1

In a Debian GNU/Linux environment, I am not able to have SASL work with kerberos:

sudo /usr/sbin/sasl-sample-server -m GSSAPI -s ldap
Forcing use of mechanism GSSAPI
Sending list of 1 mechanism(s)
S: R1NTQVBJ
Waiting for client mechanism...
C: [...a lot of lines trimmed...]
got 'GSSAPI'
sasl-sample-server: SASL Other: GSSAPI Error:  No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
sasl-sample-server: Starting SASL negotiation: generic failure (generic failure)

Documentation says it's the service that can't access keytab.

But:

  • sasl-sample-server is run by root, so there shuldn't be any permission issues;
  • checking the command with strace I can confirm the file /etc/krb5.keytab is accessed.

I am running out of ideas: what should I check now?

The message error is two-folded: I checked mainly the or the credentials were unavailable or inaccessible part; what does the No credentials were supplied part mean?

473183469
  • 1,350
  • 1
  • 12
  • 23

1 Answers1

2

I would double check if you have all necessary libraries:

dpkg -l | grep gssapi
ii  libgssapi-krb5-2:amd64            1.12.1+dfsg-19+deb8u2         amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libgssapi3-heimdal:amd64          1.6~rc2+dfsg-9                amd64        Heimdal Kerberos - GSSAPI support library
ii  libsasl2-modules-gssapi-mit:amd64 2.1.26.dfsg1-13+deb8u1        amd64        Cyrus SASL - pluggable authentication modules (GSSAPI)

pay particular attention to: libsasl2-modules-gssapi-mit

Francesco Malvezzi
  • 396
  • 2
  • 11