[Opendj] SaslException(GSS initiate failed)

Jeff Blaine jblaine at kickflop.net
Thu Feb 16 17:22:51 EST 2012 

If anyone has any ideas, I'd love to hear them.  Is the
SaslException(GSS initiate failed) caused by us not having
that super-duper Java security add-on?  Is that always
going to be a requirement?

GSSAPI SASL

         Property               Value(s)
         -------------------------------------------------
     1)  enabled                true
     2)  identity-mapper        Regular Expression
     3)  java-class org.opends.server.extensions.GSSAPISASLMechanismHandler
     4)  kdc-address            The server attempts to ...
     5)  keytab                 /LDAP/opendj/opendj.keytab
     6)  principal-name         The server attempts to ...
     7)  quality-of-protection  none
     8)  realm                  The server attempts to ...
     9)  server-fqdn            The server attempts to ...

Server restart shows:

[16/Feb/2012:17:04:19 -0500] category=EXTENSIONS severity=INFORMATION 
msgID=1048797 msg=DIGEST-MD5 SASL mechanism using a server fully 
qualified domain name of: barn.our.org
[16/Feb/2012:17:04:19 -0500] category=EXTENSIONS severity=INFORMATION 
msgID=1048795 msg=GSSAPI SASL mechanism using a server fully qualified 
domain name of: barn.our.org
[16/Feb/2012:17:04:19 -0500] category=EXTENSIONS severity=INFORMATION 
msgID=1048794 msg=GSSAPI mechanism using a principal name of: 
principal="ldap/barn.our.org
[16/Feb/2012:17:04:19 -0500] category=EXTENSIONS severity=INFORMATION 
msgID=1049150 msg=The GSSAPI SASL mechanism handler initialization was 
successful

Keytab contains:

ktutil:  rkt opendj.keytab
ktutil:  l
slot KVNO Principal
---- ---- -----------------------------------------------
    1    5   ldap/rcf-ldap1.our.org at OUR.ORG
    2    5   ldap/rcf-ldap1.our.org at OUR.ORG
    3    5   ldap/rcf-ldap1.our.org at OUR.ORG
    4    5   ldap/rcf-ldap1.our.org at OUR.ORG
    5    6     ldap/barn.our.org at OUR.ORG
    6    6     ldap/barn.our.org at OUR.ORG
    7    6     ldap/barn.our.org at OUR.ORG
    8    6     ldap/barn.our.org at OUR.ORG
ktutil:

Bind error:

[16/Feb/2012:17:16:06 -0500] BIND REQ conn=107 op=0 msgID=1 type=SASL 
mechanism=GSSAPI dn="uid=jblaine,ou=People,dc=our,dc=org"
[16/Feb/2012:17:16:06 -0500] BIND RES conn=107 op=0 msgID=1 result=49 
authFailureID=1310929 authFailureReason="SASL GSSAPI protocol error: 
SaslException(GSS initiate failed)" etime=4

More information about the OpenDJ mailing list