Tuesday, March 3, 2009

Ubuntu: saslauthd internal error in k5support_verify_tgt

When trying to get LDAP simple bind to work against Kerberos5 with saslauthd, I kept running into the following error:


saslauthd[29808]: auth_krb5: k5support_verify_tgt
saslauthd[29808]: do_auth : auth failure: [user=kvo] [service=ldap] [realm=LOCALREALM] [mech=kerberos5] [reason=saslauthd internal error]


A search for the error only mentioned adding the host principal to the keytab file, which I had done, but I was still getting the error.

It seems saslauthd on Ubuntu requires that KRB5_KTNAME is set... even though /etc/krb5.keytab is the default, it still needs the environment variable to be present. (Explicitly setting the default keytab in /etc/krb5.conf didn't help either.)

So the solution to the problem is to add:


# Keytab path (this line originally read /etc/krb5.conf, a typo pointed out in the comments)
export KRB5_KTNAME=/etc/krb5.keytab


to the /etc/default/saslauthd file.
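
As an added example (not part of the original post), this shell function checks the setting described above: it reads KRB5_KTNAME from the defaults file, confirms the path is readable and begins with the keytab magic byte 0x05 (so a krb5.conf path is rejected), and flags a keytab that group or others can access. The function name, the return codes and the strict-permissions policy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Return codes (chosen for this example):
#   0 ok (prints the keytab path)   1 KRB5_KTNAME not set
#   2 keytab missing/unreadable     3 file is not a keytab
#   4 keytab accessible by group or others
# Usage: check_saslauthd_keytab /etc/default/saslauthd

check_saslauthd_keytab() {
    defaults=${1:-/etc/default/saslauthd}

    # Last uncommented KRB5_KTNAME assignment, with or without "export".
    kt=$(sed -n -e 's/^[[:space:]]*export[[:space:]]*//' \
                -e 's/^[[:space:]]*KRB5_KTNAME=//p' "$defaults" 2>/dev/null |
         tail -n 1 | tr -d "\"'")
    kt=${kt#FILE:}   # Kerberos also accepts the FILE:/path form

    if [ -z "$kt" ]; then
        echo "KRB5_KTNAME is not set in $defaults" >&2
        return 1
    fi
    if [ ! -r "$kt" ]; then
        echo "$kt is missing or unreadable" >&2
        return 2
    fi

    # A keytab file starts with byte 0x05 followed by a format version.
    magic=$(od -An -tx1 -N1 "$kt" | tr -d ' \n')
    if [ "$magic" != "05" ]; then
        echo "$kt does not look like a keytab (first byte: ${magic:-none})" >&2
        return 3
    fi

    # The keytab holds long-term keys; this example's policy (an assumption)
    # is that group and others get no access at all.
    perms=$(ls -ld "$kt" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$kt is accessible by group/others ($perms)" >&2
        return 4
    fi

    echo "$kt"
}
```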

2 comments:

nayr said...

that should be:
export KRB5_KTNAME=/etc/krb5.keytab and not /etc/krb5.conf

Karl Vogel said...

Good catch! That was indeed a typo.