Comment 15 for bug 229252

jplien (jolien) wrote :

I applied the fix from hardy-proposed, restarted slapd and apparmor, and I am no longer getting errors from apparmor in /var/log/messages. Accessing slapd using GSSAPI doesn't work, however, because slapd doesn't seem to honor my KRB5_KTNAME variable. I had this working in gutsy, but since the upgrade to hardy I can't use GSSAPI. Trying to connect gives the following slapd output:

SASL [conn=1] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)

I have a keytab file /etc/ldap/slapd.keytab (owned by openldap:openldap, mode 600), and I have KRB5_KTNAME=/etc/ldap/slapd.keytab. This is set in /etc/default/slapd when slapd is started automatically, and I set it on the cmd line before running slapd manually. Neither method works. If I make /etc/slapd.keytab world readable, nothing changes. If I make /etc/krb5.keytab world readable, then it complains instead about not finding the principal it wants, so this is definitely where it is looking. Did something change between gutsy and hardy as far as specifying a keytab? I can't find info on this anywhere else.