I have got problems with GSSAPI authentication to OpenLDAP:

ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)

There were at least two discussions, multiple bug reports, and patches about broken GSSAPI on FreeBSD 8, the longest (I found) starting here:
http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html

After reading through these discussions, I do not know what the proper fix is -- I would like to change as little as possible introducing SASL authentication to a (production) OpenLDAP server.

I have got: an i386 Kerberos server, an LDAP server in a jail on i386, some amd64 clients -- all running 8.1-RELEASE. Eventually there need to be some Debian/Ubuntu clients using GSSAPI/SASL, too.

What do I need to "fix"? Just the LDAP server? Is it enough to change the jail or does the host need to be patched, too? Or do I need to fix the client, too? The Kerberos server?

From the discussion, multiple fixes were possible: patching libgssapi and reinstalling everything depending on it (what?), installing the heimdal-1.0 port (while FreeBSD 8 comes with heimdal-1.1), installing an unofficial heimdal-1.2 port, ...

Is that correct? Anything new after the discussion in July?

From the discussion, some patches should already be in 8-STABLE, but I could not find the revision (after 8.1-RELEASE).

If I upgraded the LDAP jail to 8-STABLE, I guess the host needs to be updated, too. Hence I would prefer to just change ports or update single libraries.

Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the libgssapi patch? With the heimdal-1.2 port?

Thanks,
Jan Henrik
On 01.09.2010 18:33, Jan Henrik Sylvester wrote:
> I have got problems with GSSAPI authentication to OpenLDAP:
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> error (80)
> additional info: SASL(-1): generic failure: GSSAPI Error: No
> credentials were supplied, or the credentials were unavailable or
> inaccessible. (unknown mech-code 0 for mech unknown)

Did you run kinit to obtain tickets? You didn't mention that.
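A pre-flight check for the situation raised in the reply above, added here as an example and not part of the thread or of OpenLDAP/Heimdal: before attempting a GSSAPI bind, confirm that the credential cache the GSSAPI library will actually read exists and still holds a valid TGT. The "No credentials were supplied" text is exactly what the client reports when no usable ticket cache is found, and a common reason is that kinit populated one cache while the bind runs as a different uid (sudo, a daemon user, or a jail with its own /tmp) and therefore looks at another. The script name used in the guard and the fallback LDAP URI are placeholders; it assumes a FILE: credential cache (the Heimdal default) and, for other cache types, relies on klist -s alone.

```shell
#!/bin/sh
# gssapi_preflight.sh: check Kerberos credentials before an OpenLDAP GSSAPI bind.
# Added example for this thread; not code from the list, OpenLDAP or Heimdal.
#
# Return codes of gssapi_preflight:
#   0  credential cache present (and, if klist is installed, holds valid tickets)
#   2  no FILE: credential cache at the resolved path (run kinit first)
#   3  cache present but klist -s finds no valid tickets (expired; run kinit)

# Path of the FILE: credential cache GSSAPI will use: $KRB5CCNAME with an
# optional "FILE:" prefix stripped, else the per-uid default /tmp/krb5cc_<uid>.
# Prints an empty line for non-FILE cache types (KCM:, API:, ...) we cannot stat.
ccache_path() {
    case "${KRB5CCNAME:-}" in
        "")      printf '/tmp/krb5cc_%s\n' "$(id -u)" ;;
        FILE:*)  printf '%s\n' "${KRB5CCNAME#FILE:}" ;;
        /*)      printf '%s\n' "$KRB5CCNAME" ;;
        *)       printf '\n' ;;
    esac
}

gssapi_preflight() {
    cc=$(ccache_path)
    if [ -n "$cc" ] && [ ! -r "$cc" ]; then
        echo "no Kerberos credential cache at $cc (uid $(id -u)); run kinit first" >&2
        return 2
    fi
    # klist -s (Heimdal and MIT) is silent and exits 0 only if the cache holds
    # unexpired tickets. Skipped when klist is not installed.
    if command -v klist >/dev/null 2>&1 && ! klist -s 2>/dev/null; then
        echo "credential cache ${cc:-$KRB5CCNAME} has no valid tickets; run kinit" >&2
        return 3
    fi
    return 0
}

# When invoked as a script (not sourced): run the check, then bind with GSSAPI.
# ldapwhoami prints the SASL authorization identity on success, which also
# confirms the server side (ldap/<fqdn> keytab, realm mapping) in one step.
if [ "${0##*/}" = "gssapi_preflight.sh" ]; then
    gssapi_preflight || exit $?
    exec ldapwhoami -Y GSSAPI -H "${LDAPURI:-ldap://ldap.example.org/}"
fi
```

Run it as the same user, with the same KRB5CCNAME, that the failing ldapsearch or ldap_sasl_interactive_bind_s call uses; a return code of 2 or 3 explains the SASL error without touching libgssapi at all, while a 0 followed by the same bind failure points at the library or server side instead.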
On Wed, Sep 01, 2010 at 06:33:03PM +0200, Jan Henrik Sylvester wrote:
> I have got problems with GSSAPI authentication to OpenLDAP:
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> error (80)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> No credentials were supplied, or the credentials were unavailable or
> inaccessible. (unknown mech-code 0 for mech unknown)
>
> There were at least two discussions, multiple bug reports, and
> patches about broken GSSAPI on FreeBSD 8, the longest (I found)
> starting here: http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html
>
> After reading through these discussions, I do not know what the
> proper fix is -- I would like to change as little as possible
> introducing SASL authentication to a (production) OpenLDAP server.
>
> I have got: an i386 Kerberos server, an LDAP server in a jail on
> i386, some amd64 clients -- all running 8.1-RELEASE. Eventually
> there need to be some Debian/Ubuntu clients using GSSAPI/SASL, too.
>
> What do I need to "fix"? Just the LDAP server? Is it enough to
> change the jail or does the host need to be patched, too? Or do I
> need to fix the client, too? The Kerberos server?
>
> From the discussion, multiple fixes were possible: patching
> libgssapi and reinstalling everything depending on it (what?),
> installing the heimdal-1.0 port (while FreeBSD 8 comes with
> heimdal-1.1), installing an unofficial heimdal-1.2 port, ...
>
> Is that correct? Anything new after the discussion in July?
>
> From the discussion, some patches should already be in 8-STABLE, but
> I could not find the revision (after 8.1-RELEASE).
>
> If I upgraded the LDAP jail to 8-STABLE, I guess the host needs to
> be updated, too. Hence I would prefer to just change ports or update
> single libraries.
>
> Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the
> libgssapi patch? With the heimdal-1.2 port?

Can you please try the patch I proposed and see if it improves your situation? Thanks.

http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057830.html

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
--------------------------------------------------
From: "Jan Henrik Sylvester" <me@janh.de>
Sent: Wednesday, September 01, 2010 7:33 PM
To: "stable-list freebsd" <freebsd-stable@freebsd.org>
Subject: GSSAPI (for OpenLDAP) on FreeBSD 8?

> Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the
> libgssapi patch? With the heimdal-1.2 port?

I got a running and fully functional Heimdal/GSSAPI setup with Benjamin's patch from http://www.freebsd.org/cgi/query-pr.cgi?pr=147454&cat=kern, although I didn't test it with LDAP.

Jeremy's patch, as far as I know, removes the symptom, but it doesn't fix the cause, which is completely missing Heimdal code in the base system preventing the functional operation of Heimdal.

-Reko
On 09/02/2010 13:50, Jeremy Chadwick wrote:
> On Wed, Sep 01, 2010 at 06:33:03PM +0200, Jan Henrik Sylvester wrote:
>> I have got problems with GSSAPI authentication to OpenLDAP:
>> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
>> error (80)
>> additional info: SASL(-1): generic failure: GSSAPI Error:
>> No credentials were supplied, or the credentials were unavailable or
>> inaccessible. (unknown mech-code 0 for mech unknown)
>>
>> There were at least two discussions, multiple bug reports, and
>> patches about broken GSSAPI on FreeBSD 8, the longest (I found)
>> starting here: http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html
>>
>> After reading through these discussions, I do not know what the
>> proper fix is -- I would like to change as little as possible
>> introducing SASL authentication to a (production) OpenLDAP server.
>>
>> I have got: an i386 Kerberos server, an LDAP server in a jail on
>> i386, some amd64 clients -- all running 8.1-RELEASE. Eventually
>> there need to be some Debian/Ubuntu clients using GSSAPI/SASL, too.
>>
>> What do I need to "fix"? Just the LDAP server? Is it enough to
>> change the jail or does the host need to be patched, too? Or do I
>> need to fix the client, too? The Kerberos server?
>>
>> From the discussion, multiple fixes were possible: patching
>> libgssapi and reinstalling everything depending on it (what?),
>> installing the heimdal-1.0 port (while FreeBSD 8 comes with
>> heimdal-1.1), installing an unofficial heimdal-1.2 port, ...
>>
>> Is that correct? Anything new after the discussion in July?
>>
>> From the discussion, some patches should already be in 8-STABLE, but
>> I could not find the revision (after 8.1-RELEASE).
>>
>> If I upgraded the LDAP jail to 8-STABLE, I guess the host needs to
>> be updated, too. Hence I would prefer to just change ports or update
>> single libraries.
>>
>> Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the
>> libgssapi patch? With the heimdal-1.2 port?
>
> Can you please try the patch I proposed and see if it improves your
> situation? Thanks.
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057830.html

I had already tried the gss_release_buffer patch. It fixes that crash doing the GSSAPI operation from i386 and brings i386 on par with amd64 -- to the error message I mentioned above.

I have also tried the change to /usr/bin/krb5-config before building OpenLDAP -- with no effect, either.

I have not tried the "big" libgssapi patch from kern/147454 as I was hoping to do a smaller change.

Cheers,
Jan Henrik