openldap-sasl fails after 8.1 upgrade
Leon Meßner
l.messner at physik.tu-berlin.de
Wed Aug 25 19:47:19 UTC 2010
On Wed, Aug 25, 2010 at 10:34:27PM +0300, Reko Turja wrote:
> Sadly the GSSAPI/Kerberos has been broken in 8.x for a good while now.
> You can either install the heimdal or MIT port, although getting that
> to work instead of the base can be messy.
>
> kern/147454 PR actually has a working fix, although I'm not sure if it
> applies cleanly as it's pretty big - I managed to get working GSSAPI
> with it on 8.1 PRERELEASE.
I'll try that.
> See also discussion at
> http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html
Following the link in the other thread to
http://lists.freebsd.org/pipermail/freebsd-stable/2010-February/055017.html
I made the changes to /usr/bin/krb5-config:
# diff /usr/bin/krb5-config /usr/bin/krb5-config.org
96c96
< lib_flags="$lib_flags -lgssapi -lgssapi_spnego -lgssapi_krb5
-lheimntlm"
---
> lib_flags="$lib_flags -lgssapi -lheimntlm"
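Review bot: The operands are in modified-then-original order (`diff /usr/bin/krb5-config /usr/bin/krb5-config.org`), so at line 96 the `<` line is the new value and the `>` line is the old one. Fed to patch(1) as posted, this would drop `-lgssapi_spnego -lgssapi_krb5` instead of adding them. Regenerating it as `diff -u /usr/bin/krb5-config.org /usr/bin/krb5-config` makes the direction unambiguous and gives context lines to anchor on. The edit changes `lib_flags` in the base system's copy of the script, so any other port that takes its link flags from krb5-config picks up the two extra libraries as well, and a later base upgrade can replace the file. Keeping the `.org` copy and this diff alongside it lets the change be reapplied or reverted deliberately.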
After that, rebuilding openldap+dependencies makes it work again. I
suppose this is quite dirty and I have to see if it introduces other
problems.
Thanks,
leon
>
> --------------------------------------------------
> From: "LeonMeßner" <l.messner at physik.tu-berlin.de>
> Sent: Wednesday, August 25, 2010 7:04 PM
> To: <freebsd-questions at freebsd.org>
> Subject: openldap-sasl fails after 8.1 upgrade
>
> > Hi,
> >
> > after binary upgrading to freebsd8.1 from 7.2 I encounter an error
> > with openldap24, cyrus-sasl2 and kerberos:
> >
> > # ldapsearch uid=whatever
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> > error (80)
> > additional info: SASL(-1): generic failure: GSSAPI Error: No
> > credentials were supplied, or the credentials were unavailable or
> > inaccessible. (unknown mech-code 0 for mech unknown)
> >
> > Simple binding to the ldap server does work. The KDC behind this is
> > still on kerberos 0.6.3 (FreeBSD7.3) and there have been reported
> > problems with such a setup, but as I can log in through ssh and kerberos
> > I suppose these [1] don't apply here (also already tested the proposed
> > changes).
> >
> > If anybody got any insight please share.
> >
> > Thanks in Advance,
> > Leon
> >
> > [1]
> > http://lists.freebsd.org/pipermail/freebsd-stable/2009-October/052217.html
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe at freebsd.org"