[Opendj] SaslException(GSS initiate failed)
Jeff Blaine
jblaine at kickflop.net
Thu Feb 23 15:46:08 EST 2012
On 2/23/2012 12:43 PM, Matthew Swift wrote:
> Hi Jeff,
>
> Have you been able to make any progress with this?
Nope.
> I'm sorry I haven't had a chance to investigate it myself and probably
> won't until next week at the earliest.
How dare you not jump to a mailing list member's request
for help!
> Have you tried enabling the debug log? We log SASL exceptions, including
> their stack trace, to the debug log.
Worth a shot. Will do.
>
> Matt
>
>
> On Fri, Feb 17, 2012 at 9:11 PM, Jeff Blaine <jblaine at kickflop.net> wrote:
>
> export OPENDS_JAVA_ARGS="-Djava.util.logging.config.file=/LDAP/opendj/sasl.logging.properties"
>
> bin/start-ds --nodetach
>
> GSSAPI startup messages:
>
> [17/Feb/2012:14:50:43 -0500] category=EXTENSIONS severity=INFORMATION
> msgID=1048795 msg=GSSAPI SASL mechanism using a server fully qualified
> domain name of: barn.our.org
> [17/Feb/2012:14:50:43 -0500] category=EXTENSIONS severity=INFORMATION
> msgID=1048794 msg=GSSAPI mechanism using a principal name of:
> principal="ldap/barn.our.org
> [17/Feb/2012:14:50:43 -0500] category=EXTENSIONS severity=INFORMATION
> msgID=1049150 msg=The GSSAPI SASL mechanism handler initialization was
> successful
>
> The query/bind attempt:
>
> opendj:barnowl> bin/ldapsearch --bindDN "uid=jblaine,ou=People,dc=our,dc=org" \
>     --baseDN ou=People,dc=our,dc=org \
>     --saslOption mech=GSSAPI --saslOption authid=jblaine@OUR.ORG \
>     --hostname barn.our.org --port 389 uid=jblaine cn
> Password for user 'uid=jblaine,ou=People,dc=our,dc=org':
> An error occurred while attempting to perform GSSAPI authentication to
> the Directory Server:
> PrivilegedActionException(AccessController.java:-2)
> Result Code: 82 (Local Error)
> opendj:barnowl>
>
> The Kerberos KDC record of the TGS_REQ
>
> Feb 17 14:56:13 kdc1.our.org krb5kdc[2529](info): TGS_REQ (5 etypes
> {deleted_for_privacy}) IP_ADDRESS_OF_BARN_HERE: ISSUE: authtime
> 1329508573, etypes {deleted_for_privacy}, jblaine@OUR.ORG for
> ldap/barn.our.org@OUR.ORG
>
> The terminal output from bin/start-ds --nodetach
>
> Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server
> constructor
> FINE: SASLIMPL01:Preferred qop property: auth
> Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server
> constructor
> FINE: SASLIMPL02:Preferred qop mask: 1
> Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server
> constructor
> FINE: SASLIMPL03:Preferred qops : 1 0 0
> Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server
> constructor
> FINE: SASLIMPL04:Preferred strength property: null
> Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server
> constructor
> FINE: SASLIMPL05:Cipher strengths: 4 2 1
> Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server
> <init>
> FINE: KRB5SRV01:Using service name: ldap@barn.our.org
> Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server
> <init>
> FINE: KRB5SRV02:Initialization complete
> Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server
> evaluateResponse
> FINER: KRB5SRV03:Response [raw]: ( 538 ): 0000: 60 <deleted...>
>
> Note that "Using service name: ldap@barn.our.org" seems wrong
> to me, but what do I know. I would expect to see the service
> name as "ldap/barn.our.org@OUR.ORG"
>
> Note, too, which I will submit as a bug report unless you
> tell me otherwise, that OpenDJ 2.4.3 does not like one
> mucking with the SASL GSSAPI settings, then reverting
> them all back to defaults, and trying to 'finish'.
> This barfs. I had to disable the SASL GSSAPI mechanism,
> stop the server, start the server, then re-enable the
> SASL GSSAPI mechanism, make the changes back to defaults,
> and 'f'inish worked fine.
>
> _______________________________________________
> OpenDJ mailing list
> OpenDJ at forgerock.org
> https://lists.forgerock.org/mailman/listinfo/opendj
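Editor's added example; this is not code from the thread or from OpenDJ. Two things a reader debugging this bind would want to check are already visible in the logs above. First, the JDK SASL server's "Using service name: ldap@barn.our.org" is the GSS-API host-based service name form (service@host, RFC 2743), which the Kerberos mechanism maps to the principal service/host@REALM (RFC 1964), i.e. the same ldap/barn.our.org@OUR.ORG the KDC issued the ticket for. Second, whether the principal OpenDJ reports at startup, the service principal in the KDC's TGS_REQ line and that derived name all agree. The script below writes a java.util.logging properties file of the kind the post passes via -Djava.util.logging.config.file (its contents are an assumption: the JDK SASL providers log through the "javax.security.sasl" logger), then runs that three-way consistency check over constructed log lines modelled on the ones in the thread. Host barn.our.org and realm OUR.ORG are taken from the thread; the function names are mine.

```shell
#!/bin/sh
# Added example for this thread; not code from OpenDJ or from the poster.
# Part 1 writes a java.util.logging config of the kind the post points the
# server JVM at (contents are my assumption; the JDK SASL providers log
# through the "javax.security.sasl" logger, so FINEST there yields the
# SASLIMPL*/KRB5SRV* lines shown in the thread).
# Part 2 cross-checks the three service names visible in the post's logs.
# Host barn.our.org and realm OUR.ORG come from the thread; the sample log
# lines are constructed to match its format, with elided fields left elided.

write_sasl_logging_properties() {
    cat > "$1" <<'EOF'
handlers = java.util.logging.ConsoleHandler
.level = INFO
java.util.logging.ConsoleHandler.level = FINEST
javax.security.sasl.level = FINEST
EOF
}
# On the server host (not run here):
#   write_sasl_logging_properties /LDAP/opendj/sasl.logging.properties
#   export OPENDS_JAVA_ARGS="-Djava.util.logging.config.file=/LDAP/opendj/sasl.logging.properties"
#   bin/start-ds --nodetach

# GSS-API host-based service names are "service@host" (RFC 2743); the Kerberos
# mechanism maps that to the principal "service/host@REALM" (RFC 1964). This
# turns the form the JDK logs into the form the KDC logs.
gss_name_to_principal() {
    _svc=${1%%@*}
    _host=${1#*@}
    printf '%s/%s@%s\n' "$_svc" "$_host" "$2"
}

# Service principal named after "for" in a krb5kdc "TGS_REQ ... ISSUE" line.
tgs_req_service() {
    printf '%s\n' "$1" | sed -n 's/.*ISSUE:.* for \([^ ]*\)$/\1/p'
}

# Service name from the JDK's "KRB5SRV01:Using service name:" line.
jdk_service_name() {
    printf '%s\n' "$1" | sed -n 's/.*KRB5SRV01:Using service name: \([^ ]*\)$/\1/p'
}

# Principal from OpenDJ's msgID=1048794 startup line (closing quote optional,
# since the copy in the thread lacks one).
opendj_principal() {
    printf '%s\n' "$1" | sed -n 's/.*principal name of: principal="\{0,1\}\([^" ]*\)"\{0,1\}$/\1/p'
}

# Returns 0 when the ticket the KDC issued, the principal OpenDJ reports and
# the principal implied by the JDK service name all agree; 1 otherwise.
# Args: KDC line, JDK line, OpenDJ line, realm to assume where one is absent.
check_spn_consistency() {
    _kdc_spn=$(tgs_req_service "$1")
    _jdk_spn=$(gss_name_to_principal "$(jdk_service_name "$2")" "$4")
    _dj_spn=$(opendj_principal "$3")
    case "$_dj_spn" in
        *@*) ;;                        # realm already present
        *)   _dj_spn="$_dj_spn@$4" ;;  # logged without a realm, as in the thread
    esac
    if [ "$_kdc_spn" = "$_jdk_spn" ] && [ "$_kdc_spn" = "$_dj_spn" ]; then
        printf 'OK: ticket, OpenDJ principal and JDK service name all resolve to %s\n' "$_kdc_spn"
        return 0
    fi
    printf 'MISMATCH: KDC issued for %s, OpenDJ uses %s, JDK SASL uses %s\n' \
        "$_kdc_spn" "$_dj_spn" "$_jdk_spn"
    return 1
}

# Constructed sample lines modelled on the thread's output.
KDC_LINE='Feb 17 14:56:13 kdc1.our.org krb5kdc[2529](info): TGS_REQ (5 etypes {elided}) IP_ADDRESS_OF_BARN_HERE: ISSUE: authtime 1329508573, etypes {elided}, jblaine@OUR.ORG for ldap/barn.our.org@OUR.ORG'
JDK_LINE='FINE: KRB5SRV01:Using service name: ldap@barn.our.org'
DJ_LINE='[17/Feb/2012:14:50:43 -0500] category=EXTENSIONS severity=INFORMATION msgID=1048794 msg=GSSAPI mechanism using a principal name of: principal="ldap/barn.our.org"'

check_spn_consistency "$KDC_LINE" "$JDK_LINE" "$DJ_LINE" OUR.ORG
```

A MISMATCH from the check points at the service principal (or the keytab it must be in) as the thing to fix first. Agreement, which is what the thread's own three log lines give, means the failure lies elsewhere; the client's PrivilegedActionException is only the wrapper Java puts around the underlying exception, which is why the server-side debug log Matt suggests, with the SASL exception and its stack trace, is the next place to look.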