
I'm setting up openLDAP with SASL authentication with Kerberos. I have a problem with this auth.

First, I get the Kerberos ticket with kinit. When I run klist, the ticket is displayed. So, no problem. But when I try to run ldapwhoami, I get an error:

[hue@sandbox ~]$ kdestroy

[hue@sandbox ~]$ kinit vishnu
Password for vishnu@MORTO.COM:

[hue@sandbox ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1007
Default principal: vishnu@MORTO.COM

Valid starting     Expires            Service principal
05/29/14 06:42:52  05/29/14 16:42:52  krbtgt/MORTO.COM@MORTO.COM
        renew until 06/05/14 06:42:48
05/29/14 06:42:57  05/29/14 16:42:52  ldap/morto.com@MORTO.COM
        renew until 06/05/14 06:42:48

[hue@sandbox ~]$ ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()

I don't know where to search anymore. Please, help me.

Voulzy

1 Answer


I had the same error message with the missing minor code. While searching for people with similar problems I noticed that this usually has something to do with an inaccessible keytab file.

In my case the problem was that the group of the /etc/openldap/ldap.keytab file was root instead of ldap. Other possible problems can be a wrong or missing KRB5_KTNAME path in your slapd options file (/etc/sysconfig/ldap on Red Hat 6).

BeeJee
  • I'm sure that I had access to the keytab because I used chmod 777... And I also well specified the path to the keytab. Thanks anyway for your reply ! – Voulzy Jun 03 '14 at 15:08
  • Sometimes that's the problem, I don't know in this case in particular, but sometimes the keytab file has to have 644 permission or whatever thing it is reading it won't recognize it. – Cesc Sep 01 '14 at 08:03
  • To be more precise about my last comment, check here: http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/ it says permissions 400. – Cesc Sep 01 '14 at 08:09
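A small diagnostic for the keytab-access causes the answer and comments discuss (keytab group root instead of ldap, 644 vs 400 modes, KRB5_KTNAME in /etc/sysconfig/ldap). This is an added example, not code from the question or answer; it assumes the Red Hat 6 paths named above, that slapd runs as the local ldap account, and uses a constructed sysconfig sample.

```python
import grp
import os
import pwd
import re
import stat

# Keytab path named in the answer above (Red Hat 6 layout); adjust as needed.
DEFAULT_KEYTAB = "/etc/openldap/ldap.keytab"

SAMPLE_SYSCONFIG = """# /etc/sysconfig/ldap (constructed sample, not a real file)
SLAPD_OPTIONS=""
KRB5_KTNAME=/etc/openldap/ldap.keytab
"""

def keytab_readable(mode, owner_uid, owner_gid, uid, gids):
    """Unix owner/group/other rule: can a process running as uid (member of
    gids) read a file with these permission bits and ownership?"""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def user_gids(user):
    """Primary plus supplementary group ids of a local account."""
    gids = {pwd.getpwnam(user).pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return gids

def check_keytab(path=DEFAULT_KEYTAB, user="ldap"):
    """Return (ok, reason): can the slapd service account open the keytab?"""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "%s does not exist" % path
    mode = stat.S_IMODE(st.st_mode)
    if keytab_readable(mode, st.st_uid, st.st_gid,
                       pwd.getpwnam(user).pw_uid, user_gids(user)):
        return True, "%s can read %s" % (user, path)
    return False, "%s cannot read %s (uid %d, gid %d, mode %04o)" % (
        user, path, st.st_uid, st.st_gid, mode)

def ktname_from_sysconfig(text):
    """KRB5_KTNAME value from sysconfig-style text, or None when it is unset."""
    for line in text.splitlines():
        m = re.match(r'\s*(?:export\s+)?KRB5_KTNAME\s*=\s*["\']?([^"\'\s#]+)', line)
        if m:
            return m.group(1)
    return None
```

Run check_keytab(ktname_from_sysconfig(open("/etc/sysconfig/ldap").read()) or DEFAULT_KEYTAB) on the server: a False result with a mode like 0640 and gid 0 is exactly the group-root case from the answer.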