How to remove GSSAPI (kerberos) from supported mechanisms

We are having issues authenticating Macintosh clients to eDirectory periodically. Opened a ticket with Apple and they said I should remove GSSAPI from the supported mechanisms being published by the rootDSE on an LDAP search. Here is their suggestion:


Thanks for contacting us about case number 100596892609, LDAP issues.
Here’s the current status of your case:
ISSUE: Unable to login to some clients using open directory credentials following deployment.
STATUS: Failed logins are the result of a failure to build a Kerberos credential cache. Since the server does not support Kerberos, recommended building out the LDAP rootDSE to specify supportedSASLMechanisms. rootDSE is returned by ldapsearch, packet capture shows successful retrieval of rootDSE during login but the GSSAPI mechanism is unexpectedly listed. Recommend removing GSSAPI from the supported mechanisms list as Kerberos is not supported by the directory.

Any idea how to remove GSSAPI from the supported mechanisms?

Thanks in advance
Doug
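
To confirm what the rootDSE is advertising before and after any change, the ldapsearch output can be checked mechanically. The following is an added example, not part of the original thread: it parses rootDSE LDIF (handling folded lines and base64 values) and reports mechanisms that are advertised but not expected. The hostname in the comment and the sample LDIF are constructed placeholders.

```python
import base64

# Constructed sample of rootDSE LDIF, in the shape printed by:
#   ldapsearch -x -LLL -H ldap://ldap.example.com -s base -b "" supportedSASLMechanisms
# (ldap.example.com is a placeholder; the values are illustrative, not from the thread)
SAMPLE_LDIF = """\
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST
 -MD5
supportedSASLMechanisms:: RVhURVJOQUw=
"""


def unfold(ldif):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def advertised_mechanisms(ldif):
    """Return the supportedSASLMechanisms values found in rootDSE LDIF."""
    mechs = []
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "supportedsaslmechanisms":
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        mechs.append(value.strip().upper())
    return mechs


def unexpected_mechanisms(ldif, supported):
    """Mechanisms the rootDSE lists that the directory is not meant to offer."""
    allowed = {m.upper() for m in supported}
    return [m for m in advertised_mechanisms(ldif) if m not in allowed]


if __name__ == "__main__":
    # Assumption: this directory is only meant to offer these two mechanisms.
    print(unexpected_mechanisms(SAMPLE_LDIF, {"DIGEST-MD5", "EXTERNAL"}))
```
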
  • On 06/08/18 16:24, roehmdo wrote:

    > We are having issues authenticating Macintosh clients to eDirectory
    > periodically. Opened a ticket with Apple and they said I should remove
    > GSSAPI from the supported mechanisms being published by the rootDSE on an
    > LDAP search. Here is their suggestion:
    >
    >
    > Thanks for contacting us about case number 100596892609, LDAP issues.
    > Here's the current status of your case:
    > ISSUE: Unable to login to some clients using open directory credentials
    > following deployment. STATUS: Failed logins are the result of a failure
    > to build a Kerberos credential cache. Since the server does not support
    > Kerberos, recommended building out the LDAP rootDSE to specify
    > supportedSASLMechanisms. rootDSE is returned by ldapsearch, packet
    > capture shows successful retrieval of rootDSE during login but the
    > GSSAPI mechanism is unexpectedly listed. Recommend removing GSSAPI from
    > the supported mechanisms list as Kerberos is not supported by the
    > directory.
    >
    > Any idea how to remove GSSAPI from the supported mechanisms?


    Since you have posted in an OES Linux forum this is eDirectory running
    on OES? Which version of OES?

    Also by "authenticating" do you mean via LDAP or is Kanaka involved?

    Finally which version(s) of Mac OS X are involved?

    HTH.
    --
    Simon
    Micro Focus Knowledge Partner

    ------------------------------------------------------------------------
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below. Thanks.
    ------------------------------------------------------------------------