SASL/GSSAPI not working
I am getting an invalid credentials error when doing an ldapwhoami after
getting a Kerberos ticket. Here is my setup:
OpenLDAP 2.2.6 compiled against Heimdal 0.6 with Cyrus-SASL 2.1.18 running
on Red Hat Enterprise Linux AS 3.0
The KDC is MIT Kerberos 1.3.2 also running on RHEL AS 3.0.
I have a principal called digant@KERB.UTA.EDU and a principal for my ldap
server (ldap/omicron.kerb.uta.edu@KERB.UTA.EDU). I can use kinit to get
tickets for both (using the password for digant and the keytab file for the
ldap/omicron*).
But, when I get a ticket for digant and then use ldapwhoami, I am getting an
error "Invalid credentials (49)".
Here are the goodies from my slapd.conf file:
access to dn="" by * read
access to *
by self write
by users read
by anonymous auth
database bdb
suffix "dc=uta,dc=edu"
rootdn "cn=Root,dc=uta,dc=edu"
rootpw {SSHA} (deleted)
sasl-secprops none
sasl-realm "KERB.UTA.EDU"
sasl-host labrador.uta.edu
sasl-regexp uid=(.*),cn=KERB.UTA.EDU,cn=gssapi,cn=auth
ldaps:///uid=$1,cn=people,dc=uta,dc=edu
Here is what "ktutil list" tells me:
FILE:/etc/sysconfig/krb5.keytab:
Vno Type Principal Key
3 des-cbc-crc ldap/omicron.kerb.uta.edu@KERB.UTA.EDU ad80fd80b651496b
This is what the krb5kdc.log shows when I get my tickets:
Mar 23 18:02:22 labrador.uta.edu krb5kdc[11571](info): AS_REQ (6 etypes {16
5 23 3 2 1}) 129.107.56.202: ISSUE: authtime 1080086542, etypes {rep=3 tkt=1
ses=2}, digant@KERB.UTA.EDU for krbtgt/KERB.UTA.EDU@KERB.UTA.EDU
Mar 23 18:02:26 labrador.uta.edu krb5kdc[11571](info): TGS_REQ (6 etypes {16
5 23 3 2 1}) 129.107.56.202: ISSUE: authtime 1080086542, etypes {rep=2 tkt=1
ses=2}, digant@KERB.UTA.EDU for ldap/omicron.kerb.uta.edu@KERB.UTA.EDU
This is what "klist -v" tells me when I have got my tickets:
Credentials cache: FILE:/tmp/krb5cc_0
Principal: digant@KERB.UTA.EDU
Cache version: 4
Server: krbtgt/KERB.UTA.EDU@KERB.UTA.EDU
Ticket etype: des-cbc-crc, kvno 1
Session key: des-cbc-md4
Auth time: Mar 23 18:02:22 2004
End time: Mar 24 00:40:47 2004
Ticket flags: initial
Addresses: IPv4:129.107.56.202
Server: ldap/omicron.kerb.uta.edu@KERB.UTA.EDU
Ticket etype: des-cbc-crc, kvno 3
Session key: des-cbc-md4
Auth time: Mar 23 18:02:22 2004
Start time: Mar 23 18:02:26 2004
End time: Mar 24 00:40:47 2004
Ticket flags: transited-policy-checked
Addresses: IPv4:129.107.56.202
And finally, this is my dump from slapd -d -1:
ldap_int_sasl_bind: LOGIN GSSAPI ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5
ldap_int_sasl_open: host=omicron.kerb.uta.edu
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 533 bytes to sd 3
ldap_write: want=533, written=533
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Mar 23 18:03:32 2004
** Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 55 02 01 02 61 50 0a 0U...aP.
ldap_read: want=79, got=79
0000: 01 31 04 00 04 49 53 41 53 4c 28 2d 31 33 29 3a .1...ISASL(-13):
0010: 20 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20 authentication
0020: 66 61 69 6c 75 72 65 3a 20 47 53 53 41 50 49 20 failure: GSSAPI
0030: 46 61 69 6c 75 72 65 3a 20 67 73 73 5f 61 63 63 Failure: gss_acc
0040: 65 70 74 5f 73 65 63 5f 63 6f 6e 74 65 78 74 ept_sec_context
ber_get_next: tag 0x30 len 85 contents:
ber_dump: buf=0x080565a8 ptr=0x080565a8 end=0x080565fd len=85
0000: 02 01 02 61 50 0a 01 31 04 00 04 49 53 41 53 4c ...aP..1...ISASL
0010: 28 2d 31 33 29 3a 20 61 75 74 68 65 6e 74 69 63 (-13): authentic
0020: 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20 47 ation failure: G
0030: 53 53 41 50 49 20 46 61 69 6c 75 72 65 3a 20 67 SSAPI Failure: g
0040: 73 73 5f 61 63 63 65 70 74 5f 73 65 63 5f 63 6f ss_accept_sec_co
0050: 6e 74 65 78 74 ntext
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x080565a8 ptr=0x080565ab end=0x080565fd len=82
0000: 61 50 0a 01 31 04 00 04 49 53 41 53 4c 28 2d 31 aP..1...ISASL(-1
0010: 33 29 3a 20 61 75 74 68 65 6e 74 69 63 61 74 69 3): authenticati
0020: 6f 6e 20 66 61 69 6c 75 72 65 3a 20 47 53 53 41 on failure: GSSA
0030: 50 49 20 46 61 69 6c 75 72 65 3a 20 67 73 73 5f PI Failure: gss_
0040: 61 63 63 65 70 74 5f 73 65 63 5f 63 6f 6e 74 65 accept_sec_conte
0050: 78 74 xt
read1msg: 0 new referrals
read1msg: mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x080565a8 ptr=0x080565ab end=0x080565fd len=82
0000: 61 50 0a 01 31 04 00 04 49 53 41 53 4c 28 2d 31 aP..1...ISASL(-1
0010: 33 29 3a 20 61 75 74 68 65 6e 74 69 63 61 74 69 3): authenticati
0020: 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20 47 ation failure: G
0030: 53 53 41 50 49 20 46 61 69 6c 75 72 65 3a 20 67 SSAPI Failure: g
0040: 73 73 5f 61 63 63 65 70 74 5f 73 65 63 5f 63 6f ss_accept_sec_co
0050: 6e 74 65 78 74 ntext
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
Any ideas?