[Freeipa-devel] GSSAPI/krb5 troubles after dirsrv restart

Thomas Sailer t.sailer at alumni.ethz.ch
Thu Oct 9 13:54:12 UTC 2008


After restarting dirsrv, I'm getting the following:
# ldapsearch -Y GSSAPI -b "dc=xxxxx,dc=com"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information
(Permission denied)

Needless to say, the ipa-* command line tools and the webgui ceased to
work.

The dirsrv log shows the following:
[09/Oct/2008:15:46:19 +0200] conn=26 fd=72 slot=72 connection from 127.0.0.1 to 127.0.0.1
[09/Oct/2008:15:46:19 +0200] conn=26 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Oct/2008:15:46:19 +0200] conn=26 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[09/Oct/2008:15:46:19 +0200] conn=26 op=-1 fd=72 closed - B1


# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at XXXXX.COM

Valid starting     Expires            Service principal
10/09/08 15:00:06  10/11/08 15:00:03  krbtgt/XXXXX.COM at XXXXX.COM
10/09/08 15:00:12  10/11/08 15:00:03  HTTP/xxx.xxxxx.com at XXXXX.COM
10/09/08 15:08:44  10/11/08 15:00:03  ldap/xxx.xxxxx.com at XXXXX.COM

After an attempt at downgrading to the last known to work packages:
# rpm -qa 'fedora-ds*'
fedora-ds-dsgw-1.1.1-1.fc8
fedora-ds-admin-1.1.5-1.fc8
fedora-ds-base-1.1.1-1.fc8
fedora-ds-base-devel-1.1.1-1.fc8
fedora-ds-console-1.1.1-3.fc8
fedora-ds-1.1.1-2.fc8
fedora-ds-admin-console-1.1.1-3.fc8

However, it didn't work with the current up-to-date fc8 packages either.

Does anyone have any idea what went wrong, or how to better locate the
culprit?

Thanks,
Tom
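
One way to narrow down failures like the one in the dirsrv log excerpt above, as an added example that is not part of the original post or of the FreeIPA / Fedora DS code: it pairs each SASL BIND line with its RESULT line by conn/op and lists the binds that ended in an error. The function name `failed_sasl_binds` is hypothetical, the conn=27 lines are constructed sample input, and err=14 is treated as the normal intermediate step of a multi-step SASL bind.

```python
import re

# Lines for conn=26 are the ones quoted in the post; conn=27 is constructed
# here to show a GSSAPI bind that succeeds after an intermediate step.
SAMPLE_LOG = """\
[09/Oct/2008:15:46:19 +0200] conn=26 fd=72 slot=72 connection from 127.0.0.1 to 127.0.0.1
[09/Oct/2008:15:46:19 +0200] conn=26 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Oct/2008:15:46:19 +0200] conn=26 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[09/Oct/2008:15:46:19 +0200] conn=26 op=-1 fd=72 closed - B1
[09/Oct/2008:15:47:02 +0200] conn=27 fd=73 slot=73 connection from 127.0.0.1 to 127.0.0.1
[09/Oct/2008:15:47:02 +0200] conn=27 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Oct/2008:15:47:02 +0200] conn=27 op=0 RESULT err=14 tag=97 nentries=0 etime=0
[09/Oct/2008:15:47:02 +0200] conn=27 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Oct/2008:15:47:02 +0200] conn=27 op=1 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$")
CLIENT = re.compile(r"connection from (\S+) to ")
ERR = re.compile(r"\berr=(\d+)")
SASL_BIND_IN_PROGRESS = 14  # LDAP result code for a multi-step SASL bind


def failed_sasl_binds(log_text, mech="GSSAPI"):
    """Return one record per SASL bind using `mech` that ended in an error."""
    clients, pending, failures = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        opened = CLIENT.search(rest)
        if op is None and opened:
            clients[conn] = opened.group(1)          # remember the peer address
        elif rest.startswith("BIND ") and f"mech={mech}" in rest.split():
            pending[(conn, op)] = m["ts"]            # wait for the matching RESULT
        elif rest.startswith("RESULT ") and (conn, op) in pending:
            ts, err = pending.pop((conn, op)), ERR.search(rest)
            code = int(err.group(1)) if err else -1
            if code not in (0, SASL_BIND_IN_PROGRESS):
                failures.append({"time": ts, "conn": int(conn), "op": int(op),
                                 "client": clients.get(conn, "?"), "err": code})
    return failures


if __name__ == "__main__":
    for f in failed_sasl_binds(SAMPLE_LOG):
        print(f)
```
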




