[squid-users] Re: Re: msktutil: Error: ldap_set_option (option=) failed (Can't contact LDAP server)

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 29 Jun 2010 23:39:31 +0100

Hi Tom,

  I have a SLES 11 system I can test tomorrow. It looks like an option is
not available.

   Error: ldap_set_option (option=) failed (Can't contact LDAP server)

Markus

"Tom Tux" <tomtux80_at_gmail.com> wrote in message
news:AANLkTimytN03x2ZOV8aFj4_3plnUQ9feA0iWwWddHddx_at_mail.gmail.com...
> Hi Markus
>
> Here is the output:
> ------------------ snip -----------------------
> proxy-test-01:/usr/local/mskutil-0.4/sbin # ./msktutil -c -s
> HTTP/proxy-test-01.xx.yy -h proxy-test-01 -k /etc/krb5.keytab
> --computer-name proxy-test-01 --upn HTTP/proxy-test-01.xx.yy --server
> dc1.xx.yy --verbose
> -- init_password: Wiping the computer password structure
> -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.msktkrb5.conf-OINkN1
> -- reload: Reloading Kerberos Context
> -- finalize_exec: SAM Account Name is: proxy-test-01$
> -- try_machine_keytab_princ: Trying to authenticate for
> proxy-test-01$ from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Key table entry not found)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for
> host/proxy-test-01.xx.yy from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_password: Trying to authenticate for proxy-test-01$
> with password.
> -- try_machine_password: Error: krb5_get_init_creds_keytab failed
> (Preauthentication failed)
> -- try_machine_password: Authentication with password failed
> -- try_user_creds: Checking if default ticket cache has tickets...
> -- finalize_exec: Authenticated using method 4
>
> -- ldap_connect: Connecting to LDAP server: dc1.xx.yy try_tls=YES
> SASL/GSSAPI authentication started
> SASL username: administrator_at_xx.yy
> SASL SSF: 0
> Error: ldap_set_option (option=) failed (Can't contact LDAP server)
> -- ~KRB5Context: Destroying Kerberos Context
> ------------------ snap -----------------------
>
> The computer account already exists in AD (joined with "net ads
> join").
> ktutil gives me no principals back:
>
> proxy-test-01:/usr/local/mskutil-0.4/sbin # ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> ktutil:
>
>
> Thanks a lot.
> Kind regards
> Tom
>
> 2010/6/29 Markus Moeller <huaraz_at_moeller.plus.com>:
>> Can you post the whole output of msktutil with --verbose please. If
>> msktutil
>> fails with TLS on port 389 it will try again without TLS.
>>
>> Regards
>> Markus
>>
>> "Tom Tux" <tomtux80_at_gmail.com> wrote in message
>> news:AANLkTil1Fhq5Ks3NX8MoSTKIC2qOACz1xpMp6wH6RpkD_at_mail.gmail.com...
>> this works. I'm also able to telnet with tcp 636 (ldaps).
>>
>> I'm just searching for a solution to kerberise squid without the need
>> of winbind/smb.
>>
>>
>> 2010/6/28 Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>:
>>>
>>> They seem ok.
>>>
>>> Telnet to your dc on 389?
>>>
>>>
>>> On 28/06/2010 14:40, "Tom Tux" <tomtux80_at_gmail.com> wrote:
>>>
>>> Which LDAP libraries should be installed?
>>> The following devel-packages are installed (SLES11-System):
>>> - openldap2-devel
>>> - cyrus-sasl-devel
>>>
>>>
>>>
>>> 2010/6/28 Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>:
>>>>
>>>> Missing ldap libraries maybe?
>>>>
>>>>
>>>> On 28/06/2010 12:32, "Tom Tux" <tomtux80_at_gmail.com> wrote:
>>>>
>>>> Hi
>>>>
>>>> I'm trying to generate a computer account with msktutil:
>>>>
>>>> I got the following error:
>>>> ...
>>>> ...
>>>> - ldap_connect: Connecting to LDAP server: dc1.domain.com try_tls=YES
>>>> SASL/GSSAPI authentication started
>>>> SASL username: admin_at_DOMAIN.COM
>>>> SASL SSF: 0
>>>> Error: ldap_set_option (option=) failed (Can't contact LDAP server)
>>>> -- ~KRB5Context: Destroying Kerberos Context
>>>>
>>>>
>>>>
>>>> I have a valid ticket (klist), initiated with adminuser_at_DOMAIN.COM.
>>>> Does anyone have any hints? I see that msktutil tries TLS
>>>> (encrypted) on port 389 (LDAP) on the domain controller. Can I use
>>>> native (unencrypted) LDAP?
>>>>
>>>> Thanks a lot.
>>>> Tom
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
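An added triage helper, not part of this thread or of msktutil itself: it parses a constructed copy of the --verbose transcript posted above and reports which authentication attempt succeeded, how the LDAP step ended and which checks the replies point at. The field names, regexes and hint wording are my own assumptions about the transcript format, not an msktutil specification.

```python
import re

# Constructed sample: a cut-down copy of the msktutil --verbose transcript posted in the
# thread (hostnames anonymised as the poster did). Not msktutil's own code or format spec.
SAMPLE_LOG = """\
-- try_machine_keytab_princ: Trying to authenticate for proxy-test-01$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: dc1.xx.yy try_tls=YES
SASL username: administrator@xx.yy
SASL SSF: 0
Error: ldap_set_option (option=) failed (Can't contact LDAP server)
"""

FAIL_RE = re.compile(r"^-- (try_\w+): Error: \w+ failed \((.*)\)$", re.M)
LDAP_RE = re.compile(r"^Error: (ldap_\w+) \(option=(.*?)\) failed \((.*)\)$", re.M)


def triage(log):
    """Summarise how far an msktutil run got and which checks its failure points at."""
    def grab(pat, conv=str):  # first match of a one-group pattern, or None
        m = re.search(pat, log, re.M)
        return conv(m.group(1)) if m else None

    r = {"kerberos_failures": FAIL_RE.findall(log),
         "auth_method": grab(r"Authenticated using method (\d+)", int),
         "ldap_server": grab(r"Connecting to LDAP server: (\S+) try_tls="),
         "try_tls": grab(r"try_tls=(\w+)"),
         "sasl_ssf": grab(r"^SASL SSF: (\d+)$", int),
         "ldap_error": None, "hints": []}
    m = LDAP_RE.search(log)
    if m:
        r["ldap_error"] = m.group(3)
        if not m.group(2):  # "(option=)" with nothing after the '='
            r["hints"].append("%s names no option: the option it tried to set may be "
                              "unavailable in the linked LDAP library" % m.group(1))
    if any("Key table entry not found" in why for _, why in r["kerberos_failures"]):
        r["hints"].append("keytab lacks the machine principal; check with ktutil "
                          "('rkt /etc/krb5.keytab' then 'l')")
    if r["ldap_error"] and r["try_tls"] == "YES":
        r["hints"].append("failed while StartTLS was requested on the plain LDAP port; test "
                          "TLS on 389 separately from plain TCP reachability of 389 and 636")
    if r["ldap_error"] and r["sasl_ssf"] == 0:
        r["hints"].append("SASL SSF 0: no GSSAPI integrity/confidentiality layer, so only "
                          "TLS could have protected this session")
    return r
```

Run it over a saved `msktutil --verbose 2>&1` transcript instead of SAMPLE_LOG to get the same summary for your own host.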
Received on Tue Jun 29 2010 - 22:40:06 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 30 2010 - 12:00:04 MDT