I have a Fedora client that is authenticating to a CentOS server running 389 DS and Kerberos.

I can run kinit <my-user-principal> on the Fedora client successfully and get a ticket, but no matter what I try I just cannot authenticate with Kerberos to the 389 server.

Whenever I try `ldapwhoami -I -Y GSSAPI` I get the following error:

SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: test@LAB2.LOCAL
ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown error)

Doing a klist I can see I have my tickets:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@LAB2.LOCAL

Valid starting     Expires            Service principal
01/09/13 00:26:58  01/10/13 00:26:58  krbtgt/LAB2.LOCAL@LAB2.LOCAL
    renew until 01/09/13 00:26:58
01/09/13 00:27:45  01/10/13 00:26:58  ldap/dp100srv1.lab2.local@LAB2.LOCAL
    renew until 01/09/13 00:26:58

I edited the nsslapd-accesslog-level attribute of cn=config to be 260 and when I checked the access log I found this (172.16.86.200 is the IP of my fedora client):

tail -n 15 /var/log/dirsrv/slapd-dp100srv1/access
[09/Jan/2013:00:58:13 -0500] conn=130 fd=64 slot=64 connection from 172.16.86.200 to 172.16.86.100
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 UNBIND
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 fd=64 closed - U1

What is BIND dn="" about? That can't be right, but according to the 389 docs the default sasl maps that are already configured should be enough for my purposes.

Where else can I look to troubleshoot this?

red888
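The access log excerpt above is the most useful evidence in the question, so here is a small parser (an added example, not from the question or the answer) that correlates 389 DS `connection from`, `BIND` and `RESULT` lines by conn/op and reports every bind that failed, with the client IP and SASL mechanism. The sample input is the question's own five lines plus a constructed successful simple bind on conn=131 for contrast.

```python
import re

# Line shapes taken from the 389 DS access log in the question.
CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\w+) version=\d+(?: mech=(\w+))?')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) ')

# Constructed sample: the question's conn=130 lines, plus a made-up conn=131 simple bind that succeeds.
SAMPLE_LOG = """\
[09/Jan/2013:00:58:13 -0500] conn=130 fd=64 slot=64 connection from 172.16.86.200 to 172.16.86.100
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 UNBIND
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 fd=64 closed - U1
[09/Jan/2013:01:02:00 -0500] conn=131 fd=65 slot=65 connection from 172.16.86.201 to 172.16.86.100
[09/Jan/2013:01:02:01 -0500] conn=131 op=0 BIND dn="uid=test,ou=people,dc=lab2,dc=local" method=128 version=3
[09/Jan/2013:01:02:01 -0500] conn=131 op=0 RESULT err=0 tag=97 nentries=0 etime=0
""".splitlines()


def failed_binds(lines):
    """Return [(conn, client_ip, mech, bind_dn, err)] for every BIND whose RESULT has err != 0.

    A SASL bind legitimately logs dn="" because the identity is established by the
    SASL/GSSAPI exchange and mapped afterwards, so an empty DN alone is not flagged;
    only the non-zero result code is.
    """
    clients = {}   # conn -> client IP
    binds = {}     # (conn, op) -> (dn, method, mech)
    failures = []
    for line in lines:
        if m := CONN_RE.search(line):
            clients[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            conn, op, dn, method, mech = m.groups()
            # method=sasl carries a mech=...; simple binds log method=128 and no mech
            binds[(conn, op)] = (dn, method, mech or ('simple' if method == '128' else method))
        elif m := RESULT_RE.search(line):
            conn, op, err = m.group(1), m.group(2), int(m.group(3))
            if (conn, op) in binds and err != 0:
                dn, _method, mech = binds[(conn, op)]
                failures.append((conn, clients.get(conn, '?'), mech, dn, err))
    return failures


if __name__ == '__main__':
    for conn, ip, mech, dn, err in failed_binds(SAMPLE_LOG):
        print(f'conn={conn} client={ip} mech={mech} dn="{dn}" err={err}')
```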

1 Answer

It looks like you are missing, somewhere, a configuration entry that tells SASL what the default DN is.

Try adding this to /etc/sssd/sssd.conf:

[domain/default]
ldap_search_base = dc=example,dc=com

And by dc=example,dc=com I mean the base DN of your LDAP.