Forum Replies Created

Viewing 1 post (of 1 total)
  • Author
    Posts
  • in reply to: LDAP Errors #368263
    eb0vine
    Participant

    Funny that I came across your post just now. I think that I fixed this problem < 7 minutes ago. As it says, some principal is not present in the Kerberos keyfile. Unfortunately I couldn't find the right debug flags that actually told me what it was looking for. Run the following and ensure that you have principals named "ldap" and any other service that may run.

    $ sudo kinit

    $ sudo kadmin.local -q listprincs

    I had the necessary princs listed, and the only svc that was actively ‘pinging’ my krb instance was Workgroup Manager (which was in read-only mode, for some reason). I disabled and reenabled the ‘Enable SSL’ and that cleared up the problem. This makes very little sense to me, as the Workgroup Manager would not have been able to complete a connection if there were SSL problems… much less cause slapd to dump that GSSAPI error.

    I’ve noticed that many, many issues stem from invalid or expired certs… it’s just never easy to tell that they are the problem.

    If anyone has more info on this issue, I’d be ecstatic to hear about it. I was fairly methodical in changing one variable at a time; however, my conclusion isn’t quite clear.

    – eb
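
Added example, not part of eb0vine's post: since the post says the error points at a principal missing from the Kerberos keyfile, this script compares saved output of `sudo kadmin.local -q listprincs` with saved output of `sudo klist -k` and reports service principals missing from either. It assumes MIT Kerberos output formats; the host, realm, service list and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; assumes MIT Kerberos output formats.
#
# check_principals "SERVICES" PRINCS_FILE KEYTAB_FILE
#   PRINCS_FILE: saved output of `sudo kadmin.local -q listprincs`
#   KEYTAB_FILE: saved output of `sudo klist -k`
# Prints one line per problem:
#   NO-PRINCIPAL <service>     no service/host@REALM entry in the KDC listing
#   NOT-IN-KEYTAB <principal>  listed in the KDC, but no key in the keytab
check_principals() {
    services=$1; princs=$2; keytab=$3
    for svc in $services; do
        found=$(grep -E "^${svc}/[^@]+@" "$princs" || true)
        if [ -z "$found" ]; then
            echo "NO-PRINCIPAL $svc"
            continue
        fi
        for p in $found; do
            # Keytab rows look like "   3 ldap/host@REALM"; header lines are skipped.
            awk -v p="$p" '$1 ~ /^[0-9]+$/ && $2 == p { f = 1 } END { exit !f }' \
                "$keytab" || echo "NOT-IN-KEYTAB $p"
        done
    done
}

# Constructed sample data: hypothetical host, realm and service list.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/princs.txt" <<'EOF'
Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldap/server.example.com@EXAMPLE.COM
host/server.example.com@EXAMPLE.COM
EOF
    cat > "$dir/keytab.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
EOF
    check_principals "ldap host imap" "$dir/princs.txt" "$dir/keytab.txt"
    rm -rf "$dir"
}

demo
```

On a real server, save the two command outputs to files and pass them to `check_principals` along with the list of services that should be kerberized.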
