Hello,
I'm not sure if this is the correct newsgroup for this question,
but I would appreciate any help in getting it where it needs to be.
I'm running into an issue with binding to an Active Directory
server using SASL and GSSAPI. I have followed the instructions on The
Hut on how to set up a Linux workstation to authenticate to an AD
server, but I keep getting the same error message:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Message stream modified)
I followed the instructions on
http://www.hut.fi/cc/docs/kerberos/nss_ldap.html, but they cover using
MIT Kerberos instead of using Heimdal Kerberos.
I am running SuSE 9.0 on the workstation, and using all of the
packages included with SuSE (which, other than Heimdal, exceeded the
minimum version number required).
The version numbers for the packages I'm using are:
Heimdal: 0.6-75 i586
OpenLDAP: 2.1.22-73 i586
cyrus-sasl: 2.1.15-65 i586
cyrus-sasl-gssapi: 2.1.15-65 i586
OpenSSL: 0.9.7b-74 i586
nss_ldap: 207-88 i586
Here is my /etc/ldap.conf
----------------------------------------------------------------
# Configuration for pam_ldap
#
# Modified for MS Active Directory
# Active directory servers
host 192.168.0.1
# Search base
base DC=mydomain,DC=com
# LDAP version 3
ldap_version 3
# Configure the CA Certificate file
tls_cacert /etc/ssl/certs/ca-bundle.crt
# Configure the CA Certificate directory
tls_cacertdir /etc/ssl/certs
# Use SASL for all authentications
use_sasl on
# SASL authorization ID
# Bind DN (this might not be needed at all?).
# This should be the DN of the account you made
# for your workstation.
binddn CN=ldap,CN=Users,DC=mydomain,DC=com
bindpw <secret>
# Search scope
scope sub
# Break off the connection after one hour of idle time
idle_timelimit 3600
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ad
# Bases for the searches. These should be the OU's
# you create the user accounts in.
nss_base_passwd cn=Users,dc=mydomain,dc=com
nss_base_shadow cn=Users,dc=mydomain,dc=com
nss_base_group cn=Users,dc=mydomain,dc=com
nss_map_objectclass posixGroup Group
nss_map_attribute cn sAMAccountName
# SSL enabled
ssl start_tls
------------------------------------------------------------------
And here is my /etc/krb5.conf
------------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MYDOMAIN.COM = {
kdc = ad.mydomain.com:88
admin_server = ad.mydomain.com:464
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
------------------------------------------------------------------
The only thing that isn't working is the SASL/GSSAPI authentication.
I am able to bind to and search the AD LDAP directory using simple
binding, but I keep getting the local config error whenever I try
using SASL/GSSAPI.
Using kinit, I am able to successfully obtain a Kerberos 5 ticket. I
have also imported the keytab from the AD server (using ktpass on the
AD server), and doing a 'ktutil list', it shows the machine's
principal in the keytab.
For the life of me I can't figure out what is going on with this
issue. I have not been able to find any information on this issue.
Any help will be GREATLY appreciated.
Thanks,
Mike Hilty
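A follow-up example, added here and not part of Mike's post: a small Python linter for krb5.conf that catches the kind of structural damage visible in the config as quoted (a realm block whose closing brace has gone missing) and then cross-checks default_realm, [realms] and [domain_realm] against each other. The two sample configs inside it are constructed in the shape of the one above with the same placeholder names; the function names are my own and not from Heimdal or any other project.

```python
import re

# Constructed sample in the shape of the krb5.conf quoted in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = MYDOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  MYDOMAIN.COM = {
    kdc = ad.mydomain.com:88
    admin_server = ad.mydomain.com:464
  }
[domain_realm]
  .mydomain.com = MYDOMAIN.COM
  mydomain.com = MYDOMAIN.COM
[appdefaults]
  pam = {
    debug = false
    forwardable = true
  }
"""

# Constructed: the same file with the realm block's closing brace missing,
# which is how the quoted config came through in the post.
BROKEN_KRB5_CONF = """\
[realms]
  MYDOMAIN.COM = {
    kdc = ad.mydomain.com:88
[domain_realm]
  .mydomain.com = MYDOMAIN.COM
"""

_KV = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values] or {nested block}}}.

    Raises ValueError on an unclosed '{', a stray '}', or a section header
    that appears while a '{' block is still open.
    """
    sections = {}
    current = None       # dict of the [section] currently being filled
    stack = []           # open '{' blocks, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if stack:
                raise ValueError(f"line {lineno}: section header inside unclosed '{{' block")
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: key before any [section]")
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: '}}' without matching '{{'")
            stack.pop()
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw.strip()!r}")
        key, value = m.group(1), m.group(2).strip()
        target = stack[-1] if stack else current
        if value == "{":                      # start of a nested block
            stack.append(target.setdefault(key, {}))
        else:                                 # keys such as kdc may repeat
            target.setdefault(key, []).append(value)
    if stack:
        raise ValueError("end of file inside an unclosed '{' block")
    return sections


def check_realm_config(conf):
    """Cross-check the parsed sections; returns a list of problem strings (empty = OK)."""
    problems = []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default is None:
        problems.append("libdefaults: no default_realm set")
    else:
        if default != default.upper():
            # Realm names are case-sensitive; an AD realm is the upper-cased DNS domain.
            problems.append(f"libdefaults: default_realm {default!r} is not upper-case")
        if default not in realms:
            problems.append(f"realms: no [realms] entry for default_realm {default!r}")
    for name, body in realms.items():
        if not isinstance(body, dict):
            problems.append(f"realms: {name} must be a '{{ ... }}' block")
        elif "kdc" not in body:
            problems.append(f"realms: {name} lists no kdc")
    for dom, targets in conf.get("domain_realm", {}).items():
        for realm in targets:
            if realm not in realms:
                problems.append(f"domain_realm: {dom} maps to undefined realm {realm!r}")
    return problems


def lint_krb5_conf(text):
    """Parse and check in one step; a syntax error becomes a single problem entry."""
    try:
        conf = parse_krb5_conf(text)
    except ValueError as err:
        return [f"syntax: {err}"]
    return check_realm_config(conf)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_KRB5_CONF), ("broken", BROKEN_KRB5_CONF)):
        print(label, lint_krb5_conf(text) or ["OK"])
```

Run it against a real /etc/krb5.conf with `lint_krb5_conf(open("/etc/krb5.conf").read())`; an empty list means the file parses and the realm entries agree with each other, which is worth confirming before digging into keytab or ticket problems.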