[Freeipa-devel] GSSAPI/krb5 troubles after dirsrv restart

Rob Crittenden rcritten at redhat.com
Thu Oct 9 14:04:09 UTC 2008


Thomas Sailer wrote:
> After restarting dirsrv, I'm getting the following:
> # ldapsearch -Y GSSAPI -b "dc=xxxxx,dc=com"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information
> (Permission denied)
> 
> Needless to say, the ipa-* command line tools and the webgui ceased to
> work.
> 
> The dirsrv log shows the following:
> [09/Oct/2008:15:46:19 +0200] conn=26 fd=72 slot=72 connection from 127.0.0.1 to 127.0.0.1
> [09/Oct/2008:15:46:19 +0200] conn=26 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [09/Oct/2008:15:46:19 +0200] conn=26 op=0 RESULT err=49 tag=97 nentries=0 etime=0
> [09/Oct/2008:15:46:19 +0200] conn=26 op=-1 fd=72 closed - B1
> 
> 
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at XXXXX.COM
> 
> Valid starting     Expires            Service principal
> 10/09/08 15:00:06  10/11/08 15:00:03  krbtgt/XXXXX.COM at XXXXX.COM
> 10/09/08 15:00:12  10/11/08 15:00:03  HTTP/xxx.xxxxx.com at XXXXX.COM
> 10/09/08 15:08:44  10/11/08 15:00:03  ldap/xxx.xxxxx.com at XXXXX.COM
> 
> After an attempt at downgrading to the last known to work packages:
> # rpm -qa 'fedora-ds*'
> fedora-ds-dsgw-1.1.1-1.fc8
> fedora-ds-admin-1.1.5-1.fc8
> fedora-ds-base-1.1.1-1.fc8
> fedora-ds-base-devel-1.1.1-1.fc8
> fedora-ds-console-1.1.1-3.fc8
> fedora-ds-1.1.1-2.fc8
> fedora-ds-admin-console-1.1.1-3.fc8
> 
> However, it didn't work with the current up-to-date fc8 packages either.
> 
> Does anyone have any idea what went wrong, or how to better locate the
> culprit?

Check the owner and/or permissions of /etc/dirsrv/ds.keytab.

It should be owned by the user that FDS runs as and be mode 0600. Mine 
looks like:

-rw------- 1 dirsrv dirsrv 436 2008-09-17 23:03 /etc/dirsrv/ds.keytab

rob
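
Added example, not part of the original message: a small shell function that performs the owner and mode check described in the reply above. The function name `check_keytab` is hypothetical, GNU `stat` is assumed, and the `dirsrv` default user is taken from the listing in the reply.

```shell
#!/bin/sh
# Added example: audit a keytab's owner and mode (GNU coreutils stat assumed).
# check_keytab PATH USER
#   USER may be a user name or a numeric uid.
#   Returns 0 if the file is owned by USER and is mode 600,
#   1 if owner or mode is wrong, 2 if the file does not exist.
check_keytab() {
    keytab=$1
    want_user=$2
    rc=0

    if [ ! -e "$keytab" ]; then
        echo "MISSING: $keytab"
        return 2
    fi

    owner=$(stat -c '%U' "$keytab")      # owner name
    owner_uid=$(stat -c '%u' "$keytab")  # owner numeric uid
    mode=$(stat -c '%a' "$keytab")       # octal permission bits, e.g. 600

    if [ "$want_user" != "$owner" ] && [ "$want_user" != "$owner_uid" ]; then
        echo "OWNER: $keytab is owned by $owner (uid $owner_uid), expected $want_user"
        rc=1
    fi

    # Anything other than 600 means either the service user cannot read the
    # key material or other accounts can.
    if [ "$mode" != "600" ]; then
        echo "MODE: $keytab is mode $mode, expected 600"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $keytab ($owner, $mode)"
    fi
    return "$rc"
}

# Run as a script: ./check_keytab.sh /etc/dirsrv/ds.keytab [user]
if [ "$#" -ge 1 ]; then
    check_keytab "$1" "${2:-dirsrv}"
fi
```
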