Kerberos/SASSL/OpenLDAP : GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()

Voulzy picture Voulzy · May 29, 2014 · Viewed 39.6k times · Source

I'm setting up openLDAP with SASL authentification with kerberos. I got problem with this auth.

First, I get the kerberos ticket with kinit. When I make a klist, the ticket is displayed. So, no problem. But when I try to make ldapwhoami. I got an error :

[hue@sandbox ~]$ kdestroy

[hue@sandbox ~]$ kinit vishnu
Password for [email protected]:

[hue@sandbox ~]$ klist
Ticket cache: _FILE:/tmp/krb5cc_1007
Default principal: [email protected]

Valid starting     Expires            Service principal
05/29/14 06:42:52  05/29/14 16:42:52  krbtgt/[email protected]
        renew until 06/05/14 06:42:48
05/29/14 06:42:57  05/29/14 16:42:52  ldap/[email protected]
        renew until 06/05/14 06:42:48

[hue@sandbox ~]$ ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()

I don't know where to search anymore. Please, help me.

Answer

BeeJee picture BeeJee · Jun 3, 2014

I had the same error message with the missing minor code. While searching for people with similar problems I noticed that this usually has something to do with an inaccessible keytab file.

In my case the problem was the group of the /etc/openldap/ldap.keytab file was root instead of ldap. Other possible problems can be a wrong or missing KRB5_KTNAME path in your slapd options file (/etc/sysconfig/ldap on red hat 6)