slapd + gssapi/heimdal: using false realm in principal
- To: openldap-technical@openldap.org
- Subject: slapd + gssapi/heimdal: using false realm in principal
- From: Friedemann Stoyan <fstoyan@swapon.de>
- Date: Wed, 29 Apr 2009 10:09:24 +0200
- Content-disposition: inline
- User-agent: Mutt/1.5.18 (2008-05-17)
Hello,
I struggle with a Debian GNU/Linux (Lenny) and
* slapd 2.4.11-1
* heimdal-kdc 1.2.dfsg.1-2.1
* libsasl2-modules-gssapi-heimdal 2.1.22.dfsg1-23
With this configuration:
/etc/ldap/slapd.conf:
# Kerberos Configuration
sasl-host kerberos.lab.swapon.de
sasl-realm LAB.SWAPON.DE
# Mapping Kerberos Authentication Identities
authz-regexp
uid=([^,]*),cn=lab.swapon.de,cn=gssapi,cn=auth
ldap:///ou=people,dc=lab,dc=swapon,dc=de??one?(&(uid=$1)(objectClass=person))
/etc/ldap/sasl2/slapd.conf:
mech_list: GSSAPI
log_level: 7
Then I get a kerberos ticket and start ldapsearch:
$ ldapsearch -H ldaps://ldap.lab.swapon.de/
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
The slapd logfile isn't very helpful:
slapd[11480]: conn=2 fd=14 ACCEPT from IP=[2001:6f8:12ec:11::389:fefe]:60487 (IP=[2001:6f8:12ec:11::389:fefe]:636)
slapd[11480]: conn=2 fd=14 TLS established tls_ssf=128 ssf=128
slapd[11480]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[11480]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
slapd[11480]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[11480]: conn=2 op=1 BIND dn="" method=163
slapd[11480]: SASL [conn=2] Failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
slapd[11480]: conn=2 op=1 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
slapd[11480]: conn=2 fd=14 closed (connection lost)
The KDC's logfile is more interesting:
Authentication Server Request from slapd (successful):
14:37:13 AS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB.SWAPON.DE@LAB.SWAPON.DE
14:37:13 Client sent patypes: encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp
14:37:13 Looking for PKINIT pa-data -- host/reliant.lab.swapon.de@LAB.SWAPON.DE
14:37:13 Looking for ENC-TS pa-data -- host/reliant.lab.swapon.de@LAB.SWAPON.DE
14:37:13 ENC-TS Pre-authentication succeeded -- host/reliant.lab.swapon.de@LAB.SWAPON.DE using aes256-cts-hmac-sha1-96
14:37:13 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
14:37:13 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
14:37:13 AS-REQ authtime: 2009-04-27T14:37:13 starttime: unset endtime: 2009-04-28T00:37:13 renew till: unset
14:37:13 sending 670 bytes to IPv6:2001:6f8:12ec:11::88:fefe
Ticket Granting Server Request from slapd (fails):
14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for digest/LAB@LAB.SWAPON.DE [canonicalize]
14:37:13 Searching referral for LAB
14:37:13 Server not found in database: digest/LAB@LAB.SWAPON.DE: No such entry in the database
14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 sending 107 bytes to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB@LAB.SWAPON.DE
14:37:13 Server not found in database: krbtgt/LAB@LAB.SWAPON.DE: No such entry in the database
14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 sending 107 bytes to IPv6:2001:6f8:12ec:11::88:fefe
It's clear that this TGS-REQ is failing: the realm "LAB" in the principal
"krbtgt/LAB@LAB.SWAPON.DE" doesn't exist. Correct would be:
"krbtgt/LAB.SWAPON.DE@LAB.SWAPON.DE".
At present I have no clue how to fix this. Good ideas would be
appreciated.
Regards
Friedemann