From: Jeremy Chadwick
To: Jan Henrik Sylvester
Cc: stable-list freebsd
Date: Thu, 2 Sep 2010 04:50:47 -0700
Subject: Re: GSSAPI (for OpenLDAP) on FreeBSD 8?
Message-ID: <20100902115047.GA37856@icarus.home.lan>
In-Reply-To: <4C7E803F.1090606@janh.de>
References: <4C7E803F.1090606@janh.de>
User-Agent: Mutt/1.5.20 (2009-06-14)

On Wed, Sep 01, 2010 at 06:33:03PM +0200, Jan Henrik Sylvester wrote:
> I have got problems with GSSAPI authentication to OpenLDAP:
>
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
>         additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
>
> There were at least two discussions, multiple bug reports, and patches about broken GSSAPI on FreeBSD 8, the longest (I found) starting here:
> http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html
>
> After reading through these discussions, I do not know what the proper fix is -- I would like to change as little as possible introducing SASL authentication to a (production) OpenLDAP server.
>
> I have got: an i386 kerberos server, a ldap server in a jail on i386, some amd64 clients -- all running 8.1-RELEASE. Eventually there need to be some Debian/Ubuntu clients using GSSAPI/SASL, too.
>
> What do I need to "fix"? Just the ldap server? Is it enough to change the jail or does the host need to be patched, too? Or do I need to fix the client, too? The kerberos server?
>
> From the discussion, multiple fixes were possible: patching libgssapi and reinstalling everything depending on it (what?), installing the heimdal-1.0 port (while FreeBSD 8 comes with heimdal-1.1), installing an unofficial heimdal-1.2 port, ...
>
> Is that correct? Anything new after the discussion in July?
>
> From the discussion, some patches should already be in 8-STABLE, but I could not find the revision (after 8.1-RELEASE).
>
> If I upgraded the ldap jail to 8-STABLE, I guess the host needs to be updated, too. Hence I would prefer to just change ports or update single libraries.
>
> Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the libgssapi patch? With the heimdal-1.2 port?

Can you please try the patch I proposed and see if it improves your situation? Thanks.

http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057830.html

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |