/etc/krb5.keytab file format for kerberos ldap setup

Kihara Muriithi william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri May 11 15:58:27 UTC 2007


Hi,
  I am trying to integrate Kerberos through SASL (GSSAPI) into OpenLDAP
and I must be doing something wrong as it's not working. I want to lay
out what I have done and hope someone will flag my mistake. The setup
is currently on Fedora 6 with all rpms - openldap, sasl, and kerberos
straight from the Fedora repos. I have checked that sasl-gssapi is
installed and openldap is compiled with gssapi ability. I am also
certain that krb5-server and clients are properly set up as the kinit
utility returns the expected output, the created principal on that
realm.

  These are the files that I have edited for sasl configuration.
/etc/sasl2/slapd.conf and in this file, this is what I inserted
pwcheck_method:saslauthd
on /etc/sysconfig/saslauthd, I added this line
MECH=kerberos5

This seems to be the only configuration I need to do for sasl. I
wonder if I could have overlooked anything.

For /etc/openldap/slapd.conf
sasl-realm      EXAMPLE.ORG
sasl-host       kerberos.example.org
rootdn          "uid=my-name,cn=example.org,cn=gssapi,cn=auth"

Now, little is in the logs
May 11 18:06:33 kerberos.example.org krb5kdc[6907](info): TGS_REQ (7
etypes {18 17 16 23 1 3 2}) 172.30.2.179: UNKNOWN_SERVER: authtime
1178894838,  my-name-eoiNrCBZWh9F7rqys1CUDA at public.gmane.org for krbtgt/COM-eoiNrCBZWh9F7rqys1CUDA at public.gmane.org, Server
not found in Kerberos database

There are pages and pages of this error log. Extensive googling seems to
imply the error may be due to a lacking or improper krb5.keytab file. I do
have one though and this is its format
[kdc]
    database = {
        realm = EXAMPLE.ORG
        dbname = ldap:dc=example,dc=org
        mkey_file = /var/heimdal/m-key
    }

 To be frank, I don't know if this is the proper format and meekly
ask if someone who has a working setup can paste it on this group.
That would clarify a lot.

Finally, when one is using Kerberos, does one need to have every user
that exists on LDAP on Kerberos as well? If only one principal is needed,
should there be a corresponding user in LDAP and does the user (on LDAP)
need a specific format?

I would be grateful for any advice or guidance one can offer from
previous experience.

Thanks
William
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
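The file the GSSAPI acceptor in slapd reads (and the file the "Server not found" hunt usually ends at) is a binary keytab, not a text configuration; the block quoted in the post is a Heimdal kdc.conf-style [kdc] database section. As an added example, not code from the post nor from MIT Kerberos, Heimdal or OpenLDAP, here is a Python builder and parser for the version 2 (header bytes 05 02, big-endian) keytab layout that `klist -kt` displays. The sample entries are constructed: the service principal ldap/kerberos.example.org@EXAMPLE.ORG is assumed from the sasl-host and sasl-realm directives in the post, kvno 3 and the filler key bytes are made up, and the timestamp reuses the authtime from the posted log line. It also shows how the legacy 8-bit kvno, the optional 32-bit kvno and deleted slots are handled, which matters when a keytab has been regenerated many times.

```python
"""Added example: build and parse a krb5 keytab (format version 0x0502).
Constructed data only; not code from the post or from MIT/Heimdal/OpenLDAP."""
import struct
import time
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # version 2 keytab: every integer is big-endian


@dataclass
class KeytabEntry:
    principal: str        # "ldap/kerberos.example.org@EXAMPLE.ORG"
    kvno: int
    enctype: int          # 18 = aes256-cts-hmac-sha1-96, 23 = arcfour-hmac
    key: bytes
    timestamp: int = 0    # when the key was added (Unix time)
    name_type: int = 1    # KRB5_NT_PRINCIPAL


def _counted(data: bytes) -> bytes:
    """uint16 length followed by the bytes (counted_octet_string)."""
    return struct.pack(">H", len(data)) + data


def _take(data: bytes, off: int):
    """Read one counted_octet_string at off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))          # v2: realm is not counted
    body += _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">II", e.name_type, e.timestamp)
    body += struct.pack(">B", e.kvno & 0xFF)      # legacy 8-bit kvno
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)             # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body    # int32 size, then body


def deleted_slot(nbytes: int) -> bytes:
    """A negative size marks a deleted entry whose |size| bytes are skipped."""
    return struct.pack(">i", -nbytes) + b"\x00" * nbytes


def build_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(data: bytes):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected header 05 02)")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                               # deleted slot
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        p = off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _take(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _take(data, p)
            comps.append(c.decode())
        name_type, ts = struct.unpack_from(">II", data, p)
        p += 8
        vno8, p = data[p], p + 1
        (enctype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _take(data, p)
        kvno = vno8
        if end - p >= 4:                           # optional 32-bit kvno
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, ts, name_type))
        off = end
    return entries


def has_key_for(entries, principal: str, enctype: int) -> bool:
    """What the GSSAPI acceptor needs: a key for this principal in this enctype."""
    return any(e.principal == principal and e.enctype == enctype for e in entries)


def klist_lines(entries):
    """Lines in the shape of `klist -kt` (UTC timestamps for determinism)."""
    return ["%4d %s %s" % (e.kvno,
                           time.strftime("%m/%d/%Y %H:%M:%S", time.gmtime(e.timestamp)),
                           e.principal) for e in entries]


# Constructed sample: the slapd host's service keys, kvno 3, timestamp reused
# from the authtime in the posted log line.  Key bytes are filler, not real keys.
SERVICE = "ldap/kerberos.example.org@EXAMPLE.ORG"
SAMPLE_ENTRIES = [
    KeytabEntry(SERVICE, 3, 18, bytes(range(32)), 1178894838),
    KeytabEntry(SERVICE, 3, 23, bytes(range(16)), 1178894838),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for line in klist_lines(parse_keytab(SAMPLE_KEYTAB)):
        print(line)
```

The check a practitioner makes against a real /etc/krb5.keytab is the one `has_key_for` encodes: the file the slapd process can read must hold a key for ldap/<fqdn>@REALM in an enctype the KDC issues, and with the kvno the KDC currently has; a keytab that only holds the host's own host/ principal, or a stale kvno after a re-extract, gives the same GSSAPI failure on the client side.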

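On the last question: only identities that bind via GSSAPI need a Kerberos principal; slapd turns the authenticated principal into a SASL authentication DN of the form uid=<user>,cn=<realm>,cn=gssapi,cn=auth (the shape of the rootdn in the post), and an authz-regexp directive in slapd.conf can rewrite that into the DN of a real entry. The following is an added example, not code from the post or from OpenLDAP: it models that two-step mapping in Python on constructed names. Assumptions: the SASL DN is shown with realm and mechanism lowercased (as in the post's rootdn) and regex matching is case-insensitive; the ou=people / ou=servers layout and the two authz-regexp rules are hypothetical.

```python
"""Added example: how a GSSAPI principal becomes slapd's SASL authentication
DN and how authz-regexp maps it to an entry DN.  Not code from the post or
from OpenLDAP; it models the documented directives on constructed names."""
import re

SASL_REALM = "EXAMPLE.ORG"   # the sasl-realm directive from the post


def sasl_auth_dn(principal: str, default_realm: str = SASL_REALM) -> str:
    """uid=<user>,cn=<realm>,cn=gssapi,cn=auth for a Kerberos principal.
    Assumption: realm and mechanism appear lowercased, as in the post's rootdn."""
    user, _, realm = principal.rpartition("@")
    if not user:                      # no '@': principal is in the default realm
        user, realm = realm, default_realm
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (user, realm.lower())


# Hypothetical authz-regexp rules, in slapd.conf order; the first match wins.
# The service rule comes first because [^,]* in the user rule would also
# swallow "ldap/kerberos.example.org".
AUTHZ_REGEXP = [
    (r"uid=ldap/([^,]*),cn=example\.org,cn=gssapi,cn=auth",
     r"cn=$1,ou=servers,dc=example,dc=org"),
    (r"uid=([^,]*),cn=example\.org,cn=gssapi,cn=auth",
     r"uid=$1,ou=people,dc=example,dc=org"),
]


def map_authz(auth_dn: str, rules=AUTHZ_REGEXP) -> str:
    """Apply the first matching authz-regexp; an unmatched DN is used as-is."""
    for pattern, repl in rules:
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)   # assumption: case-insensitive
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), repl)
    return auth_dn


ROOTDN = "uid=my-name,cn=example.org,cn=gssapi,cn=auth"   # rootdn from the post


def binds_as_root(principal: str, rules=AUTHZ_REGEXP) -> bool:
    """rootdn is compared with the identity after authz-regexp mapping."""
    return map_authz(sasl_auth_dn(principal), rules).lower() == ROOTDN.lower()


if __name__ == "__main__":
    for p in ("my-name@EXAMPLE.ORG", "ldap/kerberos.example.org@EXAMPLE.ORG",
              "bob@OTHER.REALM"):
        dn = sasl_auth_dn(p)
        print("%-40s -> %s -> %s" % (p, dn, map_authz(dn)))
```

Two consequences fall out of the model. A principal that no rule matches (here bob@OTHER.REALM) still authenticates but ends up with the raw cn=auth identity, which exists in no entry, so it gets only whatever access that pseudo-DN is granted; and once a general rule maps my-name to uid=my-name,ou=people,..., the rootdn quoted in the post no longer matches, so either keep the admin out of the rewrite or set rootdn to the mapped DN.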