Hi There,

I have an openldap master (hosted by server) and an openldap replica
(hosted by replica). Authentication use SASL/GSSAPI with kerberos.

On the master i get the following output :
server:~ admin$ kinit root
Please enter the password for ***@SERVER.LAN:
server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific )
error (80)


On the replica all looks fine :
replica:~ admin$ kinit root
Please enter the password for ***@SERVER.LAN:
server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
SASL/GSSAPI authentication started
SASL username: ***@SERVER.LAN
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=mounts,dc=server,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
etc ...

I saw some thread on mailing list that say to take care of owner, groups
and permissions of files krb5.keytab and database. All looks good in
this side.

Any other areas to check ?

Regards,
Here a test. I didn't receive my own mail.

This mail was it received by the list ?

-------- Original Message --------
Subject: ldap_sasl_interactive_bind_s: Other (e.g., implementation
specific ) error (80)
Date: Tue, 05 Jul 2011 17:52:54 +0200
From: Fabien COMBERNOUS <***@kezia.com>
To: openldap-***@openldap.org



Hi There,

I have an openldap master (hosted by server) and an openldap replica
(hosted by replica). Authentication use SASL/GSSAPI with kerberos.

On the master i get the following output :
server:~ admin$ kinit root
Please enter the password for ***@SERVER.LAN:
server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific )
error (80)


On the replica all looks fine :
replica:~ admin$ kinit root
Please enter the password for ***@SERVER.LAN:
server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
SASL/GSSAPI authentication started
SASL username: ***@SERVER.LAN
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base<cn=mounts,dc=server,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
etc ...

I saw some thread on mailing list that say to take care of owner, groups
and permissions of files krb5.keytab and database. All looks good in
this side.

Any other areas to check ?

Regards,
What does your /etc/ldap.conf and ~/.ldaprc look like?

You might try adding a '-d -1' to your ldapsearch command for additional
debugging information.

What does you credentials cache look like after running the ldapsearch? Did
you receive an ldap service ticket for the replica server? Are you sure
you're referencing the replica by name, and not by IP address in your
ldap.conf?

Do you see any additional errors in your local auth-facility syslog file?
Do you see anything relevant in the syslog of your Kerberos server?
Hi there,

Thank you Dan to provide help.
With the debug i get the following message

res_errno: 80, res_error: <SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Key
table entry not found)>, res_matched: <>

(Remark : As information i provide the entire debug at the end of this
message)

Because of the message "keytable entry not found", i tried to use kadmin
and check if principle with root exists. But by using kadmin i get now
this message :

server:~ admin$ kadmin -p ***@SERVER.LAN
Couldn't open log file /var/log/krb5kdc/kadmin.log: Permission denied
Authenticating as principal ***@SERVER.LAN with password.
Password for ***@SERVER.LAN:
kadmin: Communication failure with server while initializing kadmin interface
server:~ admin$

I check the logfile owner, group owner, and permission. Then i compared with one other kerberos server. Permission and owner was different. I set permission identically. But nothing was changed.

With kadmin.local i checked and ***@SERVER.LAN exists in the list.

So it looks more a kerberos issues than a ldap one.


Regards,


PS :
server:~ admin$ kinit root
Please enter the password for ***@SERVER.LAN:
server:~ admin$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: ***@SERVER.LAN

Valid Starting Expires Service Principal
07/07/11 17:50:19 07/08/11 03:50:09 krbtgt/***@SERVER.LAN
renew until 07/14/11 17:50:19


server:~ admin$ ldapsearch -d 1 -b cn=mounts,dc=server,dc=lan
ldap_create
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 3
ldap_result ld 0x100117f70 msgid 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
wait4msg ld 0x100117f70 msgid 1 (infinite timeout)
wait4msg continue ld 0x100117f70 msgid 1 all 1
** ld 0x100117f70 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jul 7 17:51:40 2011


** ld 0x100117f70 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
Empty
ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 56 contents:
read1msg: ld 0x100117f70 msgid 1 message type search-entry
wait4msg continue ld 0x100117f70 msgid 1 all 1
** ld 0x100117f70 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jul 7 17:51:40 2011


** ld 0x100117f70 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
* msgid 1, type 100
ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x100117f70 msgid 1 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x100117f70 0 new referrals
read1msg: mark request completed, ld 0x100117f70 msgid 1
request done: ld 0x100117f70 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
adding response ld 0x100117f70 msgid 1 type 101:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind_s: server supports: CRAM-MD5 GSSAPI
ldap_int_sasl_bind: CRAM-MD5 GSSAPI
ldap_int_sasl_open: host=server.lan
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 703 bytes to sd 3
ldap_result ld 0x100117f70 msgid 2
ldap_chkResponseList ld 0x100117f70 msgid 2 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
wait4msg ld 0x100117f70 msgid 2 (infinite timeout)
wait4msg continue ld 0x100117f70 msgid 2 all 1
** ld 0x100117f70 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jul 7 17:51:40 2011


** ld 0x100117f70 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
Empty
ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 2 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
read1msg: ld 0x100117f70 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x100117f70 0 new referrals
read1msg: mark request completed, ld 0x100117f70 msgid 2
request done: ld 0x100117f70 msgid 2
res_errno: 80, res_error: <SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Key
table entry not found)>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
error (80)
server:~ admin$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: ***@SERVER.LAN

Valid Starting Expires Service Principal
07/07/11 17:50:19 07/08/11 03:50:09 krbtgt/***@SERVER.LAN
renew until 07/14/11 17:50:19

07/07/11 17:51:40 07/08/11 03:50:09 ldap/***@SERVER.LAN
renew until 07/14/11 17:50:19