roehmdo1 Absent Member.

How to remove GSSAPI (kerberos) from supported mechanisms

We are having issues authenticating Macintosh clients to eDirectory periodically. Opened a ticket with Apple and they said I should remove GSSAPI from the supported mechanisms being published by the rootDSE on an LDAP search. Here is their suggestion:


Thanks for contacting us about case number 100596892609, LDAP issues.
Here’s the current status of your case:
ISSUE: Unable to log in to some clients using open directory credentials following deployment.
STATUS: Failed logins are the result of a failure to build a Kerberos credential cache. Since the server does not support Kerberos, recommended building out the LDAP rootDSE to specify supportedSASLMechanisms. rootDSE is returned by ldapsearch, packet capture shows successful retrieval of rootDSE during login but the GSSAPI mechanism is unexpectedly listed. Recommend removing GSSAPI from the supported mechanisms list as Kerberos is not supported by the directory.

Any idea how to remove GSSAPI from the supported mechanisms?

Thanks in advance
Doug
0 Likes
Knowledge Partner

Re: How to remove GSSAPI (kerberos) from supported mechanisms

On 06/08/18 16:24, roehmdo wrote:

> We are having issues authenticating Macintosh clients to eDirectory
> periodically. Opened a ticket with Apple and they said I should remove
> GSSAPI from the supported mechanisms being published by the rootDSE on an
> LDAP search. Here is their suggestion:
>
>
> Thanks for contacting us about case number 100596892609, LDAP issues.
> Here's the current status of your case:
> ISSUE: Unable to log in to some clients using open directory credentials
> following deployment. STATUS: Failed logins are the result of a failure
> to build a Kerberos credential cache. Since the server does not support
> Kerberos, recommended building out the LDAP rootDSE to specify
> supportedSASLMechanisms. rootDSE is returned by ldapsearch, packet
> capture shows successful retrieval of rootDSE during login but the
> GSSAPI mechanism is unexpectedly listed. Recommend removing GSSAPI from
> the supported mechanisms list as Kerberos is not supported by the
> directory.
>
> Any idea how to remove GSSAPI from the supported mechanisms?


Since you have posted in an OES Linux forum this is eDirectory running
on OES? Which version of OES?

Also by "authenticating" do you mean via LDAP or is Kanaka involved?

Finally which version(s) of Mac OS X are involved?

HTH.
--
Simon
Micro Focus Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------
0 Likes
roehmdo1 Absent Member.

Re: How to remove GSSAPI (kerberos) from supported mechanism

Sorry
Running on OES2015

authenticating via ldap

mac os version (high Sierra)
0 Likes
Knowledge Partner

Re: How to remove GSSAPI (kerberos) from supported mechanisms

On 06/08/18 17:14, roehmdo wrote:

> Sorry
> Running on OES2015
>
> authenticating via ldap
>
> mac os version (high Sierra)


It's been a few years since I was authenticating Macs against eDirectory
and things have obviously changed since then, some for the better!

Finding http://pig.made-it.com/ldap-mac.html what does the following
report when run on the OES server?


$ ldapsearch -x -h localhost -D "cn=manager,dc=example,dc=com" -W -b '' -s base -LLL "(objectclass=*)" supportedSASLMechanisms


Obviously change cn=manager,dc=example,dc=com to fit your setup.

HTH.
--
Simon
Micro Focus Knowledge Partner

0 Likes
roehmdo1 Absent Member.

Re: How to remove GSSAPI (kerberos) from supported mechanism

supportedSASLMechanisms = NMAS_LOGIN
supportedSASLMechanisms = EXTERNAL
supportedSASLMechanisms = DIGEST-MD5
supportedSASLMechanisms = GSSAPI
0 Likes
Knowledge Partner

Re: How to remove GSSAPI (kerberos) from supported mechanism

roehmdo;2485339 wrote:

> supportedSASLMechanisms = NMAS_LOGIN
> supportedSASLMechanisms = EXTERNAL
> supportedSASLMechanisms = DIGEST-MD5
> supportedSASLMechanisms = GSSAPI


Maybe this: https://www.netiq.com/documentation/edir88/nmas88/data/a49tv39.html

Thomas
0 Likes
roehmdo1 Absent Member.

Re: How to remove GSSAPI (kerberos) from supported mechanism

Yes
I saw that but was concerned, if I delete it and need it back, how to re-install it. Found the zip file on the server to re-add the method. And yes, I deleted the method and all is fine now.
Thanks for your help
0 Likes
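A way to confirm the change from the client's point of view, as an added example (not code from this thread or from Micro Focus): a shell check that reads rootDSE output, in LDIF or in the "attr = value" form posted above, and reports any advertised SASL mechanism outside an allow-list. The function names, the allow-list and both samples are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit which SASL mechanisms a rootDSE advertises.
# Reads ldapsearch output on stdin, either LDIF ("attr: value") or the
# "attr = value" form posted in this thread.

# Print each advertised mechanism once, upper-cased, one per line.
advertised_mechs() {
    awk '{
        line = $0
        sub(/\r$/, "", line)                      # tolerate CRLF captures
        # LDAP attribute names are case-insensitive
        if (tolower(line) !~ /^[ \t]*supportedsaslmechanisms[ \t]*[:=]/) next
        sub(/^[^:=]*[:=][ \t]*/, "", line)        # drop "name:" or "name ="
        sub(/[ \t]+$/, "", line)
        if (line != "") print toupper(line)
    }' | sort -u
}

# unexpected_mechs ALLOWED...
# Print every advertised mechanism that is not in the allow-list.
# Returns 1 if at least one was found, 0 otherwise.
unexpected_mechs() {
    allowed=" $(printf '%s ' "$@" | tr '[:lower:]' '[:upper:]')"
    found=0
    for m in $(advertised_mechs); do
        case "$allowed" in
            *" $m "*) ;;
            *) printf '%s\n' "$m"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed samples: the rootDSE output posted in this thread, and a
# hypothetical LDIF result from the same server after the method was removed.
BEFORE='supportedSASLMechanisms = NMAS_LOGIN
supportedSASLMechanisms = EXTERNAL
supportedSASLMechanisms = DIGEST-MD5
supportedSASLMechanisms = GSSAPI'
AFTER='dn:
supportedSASLMechanisms: NMAS_LOGIN
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# Assumed allow-list: the mechanisms this directory is meant to serve.
printf '%s\n' "$BEFORE" | unexpected_mechs NMAS_LOGIN EXTERNAL DIGEST-MD5 \
    || echo "rootDSE advertises a mechanism outside the allow-list"
```

Against a live server, pipe the ldapsearch command from earlier in the thread into unexpected_mechs instead of the sample text.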