[Bug 229252] Re: [SRU]slapd gssapi failure - apparmor profile doesn't support kerberos gssapi

jplien jolien at vt.edu
Mon Jan 26 18:53:13 GMT 2009

I applied the fix from hardy-proposed, restarted slapd and apparmor, and
I am no longer getting errors from apparmor in /var/log/messages.
Accessing slapd using GSSAPI doesn't work, however, because slapd
doesn't seem to honor my KRB5_KTNAME variable.  I had this working in
gutsy, but since the upgrade to hardy I can't use GSSAPI.  Trying to
connect gives the following slapd output:

SASL [conn=1] Failure: GSSAPI Error: Unspecified GSS failure.  Minor
code may provide more information (Permission denied)

I have a keytab file /etc/ldap/slapd.keytab (owned by openldap:openldap,
mode 600), and I have KRB5_KTNAME=/etc/ldap/slapd.keytab.  This is set
in /etc/default/slapd when slapd is started automatically, and I set it
on the cmd line before running slapd manually.  Neither method works.  If I
make /etc/slapd.keytab world readable, nothing changes.  If I make
/etc/krb5.keytab world readable, then it complains instead about not
finding the principal it wants, so this is definitely where it is
looking.  Did something change between gutsy and hardy as far as
specifying a keytab?  I can't find info on this anywhere else.
