GSSAPI method fails "ERROR: -1647 SASL_DoMechanism: NMAS_InvokeMechanism"

  • 7009521
  • 19-Jun-2012
  • 19-Jun-2012

Environment

eDirectory 886
NMAS 3.3.x
GSSAPI Method

Situation

Installed the GSSAPI method, configured the realm, and uploaded the key to the principal in eDirectory.

Using the GSSAPI method with an ldapsearch fails (ldapsearch -Y GSSAPI -b "" -s base):

GSS_Accept_sec_context: Key table entry not found
ERROR: -1647 SASL_DoMechanism: NMAS_InvokeMechanism


Resolution

Two principals with the same name were created in different contexts: one in the default context and a second under the desired context. The key was imported into the second principal, but authentication was attempting to use the principal created in the default context.

When a principal is created and the Principal Container is not specified, the principal is created in kerberos.security by default.

Ensure there is only one object with the name of the principal created in the tree.

Additional Information

Example of an ndstrace.log taken with +time and the LDAP and NMAS tags:

2462861072 LDAP: [2012/06/15 17:52:59.444] New cleartext connection 0xe330700 from 127.0.0.1:37884, monitor = 0xffffffff92dc5710, index = 4
2303698704 LDAP: [2012/06/15 17:52:59.451] (127.0.0.1:37884)(0x0001:0x60) DoBind on connection 0xe330700
2303698704 LDAP: [2012/06/15 17:52:59.451] (127.0.0.1:37884)(0x0001:0x60) Bind name:NULL, version:3, authentication:GSSAPI
2303698704 NMAS: [2012/06/15 17:52:59.451] 262187: Create NMAS Session
2303698704 NMAS: [2012/06/15 17:52:59.451] 262187: SASL GSSAPI started
2303698704 NMAS: [2012/06/15 17:52:59.454] 262187: GSS_Accept_sec_context: Unspecified GSS failure.  Minor code may provide more information
2303698704 NMAS: [2012/06/15 17:52:59.462] 262187: GSS_Accept_sec_context: Key table entry not found
2303698704 NMAS: [2012/06/15 17:52:59.463] 262187: NMAS Audit with Audit PA not installed
2303698704 NMAS: [2012/06/15 17:52:59.463] 262187: NMAS Audit with XDAS not installed
2303698704 NMAS: [2012/06/15 17:52:59.463] 262187: ERROR: -1647 SASL_DoMechanism: NMAS_InvokeMechanism
2303698704 NMAS: [2012/06/15 17:52:59.463] 262187: Client Session Destroy Request
2303698704 NMAS: [2012/06/15 17:52:59.463] 262187: Destroy NMAS Session
2303698704 NMAS: [2012/06/15 17:52:59.463] 262187: Aborted Session Destroyed (with MAF)
2303698704 LDAP: [2012/06/15 17:52:59.463] Environment variable is set to not put NMAS NetworkAddress:
2303698704 LDAP: [2012/06/15 17:52:59.463] (127.0.0.1:37884)(0x0001:0x60) Failed to authenticate full context on connection 0xe330700, err = -1647 (0xfffffffffffff991)
2303698704 LDAP: [2012/06/15 17:52:59.463] (127.0.0.1:37884)(0x0001:0x60) Sending operation result 49:"":"" to connection 0xe330700
2463913744 LDAP: [2012/06/15 17:52:59.467] Monitor 0xffffffff92dc5710 found connection 0xe330700 socket closed, err = -5871, 0 of 0 bytes read
2463913744 LDAP: [2012/06/15 17:52:59.467] Monitor 0xffffffff92dc5710 initiating close for connection 0xe330700
2477598480 LDAP: [2012/06/15 17:52:59.467] Server closing connection 0xe330700, socket error = -5871
2477598480 LDAP: [2012/06/15 17:52:59.467] Connection 0xe330700 closed
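The following added Python helper (not part of this TID) automates the two checks above: it scans NMAS trace lines for the "Key table entry not found" / -1647 signature per NMAS session, and it scans an LDIF subtree search result for principal names that appear on more than one object. The NMAS lines are taken from the trace above plus one constructed clean session; the LDIF, the DNs in it, and the attribute name krbPrincipalName are assumptions, not values from this TID.

```python
import re
from collections import defaultdict

# Three NMAS lines from the TID's trace (session 262187) plus a constructed
# clean session (262188) that should not be flagged.
TRACE = """\
2303698704 NMAS: [2012/06/15 17:52:59.451] 262187: SASL GSSAPI started
2303698704 NMAS: [2012/06/15 17:52:59.462] 262187: GSS_Accept_sec_context: Key table entry not found
2303698704 NMAS: [2012/06/15 17:52:59.463] 262187: ERROR: -1647 SASL_DoMechanism: NMAS_InvokeMechanism
2303698704 NMAS: [2012/06/15 17:53:10.101] 262188: SASL GSSAPI started
2303698704 NMAS: [2012/06/15 17:53:10.120] 262188: Destroy NMAS Session
"""
# thread-id  NMAS: [timestamp] session-id: message
NMAS_LINE = re.compile(r"^\d+ NMAS: \[(?P<ts>[^\]]+)\] (?P<sess>\d+): (?P<msg>.*)$")

def gssapi_keytab_failures(trace: str) -> list[dict]:
    """One record per NMAS session showing the TID's signature:
    'Key table entry not found' followed by 'ERROR: -1647'."""
    by_session = defaultdict(list)
    for line in trace.splitlines():
        m = NMAS_LINE.match(line)
        if m:
            by_session[m["sess"]].append(m["msg"])
    hits = []
    for sess, msgs in by_session.items():
        if any("Key table entry not found" in t for t in msgs) and \
           any("ERROR: -1647" in t for t in msgs):
            hits.append({"session": sess,
                         "hint": "keytab not on the principal object being used; check for duplicate principals"})
    return hits

# Constructed LDIF, as a subtree ldapsearch -LLL for the principal name might return.
# The attribute name krbPrincipalName and both DNs are assumptions.
LDIF = """\
dn: krbPrincipalName=ldap/srv.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,cn=security
krbPrincipalName: ldap/srv.example.com@EXAMPLE.COM

dn: krbPrincipalName=ldap/srv.example.com@EXAMPLE.COM,ou=kerberos,o=example
krbPrincipalName: ldap/srv.example.com@EXAMPLE.COM
"""

def duplicate_principals(ldif: str) -> dict[str, list[str]]:
    """Map each principal name found on more than one object to the DNs holding it."""
    holders = defaultdict(list)
    dn = None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("krbPrincipalName: ") and dn:
            holders[line.split(": ", 1)[1]].append(dn)
    return {name: dns for name, dns in holders.items() if len(dns) > 1}
```

Any name returned by duplicate_principals() is a candidate for the situation in this TID: the key was imported into one object while NMAS resolved the other.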