will need to add some of these to /etc/krb5.keytab or some other keytab file. At times I found that after logging in to kadmin.local and typing ktadd host/myserver.example.com nothing happened. The command just hung. I solved this by:

    [root]# cp /etc/krb5.keytab /etc/krb5.keytab.old
    [root]# rm /etc/krb5.keytab
    [root]# mv /etc/krb5.keytab.old /etc/krb5.keytab
    [root]# kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    kadmin.local: ktadd host/myserver.example.com
    Entry for principal host/myserver.example.com with kvno 11, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/myserver.example.com with kvno 11, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/myserver.example.com with kvno 11, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/myserver.example.com with kvno 11, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.

Maybe some file locking issue?

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Doing an LDAP search with a SASL bind, e.g.

    [lance]% ldapsearch -LLL -b 'dc=example,dc=com' '(givenname=lance)' cn
    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
            additional info: SASL(-4): no mechanism available: No worthy mechs found

In this instance the cyrus-sasl-gssapi package was not installed.

    [root]# yum install cyrus-sasl-gssapi
    [lance]% ldapsearch -LLL -b 'dc=example,dc=com' '(givenname=lance)' cn
    SASL/GSSAPI authentication started
    SASL username: l.rathbone@EXAMPLE.COM
    SASL SSF: 56
    SASL inst
Source: https://discussions.apple.com/thread/6619821?start=0&tstart=0

Q: Yosemite Server Mail GSSAPI Error
Posted by oddballChap, Level 1 (0 points), on Oct 22, 2014 5:19 AM

Since upgrading client machines to Yosemite, connecting to mac mini server running Yosemite (server v4), I'm seeing this error in the client main log file:

    22/10/2014 12:43:56.579 Mail[7452]: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))
    22/10/2014 12:43:56.579 Mail[7452]: Failed to start the SASL connection
    SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))

Has anyone else seen this or have any thoughts as to how to proceed? Thanks a lot for any pointers in the right direction. (PS: mail is being sent and received)

Mac mini, OS X Yosemite (10.10)

Reply by Alan Schinazi, Level 1 (10 points), Oct 28, 2014 11:13 PM, in response to oddballChap:

I'm seeing the same thing. You'll find some information here: http://blog.smalleycreative.com/administration/fixing-openldap-authentication-on-os-x-lion/

One thing I've noticed is the users configured on the server v4, that came along in the upgrade to 10.10, behave like imported contacts. I can't reset their passwords, for example. So my next step is to create a new user on the server and check to see if the error under discussion occurs. If not, I guess we'll have to rebuild our OpenDirectory database, which sounds like a drag.

Reply by dboals, Level 1 (0 points), Oct 31, 2014 9:46 AM, in response to Alan Schinazi:

Alan, one thing I have noticed: you cannot change the users' passwords for OD users through the Server v4 interface unless you use the filter at the top and select "Local Network Users"; then you will be able to change passwords. This is an odd behavior that caused me to rebuild more than a couple of times. Also, once "Local Network Users" is selected, you may need to unlock the lock at the bottom of that screen that appears with the diradmin password.

Dan
Source: http://serverfault.com/questions/279196/freebsd-openldap-sasl-and-gssapi

FreeBSD: OpenLDAP, SASL, and GSSAPI

I've run into some problems getting OpenLDAP on FreeBSD (8.2-STABLE) to authenticate using Kerberos tickets. I hope I've just had a brain glitch, so please feel free to let me know that I've missed something obvious. Here's where things are:

- Kerberos works just fine. I can acquire credentials using kinit, and I can use these credentials for authentication (for example, for ssh or telnet login).
- OpenLDAP is installed and works with basic authentication.
- slapd is clearly linked against the SASL libraries; ldd .../slapd reports:

      libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x800d07000)

- There exists /usr/local/lib/sasl2/slapd.conf with the following contents:

      mech_list: GSSAPI

- slapd reports that it supports GSSAPI authentication:

      $ ldapsearch -x -b '' -s base supportedSASLMechanisms
      dn:
      supportedSASLMechanisms: GSSAPI

- There exists /etc/krb5.keytab with keys for host/
Source: http://www.openldap.org/lists/openldap-software/200403/msg00639.html

Date: Thu, 18 Mar 2004 08:42:41 +0000
Cc: openldap-software@OpenLDAP.org
References: <40590160.20204@cshl.edu>
User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.1) Gecko/20020827

Vsevolod (Simon) Ilyushchenko wrote:

> Hi,
>
> I am trying to get ldapsearch to work over TLS. I tried to use TLS_REQCERT never in /etc/ldap.conf to circumvent the problem of self-signed certificate, but then I get this (ldapsearch -d 9 -Z):
>
> ber_scanf fmt ([v]) ber:
> ldap_msgfree
> ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5
> ldap_int_sasl_bind: GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5
> SASL/GSSAPI authentication started
> ldap_perror
> ldap_sasl_interactive_bind_s: Local error (82)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)
>
> It looks like it's trying to use Kerberos authentication, which is not available. Is there a way to force ldapsearch to use TLS authentication?
>
> Thanks,
> Simon
>
> P.S. I know that the right way to do it is to sign certificates properly, but I'd like to figure out what happens with TLS_REQCERT never.

Use the -x option with ldapsearch - no SASL
Use the -ZZ option to force TLS.

This should all work with self-signed certs.

Note the gotcha: ldapsearch (and other openldap *clients*) make use of /etc/openldap/ldap.conf by default. /etc/ldap.conf is used by the PADL libraries.

Dave
--
Dave Lewney
Principal Systems Programmer, IT Services
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956

References: Problem with ldapsearch and TLS, from "Vsevolod (Simon) Ilyushchenko"
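The four sources above each hit a different SASL/GSSAPI bind failure with a different fix: "No worthy mechs found" because the client's GSSAPI SASL plugin was missing, "No credentials cache found" because the client had no Kerberos ticket (or, as in the mailing-list case, never meant to use SASL and should bind with -x), and "Local error" as the generic wrapper around either. The following POSIX shell function, added here as an example and not taken from any of the quoted sources, turns those diagnostic lines into a classification a helpdesk or triage script can act on. The label names, the constructed sample log, and the remedy given for "Server not found in Kerberos database" (a service principal the KDC does not know, which is general Kerberos knowledge rather than something the page states) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from any of the sources quoted on this page.
# Classifies the SASL/GSSAPI bind diagnostics shown above into the causes
# and fixes those sources report. Label names, the constructed sample log,
# and the NO_SERVICE_PRINCIPAL remedy are this example's own additions.

# Reads diagnostic lines on stdin (e.g. 'ldapsearch ... 2>&1 | diagnose_sasl_error')
# and prints "LABEL: explanation" for each line it recognises; other lines
# (progress messages such as "SASL/GSSAPI authentication started") are ignored.
diagnose_sasl_error() {
    while IFS= read -r line; do
        case "$line" in
            *"No worthy mechs found"*|*"Unknown authentication method (-6)"*)
                echo "NO_MECH: client has no usable SASL mechanism; install the GSSAPI plugin (cyrus-sasl-gssapi) or bind with -x (simple bind, no SASL)"
                ;;
            *"No credentials cache found"*|*"No credentials cache file found"*)
                echo "NO_CCACHE: no Kerberos ticket in the credentials cache; run kinit first, or use -x if SASL/GSSAPI was not intended"
                ;;
            *"Server not found in Kerberos database"*)
                echo "NO_SERVICE_PRINCIPAL: the KDC has no principal for the service being contacted; check the ldap/ or host/ principal and the server's keytab"
                ;;
            *"Local error (-2)"*|*"Local error (82)"*)
                echo "LOCAL_ERROR: SASL negotiation failed on the client side; the GSSAPI cause is in the 'additional info' line that follows"
                ;;
        esac
    done
}

# Constructed sample: the diagnostic lines quoted by the sources above,
# in the order they would arrive from 'ldapsearch ... 2>&1'.
SAMPLE_LOG='SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)'

# Run the classifier over the constructed sample (prints four classified lines).
printf '%s\n' "$SAMPLE_LOG" | diagnose_sasl_error
```

The classifier deliberately keys on the exact message fragments the OpenLDAP and Cyrus SASL clients emit, so it can be dropped into a wrapper that runs the user's ldapsearch and explains the failure instead of leaving them to search for "minor code may provide more information". On real output, feed it `ldapsearch ... 2>&1` rather than the constructed sample.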