From: Leon Meßner
Date: Wed, 25 Aug 2010 21:47:17 +0200
To: Reko Turja
Cc: LeonMeßner, freebsd-questions@freebsd.org
Subject: Re: openldap-sasl fails after 8.1 upgrade
Message-ID: <20100825194717.GB51165@emmi.physik-pool.tu-berlin.de>

On Wed, Aug 25, 2010 at 10:34:27PM +0300, Reko Turja wrote:
> Sadly the GSSAPI/Kerberos has been broken in 8.x for a good while now.
> You can either install the heimdal or MIT port, although getting that
> to work instead of the base can be messy.
>
> kern/147454 PR actually has a working fix, although I'm not sure if it
> applies cleanly as it's pretty big - I managed to get working GSSAPI
> with it on 8.1 PRERELEASE.

I'll try that.

> See also discussion at
> http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html

Following the link in the other thread to
http://lists.freebsd.org/pipermail/freebsd-stable/2010-February/055017.html
I made the changes to /usr/bin/krb5-config:

# diff /usr/bin/krb5-config /usr/bin/krb5-config.org
96c96
< lib_flags="$lib_flags -lgssapi -lgssapi_spnego -lgssapi_krb5 -lheimntlm"
---
> lib_flags="$lib_flags -lgssapi -lheimntlm"

After that, rebuilding openldap+dependencies makes it work again. I
suppose this is quite dirty and I have to see if it introduces other
problems.

Thanks,
leon

>
> --------------------------------------------------
> From: "LeonMeßner"
> Sent: Wednesday, August 25, 2010 7:04 PM
> To:
> Subject: openldap-sasl fails after 8.1 upgrade
>
> > Hi,
> >
> > after binary upgrading to freebsd8.1 from 7.2 I encounter an error
> > with openldap24, cyrus-sasl2 and kerberos:
> >
> > # ldapsearch uid=whatever
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> > error (80)
> > additional info: SASL(-1): generic failure: GSSAPI Error: No
> > credentials were supplied, or the credentials were unavailable or
> > inaccessible. (unknown mech-code 0 for mech unknown)
> >
> > Simple binding to the ldap server does work. The KDC behind this is
> > still on kerberos 0.6.3 (FreeBSD7.3) and there have been reported
> > problems with such a setup, but as I can login through ssh and
> > kerberos
> > I suppose these [1] don't apply here (also already tested the
> > proposed
> > changes).
> >
> > If anybody got any insight please share.
> >
> > Thanks in Advance,
> > Leon
> >
> > [1]
> > http://lists.freebsd.org/pipermail/freebsd-stable/2009-October/052217.html
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
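
Review bot: in the 96c96 change to /usr/bin/krb5-config, the diff was taken with the modified file first and krb5-config.org second, so the "<" line is the new lib_flags and the ">" line is the old one, and applying it with patch would need -R. Generating it as diff -u krb5-config.org krb5-config would make the direction unambiguous for anyone reusing it. The edit also sits in a file under /usr/bin that the base system installs, so a later base upgrade can restore the old line 96 and anything rebuilt afterwards would again link without -lgssapi_spnego and -lgssapi_krb5; keep the diff alongside the .org copy and recheck line 96 after each upgrade.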