[Admin-ml] Key table entry not found

Fabien COMBERNOUS fcombernous at kezia.com
Fri 8 Jul 15:09:58 CEST 2011


Hello,

I have two servers. One hosts the OD master, the other the OD replica.
On the replica, the ldapsearch command works as expected.

But on the master, here is what I get with debugging enabled:

server:~ admin$ ldapsearch -d 1 -b cn=mounts,dc=server,dc=lan
...
res_errno: 80, res_error:<SASL(-1): generic failure: GSSAPI
     Error: Unspecified GSS failure.  Minor code may provide more
     information (Key table entry not found)>, res_matched:<>

...

(The full ldapsearch debug trace is at the end of the message.)

Given the "key table entry not found" message, I tried using kadmin to
check that the principal root@SERVER.LAN exists. But when using kadmin
I got this message:

server:~ admin$ kadmin -p root@SERVER.LAN
Couldn't open log file /var/log/krb5kdc/kadmin.log: Permission denied
Authenticating as principal root@SERVER.LAN with password.
Password for root@SERVER.LAN:
kadmin: Communication failure with server while initializing kadmin interface
server:~ admin$

I checked the owner, group and permissions of that log file. Comparing with another install, there were differences. I set the permissions to 600, root, wheel. But that changed nothing; I still get the error message.

So I used kadmin.local instead and was able to verify that root@SERVER.LAN exists in the list.

Any debugging ideas?



PS:
server:~ admin$ kinit root
Please enter the password for root@SERVER.LAN:
server:~ admin$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: root@SERVER.LAN

Valid Starting     Expires            Service Principal
07/07/11 17:50:19  07/08/11 03:50:09 krbtgt/SERVER.LAN@SERVER.LAN
     renew until 07/14/11 17:50:19


server:~ admin$ ldapsearch -d 1 -b cn=mounts,dc=server,dc=lan
ldap_create
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 3
ldap_result ld 0x100117f70 msgid 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
wait4msg ld 0x100117f70 msgid 1 (infinite timeout)
wait4msg continue ld 0x100117f70 msgid 1 all 1
** ld 0x100117f70 Connections:
* host: localhost  port: 389  (default)
   refcnt: 2  status: Connected
   last used: Thu Jul  7 17:51:40 2011


** ld 0x100117f70 Outstanding Requests:
  * msgid 1,  origid 1, status InProgress
    outstanding referrals 0, parent count 0
   ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
    Empty
   ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 56 contents:
read1msg: ld 0x100117f70 msgid 1 message type search-entry
wait4msg continue ld 0x100117f70 msgid 1 all 1
** ld 0x100117f70 Connections:
* host: localhost  port: 389  (default)
   refcnt: 2  status: Connected
   last used: Thu Jul  7 17:51:40 2011


** ld 0x100117f70 Outstanding Requests:
  * msgid 1,  origid 1, status InProgress
    outstanding referrals 0, parent count 0
   ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
  * msgid 1,  type 100
   ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 1 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x100117f70 msgid 1 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x100117f70 0 new referrals
read1msg:  mark request completed, ld 0x100117f70 msgid 1
request done: ld 0x100117f70 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
adding response ld 0x100117f70 msgid 1 type 101:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind_s: server supports: CRAM-MD5 GSSAPI
ldap_int_sasl_bind: CRAM-MD5 GSSAPI
ldap_int_sasl_open: host=server.lan
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 703 bytes to sd 3
ldap_result ld 0x100117f70 msgid 2
ldap_chkResponseList ld 0x100117f70 msgid 2 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
wait4msg ld 0x100117f70 msgid 2 (infinite timeout)
wait4msg continue ld 0x100117f70 msgid 2 all 1
** ld 0x100117f70 Connections:
* host: localhost  port: 389  (default)
   refcnt: 2  status: Connected
   last used: Thu Jul  7 17:51:40 2011


** ld 0x100117f70 Outstanding Requests:
  * msgid 2,  origid 2, status InProgress
    outstanding referrals 0, parent count 0
   ld 0x100117f70 request count 1 (abandoned 0)
** ld 0x100117f70 Red-Black Tree Response Queue:
    Empty
   ld 0x100117f70 response count 1
ldap_chkResponseList ld 0x100117f70 msgid 2 all 1
ldap_chkResponseList returns ld 0x100117f70 NULL
ldap_int_select
read1msg: ld 0x100117f70 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
read1msg: ld 0x100117f70 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x100117f70 0 new referrals
read1msg:  mark request completed, ld 0x100117f70 msgid 2
request done: ld 0x100117f70 msgid 2
res_errno: 80, res_error: <SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Key 
table entry not found)>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) 
error (80)
server:~ admin$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: root@SERVER.LAN

Valid Starting     Expires            Service Principal
07/07/11 17:50:19  07/08/11 03:50:09 krbtgt/SERVER.LAN@SERVER.LAN
     renew until 07/14/11 17:50:19

07/07/11 17:51:40  07/08/11 03:50:09 ldap/SERVER.LAN@SERVER.LAN
     renew until 07/14/11 17:50:19



-- 
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group
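One way to narrow a "Key table entry not found" bind failure down, as an added example that is not part of the post above or of any Kerberos or OpenLDAP tool: the trace shows the client did obtain a service ticket for ldap/SERVER.LAN@SERVER.LAN from the KDC, and the diagnostic text in the bind result is the acceptor (the LDAP server) reporting that it found no key for the requested service principal in its keytab. The script below correlates the two: it parses the client's `klist` output for the ldap/ service tickets and a `klist -k -e` listing from the server, and reports for each ticket whether an exact keytab entry exists, whether only a differently-cased one exists (Kerberos compares principal names case-sensitively), or whether none exists. Both listings are constructed samples embedded here; the keytab sample deliberately contains `ldap/server.lan@SERVER.LAN` to show what a case mismatch report looks like. Whether that is the situation on the poster's master is not known from the post.

```python
"""Correlate a client's ticket cache with a server's keytab listing.

Added example, not code from the post or from MIT/Heimdal Kerberos.
Assumes the text formats of `klist` (ticket cache) and `klist -k -e`
(keytab) as shown in the constructed samples below.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: Optional[str]


# Constructed sample of `klist -k -e` run on the LDAP server (not from the post).
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/server.lan@SERVER.LAN (aes256-cts-hmac-sha1-96)
   3 ldap/server.lan@SERVER.LAN (arcfour-hmac)
   2 host/server.lan@SERVER.LAN (aes256-cts-hmac-sha1-96)
"""

# Constructed sample of `klist` on the client, modelled on the post's output.
SAMPLE_CCACHE_LISTING = """\
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: root@SERVER.LAN

Valid Starting     Expires            Service Principal
07/07/11 17:50:19  07/08/11 03:50:09 krbtgt/SERVER.LAN@SERVER.LAN
     renew until 07/14/11 17:50:19

07/07/11 17:51:40  07/08/11 03:50:09 ldap/SERVER.LAN@SERVER.LAN
     renew until 07/14/11 17:50:19
"""

# "   3 ldap/server.lan@SERVER.LAN (aes256-cts-hmac-sha1-96)" -> kvno, principal, enctype
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\(([^)]+)\))?\s*$")
# "07/07/11 17:51:40  07/08/11 03:50:09 ldap/SERVER.LAN@SERVER.LAN" -> service principal
TICKET_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s+\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s+(\S+)\s*$"
)


def parse_keytab_listing(text: str) -> List[KeytabEntry]:
    """Return one entry per key line; header and separator lines are skipped."""
    entries: List[KeytabEntry] = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_ccache_services(text: str) -> List[str]:
    """Return the service principal of every ticket line in `klist` output."""
    services: List[str] = []
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            services.append(m.group(1))
    return services


def diagnose(service_principal: str, entries: List[KeytabEntry]) -> Dict[str, object]:
    """Classify a ticket's service principal against the keytab entries.

    Exact string comparison first, because the acceptor matches the name in
    the ticket byte for byte; a case-only difference is reported separately
    so the admin sees a near miss rather than a plain "missing".
    """
    exact = [e for e in entries if e.principal == service_principal]
    if exact:
        return {"status": "present", "kvnos": sorted({e.kvno for e in exact}), "candidates": []}
    loose = sorted({e.principal for e in entries
                    if e.principal.lower() == service_principal.lower()})
    if loose:
        return {"status": "case-mismatch", "kvnos": [], "candidates": loose}
    return {"status": "missing", "kvnos": [], "candidates": []}


def diagnose_ccache(ccache_text: str, keytab_text: str,
                    service: str = "ldap") -> Dict[str, Dict[str, object]]:
    """Diagnose every `service/` ticket in the cache against the keytab."""
    entries = parse_keytab_listing(keytab_text)
    return {spn: diagnose(spn, entries)
            for spn in parse_ccache_services(ccache_text)
            if spn.startswith(service + "/")}


if __name__ == "__main__":
    for spn, verdict in diagnose_ccache(SAMPLE_CCACHE_LISTING, SAMPLE_KEYTAB_LISTING).items():
        print(f"{spn}: {verdict['status']}", verdict["candidates"] or verdict["kvnos"])
```

To use it on real systems, capture `klist` on the client after the failed bind and `klist -k -e` on the LDAP server (as root, or as the user slapd runs as, to confirm that user can read the keytab at all) and pass the two texts to `diagnose_ccache`. A "present" verdict with the error still occurring points elsewhere (for example the keytab path slapd actually opens, or a stale key version, which MIT reports with a different "Key version number ... is incorrect" message rather than "Key table entry not found").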


