shorewalker / slapd-gssproxy

gssproxy configuration for OpenLDAP's Stand-alone LDAP Daemon
GNU General Public License v3.0

gssproxy credentials unusable by slapd #1

Open shorewalker opened 6 years ago

shorewalker commented 6 years ago

gssproxy credentials are unusable by slapd.

krbtgt is successfully obtained by gssproxy.

shorewalker commented 6 years ago

In the meantime slapd-k5start provides a reasonable, if less secure, way to ensure that slapd has a valid Kerberos credential cache.

shorewalker commented 6 years ago

Apr 16 21:52:13 syncrepl-client gssproxy: [2018/04/17 04:52:13]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "slapd", euid: 55,socket: (null)
Apr 16 21:52:13 syncrepl-client gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [  ] } input_cred_handle: { "ldap/syncrepl-client.example.com@EXAMPLE.COM" [ { "ldap/syncrepl-client.example.com@EXAMPLE.COM" { 1 2 840 113554 1 2 2 } INITIATE 42840 0 } ] [ ..AC...5.6..A...... ] 0 } add_cred: 0 desired_name: <Null> time_req: 0 desired_mechs: { } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
Apr 16 21:52:13 syncrepl-client gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [  ] } output_cred_handle: { "ldap/syncrepl-client.example.com@EXAMPLE.COM" [ { "ldap/syncrepl-client.example.com@EXAMPLE.COM" { 1 2 840 113554 1 2 2 } INITIATE 42840 0 } ] [ ..AC...5.6..A...... ] 0 } )
Apr 16 21:52:13 syncrepl-client gssproxy: [2018/04/17 04:52:13]: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "slapd", euid: 55,socket: (null)
Apr 16 21:52:13 syncrepl-client gssproxy: GSSX_ARG_INIT_SEC_CONTEXT( call_ctx: { "" [  ] } context_handle: <Null> cred_handle: { "ldap/syncrepl-client.example.com@EXAMPLE.COM" [ { "ldap/syncrepl-client.example.com@EXAMPLE.COM" { 1 2 840 113554 1 2 2 } INITIATE 42840 0 } ] [ ..AC...5.6..A...... ] 0 } target_name: "ldap@syncrepl-server.example.com" mech_type: { 1 2 840 113554 1 2 2 } req_flags: 58 time_req: 0 input_cb: <Null> input_token: <Null> [ { [ sync.modified.cr... ] [ 64656661756c740 ] } ] )
Apr 16 21:52:13 syncrepl-client gssproxy: [2018/04/17 04:52:13]: Failure while checking credentials
Apr 16 21:52:13 syncrepl-client gssproxy: GSSX_RES_INIT_SEC_CONTEXT( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639053 "Unspecified GSS failure.  Minor code may provide more information" "" [  ] } context_handle: <Null> output_token: <Null> )
Apr 16 21:52:13 syncrepl-client slapd[13427]: slap_client_connect: URI=ldap://syncrepl-server.example.com ldap_sasl_interactive_bind_s failed (-2)
Apr 16 21:52:13 syncrepl-client slapd[13427]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)
Apr 16 21:52:13 syncrepl-client slapd[13427]: do_syncrepl: rid=001 rc -2 retrying
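Added example (not part of this issue or of the slapd-gssproxy project): a small Python parser that pairs each gssproxy gp_rpc_execute line with its GSSX_RES_* answer, decodes the routine-error field of the GSS major status, and pulls the minor-status text out of the matching slapd line, so the failing call (cred acquired fine, init_sec_context failed) stands out. The sample log is constructed from the lines in this thread; the ROUTINE_ERRORS table is an assumption covering only a few RFC 2744 codes.

```python
import re

# Constructed sample: gssproxy/slapd lines from this issue, trimmed to the parsed fields.
SAMPLE_LOG = """\
Apr 16 21:52:13 syncrepl-client gssproxy: [2018/04/17 04:52:13]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "slapd", euid: 55,socket: (null)
Apr 16 21:52:13 syncrepl-client gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 0 { 1 2 840 113554 1 2 2 } 0 "" "" [  ] } output_cred_handle: { "ldap/syncrepl-client.example.com@EXAMPLE.COM" } )
Apr 16 21:52:13 syncrepl-client gssproxy: [2018/04/17 04:52:13]: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service "slapd", euid: 55,socket: (null)
Apr 16 21:52:13 syncrepl-client gssproxy: [2018/04/17 04:52:13]: Failure while checking credentials
Apr 16 21:52:13 syncrepl-client gssproxy: GSSX_RES_INIT_SEC_CONTEXT( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639053 "Unspecified GSS failure.  Minor code may provide more information" "" [  ] } context_handle: <Null> output_token: <Null> )
Apr 16 21:52:13 syncrepl-client slapd[13427]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)
"""

EXEC_RE = re.compile(r'gp_rpc_execute: executing \d+ \((GSSX_\w+)\) for service "([^"]+)", euid: (\d+)')
# status: { <major> { <mech OID> } <minor> "<major text>" "<minor text>" [ ... ] }
RES_RE = re.compile(r'GSSX_RES_(\w+)\( status: \{ (\d+) \{ [\d ]+\} (\d+) "([^"]*)" "([^"]*)"')
SLAPD_RE = re.compile(r'slapd\[\d+\]: GSSAPI Error: .*\(([^)]+)\)$')

# Routine-error values from the GSS major status word (RFC 2744 section 3.9.1); partial table.
ROUTINE_ERRORS = {7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT",
                  11: "GSS_S_CREDENTIALS_EXPIRED", 13: "GSS_S_FAILURE"}

def routine_error(major):
    """Name the routine-error field (bits 16-23) of a GSS major status."""
    code = (major >> 16) & 0xFF
    return ROUTINE_ERRORS.get(code, "routine_error_%d" % code)

def parse_gssproxy_trace(text):
    """Pair each gp_rpc_execute line with the GSSX_RES_* line answering it.

    Returns (calls, slapd_minor_text); calls is a list of dicts with op, service,
    euid, major, minor and the major-status text reported by gssproxy."""
    calls, pending, slapd_minor = [], None, None
    for line in text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            pending = {"op": m.group(1), "service": m.group(2), "euid": int(m.group(3))}
            continue
        m = RES_RE.search(line)
        if m and pending and pending["op"].endswith(m.group(1)):
            pending.update(major=int(m.group(2)), minor=int(m.group(3)), text=m.group(4))
            calls.append(pending)
            pending = None
            continue
        m = SLAPD_RE.search(line)
        if m:
            slapd_minor = m.group(1)   # e.g. "Credential cache is empty"
    return calls, slapd_minor

def failed_calls(calls):
    """(op, routine error name, gssproxy text) for every call whose major status is non-zero."""
    return [(c["op"], routine_error(c["major"]), c["text"]) for c in calls if c["major"] != 0]
```

Run against a full gssproxy debug log, the output narrows the problem to which RPC failed and with which routine error, before digging into ccache or keytab configuration.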