Quoting "Pallissard, Matthew" <k...@pallissard.net>:

> Is it slapd reading its key tab incorrectly or is the hostname being
> derived incorrectly? Is this a host file issue?

IMO, this is slapd not reading its key table, as the host file does not give information about the Kerberos principal needed for authentication.

I started out using a separate keytab file like on the other systems, using this line in /etc/default/slapd:

    export KRB5_KTNAME=/etc/ldap/krb5-ldap.keytab

It's important to ensure that the openldap group has read access to it.

I've also tried using the default keytab file instead, applying the same group access, but slapd continues to attempt to authenticate with 'ldap/localh...@example.com'.

Furthermore, /etc/hostname is fine, 'hostnamectl status' checks out okay, there's nothing funny in /etc/hosts and the DNS forward and reverse records are consistent.

So, this looks like a bug to me, but in what part of the software: Kerberos, slapd, or some library, like libsasl2-modules-gssapi-mit? I'm leaning towards the latter.

Cheers,
Jaap