<br><br><div class="gmail_quote">2010/10/4 Matt Carey <span dir="ltr">&lt;<a href="mailto:cvstealth2000@yahoo.com">cvstealth2000@yahoo.com</a>&gt;</span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">

<div><div style="font-family: times new roman,new york,times,serif; font-size: 8pt;"><div>Andrey,<br><br>Thanks for the reply. I do see the ldap/<a href="http://station1.example.com" target="_blank">station1.example.com</a> ticket show up on the user end and I see the KDC issuing the ticket to the client, but I still get the SASL authentication failures. The one thing I see in the klist output is that the ldap ticket entry doesn&#39;t have the Kerberos REALM on it. Do you see that behavior as well in your implementation?<br>

<br>Client side:<br>[mcarey@station1 ~]$ kinit mcarey<div class="im"><br>Password for <a href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a>: <br></div>[mcarey@station1 ~]$ klist -e<div class="im">

<br>Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20<br>Default principal: <a href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a><br><br>Valid starting     Expires            Service principal<br>

</div>10/04/10 12:35:49  10/04/10 19:15:49  krbtgt/<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a>@<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a><br>    Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1 <br>

<div class="im"><br><br>Kerberos 4 ticket cache: /tmp/tkt5000<br>klist: You have no tickets cached<br></div>[mcarey@station1 ~]$ /usr/bin/ldap -Y GSSAPI -h <a href="http://station1.example.com" target="_blank">station1.example.com</a> -b &quot;dc=example,dc=com&quot; &quot;(cn=*)&quot;<br>

-bash: /usr/bin/ldap: No such file or directory<br>[mcarey@station1 ~]$ /usr/bin/ldapsearch -Y GSSAPI -h <a href="http://station1.example.com" target="_blank">station1.example.com</a> -b &quot;dc=example,dc=com&quot; &quot;(cn=*)&quot;<div class="im">

<br>SASL/GSSAPI authentication started<br>ldap_sasl_interactive_bind_s: Invalid credentials (49)<br>    additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br></div>[mcarey@station1 ~]$ klist -e<div class="im">

<br>Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20<br>Default principal: <a href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a><br><br>Valid starting     Expires            Service principal<br></div>10/04/10 12:35:49  10/04/10 19:15:49  krbtgt/<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a>@<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a><br>

    Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1 <br>10/04/10 12:37:48  10/04/10 19:15:49  ldap/<a href="http://station1.example.com" target="_blank">station1.example.com</a>@<br>

</div></div></div></blockquote><div>It&#39;s strange you don&#39;t have the REALM part of the ldap/<a href="http://station1.example.com">station1.example.com</a> principal... So it won&#39;t be mapped by your &quot;nsSaslMapRegexString: (.*)@<a rel="nofollow" href="http://statation1.example.com/" target="_blank">STATATION1.EXAMPLE.COM</a>&quot;. Verify that the server will be able to decrypt the data with its keytab:<br>

kdestroy<br>kinit -k -t /etc/dirsrv/ds.keytab &#39;ldap/<a href="http://station1.example.com/" target="_blank">station1.example.com</a>@<a href="http://station1.example.com/" target="_blank">STATION1.EXAMPLE.COM</a>&#39;<br>

klist -e<br><br><br>I think you should also correct your mapping part. The default settings should be OK. And if you make your own mapping, you should follow the same syntax as the default entries, that is, you should escape the parentheses \(. It applies in particular to your &quot;Station1 Kerberos Mapping&quot;, where nsSaslMapRegexString should be like \(.*\)@<a rel="nofollow" href="http://statation1.example.com/" target="_blank">STATATION1.EXAMPLE.COM</a><br>

<br>If these verifications are OK, it means that either the server cannot correctly read the keytab or you don&#39;t have a user with uid=mcarey in your LDAP tree. To see more details in the access log you may switch on the logging of internal server searches: add 4 to the current value of the nsslapd-accesslog-level attribute of cn=config; it should give something like<br>

nsslapd-accesslog-level: 260<br><br>With internal search logging enabled you will see exactly what and how the server searches when it tries to map the principal to the entry.<br><br> @+<br><br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">

<div><div style="font-family: times new roman,new york,times,serif; font-size: 8pt;"><div><div class="im"><br>Kerberos 4 ticket cache: /tmp/tkt5000<br>klist: You have no tickets cached<br><br><br></div>KDC/DS side:<br># tail -n0 -f /var/log/krb5kdc.log <br>

Oct 04 12:39:06 <a href="http://station1.example.com" target="_blank">station1.example.com</a> krb5kdc[7514](info): AS_REQ (7 etypes {16 1 11 10 15 12 13}) <a href="http://10.100.0.45" target="_blank">10.100.0.45</a>: ISSUE: authtime 1286210346, etypes {rep=16 tkt=16 ses=16}, <a href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a> for krbtgt/<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a>@<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a><br>

Oct 04 12:39:55 <a href="http://station1.example.com" target="_blank">station1.example.com</a> krb5kdc[7514](info): TGS_REQ (2 etypes {16 1}) <a href="http://10.100.0.45" target="_blank">10.100.0.45</a>: ISSUE: authtime 1286210346, etypes {rep=16 tkt=16 ses=16}, <a href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a> for ldap/<a href="http://station1.example.com" target="_blank">station1.example.com</a>@<a href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a><br>

#<br><br>DS access log entries:<br>[04/Oct/2010:12:39:55 -0400] conn=8 fd=64 slot=64 connection from 10.100.0.45 to 10.100.0.45<br>[04/Oct/2010:12:39:55 -0400] conn=8 op=0 BIND dn=&quot;&quot; method=sasl version=3 mech=GSSAPI<br>

[04/Oct/2010:12:39:55 -0400] conn=8 op=0 RESULT err=49 tag=97 nentries=0 etime=0<br>[04/Oct/2010:12:39:55 -0400] conn=8 op=-1 fd=64 closed - B1<br><br>--Matt<br></div><div style="font-family: times new roman,new york,times,serif; font-size: 8pt;">

<br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Andrey Ivanov &lt;<a href="mailto:andrey.ivanov@polytechnique.fr" target="_blank">andrey.ivanov@polytechnique.fr</a>&gt;<br>

<b><span style="font-weight: bold;">To:</span></b> General discussion list for the 389 Directory server project. &lt;<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>&gt;<br><b><span style="font-weight: bold;">Sent:</span></b> Mon, October 4, 2010 12:30:43 PM<br>

<b><span style="font-weight: bold;">Subject:</span></b> Re: [389-users] GSSAPI authentication to Directory Server<br></font><div><div></div><div class="h5"><br>
Hi,<br><br>Try<br><br>kinit username<br>&lt;mdp&gt;<br>klist -e<br><br>/usr/bin/ldapsearch  -Y GSSAPI -h <a rel="nofollow" href="http://station1.example.com/" target="_blank">station1.example.com</a> -b &quot;dc=example,dc=com&quot; &quot;(cn=*)&quot;<br>



<br>klist -e<br>&lt;you should see the additional ticket ldap/<a rel="nofollow" href="http://station1.example.com" target="_blank">station1.example.com</a>&gt;<br>At least, that&#39;s how it works in our system<br><br><br>

<div class="gmail_quote">2010/10/4 Matt Carey <span dir="ltr">&lt;<a rel="nofollow" href="mailto:cvstealth2000@yahoo.com" target="_blank">cvstealth2000@yahoo.com</a>&gt;</span><br>

<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div style="font-family: times new roman,new york,times,serif; font-size: 8pt;"><div><span><span>I&#39;m trying to follow the Kerberos howto guide at <a href="http://directory.fedoraproject.org/wiki/Howto:Kerberos" target="_blank">http://directory.fedoraproject.org/wiki/Howto:Kerberos</a> but am having an issue authenticating to the Directory Server with GSSAPI/Kerberos tickets:</span></span><br>



$ /usr/lib/mozldap/ldapsearch -h <a rel="nofollow" href="http://station1.example.com" target="_blank">station1.example.com</a> -p 389 -o mech=GSSAPI -o authid=&quot;<a rel="nofollow" href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a>&quot;  -o authzid=&quot;<a rel="nofollow" href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a>&quot; -b &quot;dc=example,dc=com&quot; &quot;(cn=*)&quot;<br>



Bind Error: Invalid credentials<br>Bind Error: additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br><br>Attempt with OpenLDAP client:<br>$ /usr/bin/ldapsearch  -Y GSSAPI -X u:mcarey -b &quot;&quot; -s base -LLL -H ldap://<a rel="nofollow" href="http://station1.example.com" target="_blank">station1.example.com</a> -b &quot;dc=example,dc=com&quot; &quot;(cn=*)&quot;<br>SASL/GSSAPI authentication started<br>ldap_sasl_interactive_bind_s: Invalid credentials (49)<br>    additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context<br><br>



<br>Resulting in the following entries in the access log on the DS:<br># tail -5 access<br>[04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from 10.100.0.45 to 10.100.0.45<br>[04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn=&quot;&quot; method=sasl version=3 mech=GSSAPI<br>



[04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0<br>[04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND<br>[04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1<br><br><br>From what I can tell the Kerberos infrastructure and OS components are setup accordingly:<br>



GSSAPI is a viable SASL mechanism: <br>$ /usr/lib/mozldap/ldapsearch -b &quot;&quot; -h station1 -p 389 -s base &quot;(objectClass=*)&quot; supportedSASLMechanisms<br>version: 1<br>dn:<br>supportedSASLMechanisms: EXTERNAL<br>supportedSASLMechanisms: DIGEST-MD5<br>supportedSASLMechanisms: GSSAPI<br>supportedSASLMechanisms: LOGIN<br>supportedSASLMechanisms: CRAM-MD5<br>supportedSASLMechanisms: ANONYMOUS<br>



supportedSASLMechanisms: PLAIN<br><br>Directory Server keytab and contents:<br># grep &quot;nsslapd-localuser&quot; dse.ldif<br>nsslapd-localuser: nobody<br># ls -la ds.keytab <br>-rw------- 1 nobody nobody 172 Oct  3 13:21 ds.keytab<br>



# ktutil<br>ktutil:  rkt ./ds.keytab<br>ktutil:  l<br>slot KVNO Principal<br>---- ---- ---------------------------------------------------------------------<br>   1    3 ldap/<a rel="nofollow" href="http://station1.example.com" target="_blank">station1.example.com</a>@<a rel="nofollow" href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a><br>



   2    3 ldap/<a rel="nofollow" href="http://station1.example.com" target="_blank">station1.example.com</a>@<a rel="nofollow" href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a><br># grep KRB /etc/sysconfig/dirsrv<br>

KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME<br>

<br>SASL maps in Directory Server:<br>dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config<br>objectClass: top<br>objectClass: nsSaslMapping<br>cn: Kerberos uid mapping<br>nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)<br>nsSaslMapBaseDNTemplate: dc=\2,dc=\3<br>nsSaslMapFilterTemplate: (uid=\1)<br>



<br>dn: cn=Station1 Kerberos Mapping,cn=mapping,cn=sasl,cn=config<br>objectClass: top<br>objectClass: nsSaslMapping<br>cn: Station1 Kerberos Mapping<br>nsSaslMapRegexString: (.*)@<a rel="nofollow" href="http://STATATION1.EXAMPLE.COM" target="_blank">STATATION1.EXAMPLE.COM</a><br>



nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)<br>nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=example,dc=com<br><br>dn: cn=station1 map,cn=mapping,cn=sasl,cn=config<br>objectClass: top<br>objectClass: nsSaslMapping<br>



cn: example map<br>cn: station1 map<br>nsSaslMapRegexString: \(.*\)<br>nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com<br>nsSaslMapFilterTemplate: (cn=\1)<br><br>Getting a ticket from the KDC:<br>[mcarey@station1 ~]$ kdestroy<br>



[mcarey@station1 ~]$ kinit<br>Password for <a rel="nofollow" href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a>: <br>[mcarey@station1 ~]$ klist<br>Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20<br>Default principal: <a rel="nofollow" href="mailto:mcarey@STATION1.EXAMPLE.COM" target="_blank">mcarey@STATION1.EXAMPLE.COM</a><br>



Valid starting     Expires            Service principal<br>10/04/10 10:57:20  10/04/10 17:37:20  krbtgt/<a rel="nofollow" href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a>@<a rel="nofollow" href="http://STATION1.EXAMPLE.COM" target="_blank">STATION1.EXAMPLE.COM</a><br>



Kerberos 4 ticket cache: /tmp/tkt5000<br>klist: You have no tickets cached<br><br>Any help or pointers people have would be greatly appreciated. <br></div>
</div><br>

      </div><br>--<br>
389 users mailing list<br>
<a rel="nofollow" href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a rel="nofollow" href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div><br>
</div></div></div></div>
</div><br>







</div></blockquote></div><br>
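Added example, not code from the thread or from 389 Directory Server: a Python model of how a nsSaslMapping entry turns the authenticated Kerberos principal into a search base and filter, so the escaping advice above can be checked against the three mappings posted in the thread. It assumes the server's regex is POSIX basic syntax (only \( \) form groups; bare ( ) are literal characters), that Python's re approximates its match semantics over the whole authid, and that the first matching mapping wins.

```python
import re

# Mapping entries copied from the thread: (name, regex, base DN template,
# filter template). Regexes are POSIX basic syntax: \( \) group, bare ( )
# are literal characters.
MAPPINGS = [
    ("Kerberos uid mapping", r"\(.*\)@\(.*\)\.\(.*\)",
     r"dc=\2,dc=\3", r"(uid=\1)"),
    ("Station1 Kerberos Mapping", r"(.*)@STATATION1.EXAMPLE.COM",
     r"uid=\1,ou=People,dc=example,dc=com", r"(objectclass=inetOrgPerson)"),
    ("station1 map", r"\(.*\)",
     r"ou=People,dc=example,dc=com", r"(cn=\1)"),
]


def bre_to_python(bre):
    """Translate a POSIX BRE to Python syntax: swap group and literal parens."""
    out, i = [], 0
    while i < len(bre):
        if bre[i] == "\\" and i + 1 < len(bre) and bre[i + 1] in "()":
            out.append(bre[i + 1])          # \( \) -> grouping parentheses
            i += 2
        elif bre[i] in "()":
            out.append("\\" + bre[i])       # bare ( ) -> literal parentheses
            i += 1
        else:
            out.append(bre[i])
            i += 1
    return "".join(out)


def apply_mapping(regex, base_tmpl, filter_tmpl, principal):
    """Return (base_dn, filter) with backreferences filled in, or None on no match."""
    # Assumption: the server matches the regex against the whole authid.
    m = re.fullmatch(bre_to_python(regex), principal)
    if m is None:
        return None
    fill = lambda t: re.sub(r"\\(\d)", lambda g: m.group(int(g.group(1))) or "", t)
    return fill(base_tmpl), fill(filter_tmpl)


def map_principal(principal, mappings=MAPPINGS):
    """Assumption: the first mapping whose regex matches the authid wins."""
    for name, regex, base_tmpl, filter_tmpl in mappings:
        result = apply_mapping(regex, base_tmpl, filter_tmpl, principal)
        if result is not None:
            return (name,) + result
    return None
```

For the authid the KDC issued in the thread, mcarey@STATION1.EXAMPLE.COM, the default mapping wins and yields base dc=STATION1.EXAMPLE,dc=COM with filter (uid=mcarey), a base that does not exist in this tree; the custom mapping's bare (.*) only matches principals containing literal parentheses, so it never fires.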