I'm setting up OpenLDAP with SASL authentication via Kerberos, and I have a problem with this auth.
First, I get the Kerberos ticket with kinit. When I run klist, the ticket is displayed, so no problem there. But when I try to run ldapwhoami, I get an error:
[hue@sandbox ~]$ kdestroy
[hue@sandbox ~]$ kinit vishnu
Password for [email protected]:
[hue@sandbox ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1007
Default principal: [email protected]
Valid starting     Expires            Service principal
05/29/14 06:42:52  05/29/14 16:42:52  krbtgt/[email protected]
        renew until 06/05/14 06:42:48
05/29/14 06:42:57  05/29/14 16:42:52  ldap/[email protected]
        renew until 06/05/14 06:42:48
[hue@sandbox ~]$ ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
I don't know where to search anymore. Please help me.
I had the same error message with the missing minor code. While searching for people with similar problems, I noticed that this usually has something to do with an inaccessible keytab file.
In my case the problem was that the group of the /etc/openldap/ldap.keytab file was root instead of ldap. Another possible cause is a wrong or missing KRB5_KTNAME path in your slapd options file (/etc/sysconfig/ldap on Red Hat 6).
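As an added example (not part of the question or the answer above), the following POSIX shell script checks the two things the answer names: whether the keytab is readable by the account slapd runs as (and not by everyone else), and whether the slapd options file actually points KRB5_KTNAME at that keytab. The default paths and the ldap:ldap account are hypothetical defaults taken from the answer's Red Hat 6 layout; pass your own on the command line.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: check the two
# conditions the answer names for slapd's GSSAPI keytab, i.e. that the keytab is
# readable by the user slapd runs as (and by nobody else), and that the slapd
# options file points KRB5_KTNAME at that keytab.
# Hypothetical defaults, adjust for your host: keytab /etc/openldap/ldap.keytab,
# slapd running as ldap:ldap, options file /etc/sysconfig/ldap (Red Hat 6 layout).

# file_owner_group FILE: prints "owner:group:octal-mode" (GNU stat, BSD fallback).
file_owner_group() {
    stat -c '%U:%G:%a' "$1" 2>/dev/null || stat -f '%Su:%Sg:%Lp' "$1"
}

# check_keytab KEYTAB USER GROUP
# Returns 0 when USER can read KEYTAB through the owner or group permission bits
# and the file is not world-readable (a keytab holds a long-term service key;
# other local users must not be able to read it). Prints one line per finding.
check_keytab() {
    kt=$1
    want_user=$2
    want_group=$3
    rc=0
    if [ ! -f "$kt" ]; then
        echo "FAIL: keytab $kt does not exist"
        return 1
    fi
    og=$(file_owner_group "$kt") || return 1
    owner=${og%%:*}
    rest=${og#*:}
    group=${rest%%:*}
    mode=${rest#*:}
    perm=$(printf '%03o' "0$mode")      # re-pad: GNU stat drops leading zeros
    perm=${perm#"${perm%???}"}          # keep the last three digits (drop setgid etc.)
    u=${perm%??}
    g=${perm#?}; g=${g%?}
    o=${perm#??}
    readable=0
    [ "$owner" = "$want_user" ] && [ $((u & 4)) -ne 0 ] && readable=1
    [ "$group" = "$want_group" ] && [ $((g & 4)) -ne 0 ] && readable=1
    if [ "$readable" -eq 0 ]; then
        echo "FAIL: $kt is $owner:$group mode $perm; slapd ($want_user:$want_group) cannot read it"
        rc=1
    fi
    if [ $((o & 4)) -ne 0 ]; then
        echo "FAIL: $kt mode $perm is world-readable; use chmod 640 (or 600)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $kt is $owner:$group mode $perm"
    return "$rc"
}

# check_ktname OPTIONS_FILE KEYTAB
# Returns 0 when OPTIONS_FILE sets KRB5_KTNAME (optionally exported, optionally
# quoted, optionally with a FILE: prefix) to KEYTAB.
check_ktname() {
    opts=$1
    kt=$2
    if [ ! -r "$opts" ]; then
        echo "FAIL: cannot read options file $opts"
        return 1
    fi
    val=$(grep -E '^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=' "$opts" \
          | tail -n 1 \
          | sed 's/^[^=]*=//; s/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
          | tr -d "\"'")
    val=${val#FILE:}
    if [ -z "$val" ]; then
        echo "FAIL: KRB5_KTNAME is not set in $opts"
        return 1
    fi
    if [ "$val" != "$kt" ]; then
        echo "FAIL: $opts sets KRB5_KTNAME=$val but the keytab is $kt"
        return 1
    fi
    echo "OK: $opts sets KRB5_KTNAME=$val"
    return 0
}

# Run the checks when invoked with arguments, e.g.
#   sh check_slapd_keytab.sh /etc/openldap/ldap.keytab ldap ldap /etc/sysconfig/ldap
# With no arguments the file only defines the functions, so it can be sourced.
if [ $# -gt 0 ]; then
    status=0
    check_keytab "${1:-/etc/openldap/ldap.keytab}" "${2:-ldap}" "${3:-ldap}" || status=1
    check_ktname "${4:-/etc/sysconfig/ldap}" "${1:-/etc/openldap/ldap.keytab}" || status=1
    exit "$status"
fi
```

A keytab that is root:root with mode 640, as in the answer, fails the first check because slapd is neither the owner nor in the group; fixing it with chgrp ldap (or chown ldap) and keeping the mode at 640 satisfies both the readability and the not-world-readable condition.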