
Debugging Kerberos

Heimdal might be behind MIT's implementation for certain things, but it surely is way nicer to debug. With MIT I kept getting:

ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)

which means the correct principal can't be found in the keytab. I checked and double-checked, and ldap/kdc.int.test was actually there. I had to GDB the damn thing to find out that, no matter what, it was looking for ldap/localhost.localdomain. (Silly me for leaving the wrong hostname.) And using ltrace wasn't working because SASL dlopens the GSSAPI plugin. Enter Heimdal: I recompiled cyrus-sasl2 against Heimdal's GSSAPI implementation, retried, and actually got useful error messages:

ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (failed to find ldap/localhost.localdomain@INT.TEST in keytab /etc/krb5.keytab (null))
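Added example, not part of the original post: a small shell check that does the same diagnosis without GDB, by deriving the principal the server will ask for (service/FQDN@REALM) and comparing it with what `klist -k` actually lists. The keytab listing, the kdc.int.test host and the INT.TEST realm below are constructed sample values.

```shell
#!/bin/sh
# Diagnose "No principal in keytab matches desired name": the server looks
# for service/<its idea of the FQDN>@REALM, which may differ from the entry
# that was added to the keytab (ldap/localhost.localdomain vs ldap/kdc.int.test).

# Print the principal the server will ask for, e.g. expected_principal ldap INT.TEST
expected_principal() {
    printf '%s/%s@%s\n' "$1" "$(hostname -f)" "$2"
}

# Parse `klist -k` output on stdin (MIT or Heimdal column layout: the
# principal is the field containing '@') and print unique principals.
keytab_principals() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /@/) print $i }' | sort -u
}

# Report whether WANTED is in the klist output on stdin: prints "ok", or
# "missing: WANTED" plus the keytab entries for the same service so the
# hostname mismatch is visible at a glance. Returns 1 on a miss.
check_principal() {
    wanted="$1"
    service="${wanted%%/*}"
    present=$(keytab_principals)
    if printf '%s\n' "$present" | grep -qxF "$wanted"; then
        echo "ok"
        return 0
    fi
    echo "missing: $wanted"
    printf '%s\n' "$present" | grep "^$service/" | sed 's/^/  keytab has: /'
    return 1
}

# Constructed MIT-style `klist -k` listing (one line per enctype entry,
# hence the duplicate) standing in for `klist -k /etc/krb5.keytab`.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/kdc.int.test@INT.TEST
   2 ldap/kdc.int.test@INT.TEST
   2 host/kdc.int.test@INT.TEST
EOF
}

# Real usage on a host with a Kerberos client installed:
#   klist -k /etc/krb5.keytab | check_principal "$(expected_principal ldap INT.TEST)"
```

If the output reads "missing: ldap/localhost.localdomain@INT.TEST" followed by "keytab has: ldap/kdc.int.test@INT.TEST", the fix is the hostname (or the keytab entry), not the LDAP or SASL configuration.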

Also stumbled into #400955 and #382458 while setting things up.