Zach Hein

Reputation: 69

OpenLDAP SASL/GSSAPI: Invalid credentials (49) SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

Trying to configure my OpenLDAP to use SASL/GSSAPI (kerberos) authentication. My KDC server is up and running and I am able to create all of my principals and SPNs, and can kinit just fine.

But when trying

    ldapsearch -LLL -Y GSSAPI -H ldap://ldap -s "base" -b "dc=example,dc=com"

It fails with:

    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

OpenLDAP is using the default keytab location, keytab contents:

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       0 04/03/24 03:14:34 ldap/[email protected]
       0 04/03/24 03:14:34 ldap/[email protected]

My ticket cache has a correct user, user1

    / # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    04/03/24 04:04:57  04/03/24 16:04:57  krbtgt/[email protected]
            renew until 04/10/24 04:04:55

What am I missing?

Upvotes: -1

Views: 757

Answers (1)

Zach Hein

Reputation: 69

SOLVED!

To get more info from the error, I restarted my OpenLDAP with debug enabled using the -d 1 flag.

    /usr/sbin/slapd -h "ldap:/// ldapi:///" -d 1

Then I attempted the ldapsearch with GSSAPI again, and this time the OpenLDAP debug output gave me the answer.

Root problem:

    SASL [conn=1000] Failure: GSSAPI Error:  Miscellaneous failure (see text) (Failed to find ldap/[email protected](kvno 1) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96))

I had ldap/[email protected] in the keytab file, but I had incorrectly set the kvno to 0, when I should have set it to 1.

After adding ldap/[email protected] to the keytab again with kvno 1, my GSSAPI auth worked as expected!

    / # ldapsearch -LLL -Y GSSAPI -H ldap://ldap -s "base" -b "dc=example,dc=com"
    SASL/GSSAPI authentication started
    SASL username: [email protected]
    SASL SSF: 56
    SASL data security layer installed.
    dn: dc=example,dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: exmaple.com
    dc: example

Upvotes: 1
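The mismatch above (a keytab entry written with kvno 0 while the KDC hands out tickets for kvno 1) can be checked by reading the keytab directly rather than guessing from the error. The following is an added example, not code from the original post: a minimal reader for the MIT keytab file format (version 0x0502) plus a builder used only to construct a sample keytab inline. The host name ldap.example.com, the realm EXAMPLE.COM and the dummy key bytes are assumptions; the page's own principal names are not shown.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _counted(data: bytes) -> bytes:
    """MIT counted_octet_string: 16-bit big-endian length followed by bytes."""
    return struct.pack(">H", len(data)) + data

def build_keytab(entries):
    """Construct a version-0x0502 keytab from (principal, kvno, enctype, key) tuples.
    Sample only: the key bytes are dummies, not real Kerberos keys."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp=0, 8-bit vno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)            # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob: bytes):
    """Return [{'principal', 'kvno', 'enctype'}] for every live entry in the keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    pos, entries = 2, []
    def take(n):
        nonlocal pos
        val = blob[pos:pos + n]; pos += n; return val
    def counted():
        return take(struct.unpack(">H", take(2))[0])
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", take(4))
        if size < 0:                               # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", take(2))
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", take(9))
        (enctype,) = struct.unpack(">H", take(2))
        counted()                                  # key material, not needed here
        kvno = vno8
        if end - pos >= 4:                         # 32-bit vno wins when present and non-zero
            (vno32,) = struct.unpack(">I", take(4))
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return entries

def has_key(entries, principal, kvno, enctype):
    """True when the keytab holds the exact principal/kvno/enctype the KDC asked for."""
    return any(e["principal"] == principal and e["kvno"] == kvno
               and e["enctype"] == enctype for e in entries)

# Constructed sample reproducing the bug: entry present, but at kvno 0 (enctype 18 = aes256-cts-hmac-sha1-96)
LDAP_SPN = "ldap/ldap.example.com@EXAMPLE.COM"      # assumed host name
BROKEN_KEYTAB = build_keytab([(LDAP_SPN, 0, 18, b"\x11" * 32)])
FIXED_KEYTAB = build_keytab([(LDAP_SPN, 1, 18, b"\x11" * 32)])
```

Comparing `has_key(parse_keytab(open('/etc/krb5.keytab','rb').read()), spn, kvno, enctype)` against the kvno and enctype named in the slapd debug line tells you immediately whether the keytab, not the KDC, is the side that needs fixing.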
