Openldap/Sasl/GSSAPI on Debian: Key table entry not found
- To: openldap-technical@openldap.org
- Subject: Openldap/Sasl/GSSAPI on Debian: Key table entry not found
- From: Toomas Vendelin <toomas.pfx@gmail.com>
- Date: Tue, 17 Jan 2012 21:45:15 +0200
The goal: to make an OpenLDAP server authenticate using Kerberos V via GSSAPI
Setup: several virtual machines running on freshly installed/updated
Debian Squeeze
A master KDC server
kdc.example.com
A LDAP server, running OpenLDAP
ldap.example.com
The problem:
tom@ldap:~$ ldapsearch -b 'dc=example,dc=com'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Key
table entry not found)
One might suggest adding that keytab entry, but:
ktutil: rkt /etc/ldap/ldap.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 ldap/ldap.example.com@EXAMPLE.COM
2 2 ldap/ldap.example.com@EXAMPLE.COM
3 2 ldap/ldap.example.com@EXAMPLE.COM
4 2 ldap/ldap.example.com@EXAMPLE.COM
So, the entry as suggested by the OpenLDAP manual is there all right.
Deleting and re-creating both the service principal and the keytab on
ldap.example.com didn't help; I get the same error. And before I made
the keytab file readable by openldap, I got a "Permission denied" error
instead of the one in the subject, which implies that the right keytab
file is being accessed, as set in /etc/default/slapd.
I have my doubts about the following part of slapd config:
root@ldap:~# cat /etc/ldap/slapd.d/cn\=config.ldif | grep -v "^#"
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: 256
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: d6737f5c-d321-1030-9dbe-27d2a7751e11
olcSaslHost: kdc.example.com
olcSaslRealm: EXAMPLE.COM
olcSaslSecProps: noplain,noactive,noanonymous,minssf=56
olcAuthzRegexp: {0}"uid=([^/]*),cn=EXAMPLE.COM,cn=GSSAPI,cn=auth" "uid=$1,ou=People,dc=example,dc=com"
olcAuthzRegexp: {1}"uid=host/([^/]*).example.com,cn=example.com,cn=gssapi,cn=auth" "cn=$1,ou=hosts,dc=example,dc=com"
A HOWTO at https://help.ubuntu.com/community/OpenLDAPServer#Kerberos_Authentication
mentions:
Also, it is frequently necessary to map the Distinguished Name
(DN) of an authorized Kerberos client to an existing entry in the DIT.
I fail to understand where in the tree this should be defined, what
schema should be used, etc. After hours of googling, it's official:
I'm stuck! Please, help.
Other things checked: Kerberos as such works fine (I can ssh without
using a password to any machine in this setup), so there should be no
DNS-related problems.
ldapsearch -b 'dc=example,dc=com' -x
works OK.
SASL/GSSAPI has been tested using
sasl-sample-server -m GSSAPI -s ldap
and
sasl-sample-client -s ldap -n ldap.example.com -u tom
without errors:
root@ldap:~# sasl-sample-server -m GSSAPI -s ldap
Forcing use of mechanism GSSAPI
Sending list of 1 mechanism(s)
S: R1NTQVBJ
Waiting for client mechanism...
C: R1NTQVBJAGCCAmUGCSqGSIb3EgECAgEAboICVDCCAlCgAwIBBaEDAgEOogcDBQAgAAAAo4IBamGCAWYwggFioAMCAQWhDRsLRVhBTVBMRS5DT02iIzAhoAMCAQOhGjAYGwRsZGFwGxBsZGFwLmV4YW1wbGUuY29to4IBJTCCASGgAwIBEqEDAgECooIBEwSCAQ8Re8XUnscB8dx6V/cXL+uzSF2/olZvcrVAJHZBZrfRKUFEQmU1Li46bUGK3GZwsn6qUVwmW6lyqVctOIYwGvBpz81Rw/5mj4V5iQudZbIRa+5Ew6W1oBB7ALi2cnPsbUroqzGmEh8/Vw8zSFk7W1gND4DLuWrPXD2xhLDUMMekBn5nXEPTnNAnV4w81Sj3ZlyLZz5OSitGVUEnQweV53z1spWsASHHWod/tSuxb19YeWmY5QHXPLG+lL5+w+Cykr0EhYVj8f8MDWFB8qoN1cr85xDfn18r8JldSw+i18nFKOo8usG+37hZTWynHYvBfMONtG9mLJv82KGPZMydWK7pzyTZDcnSsIjo2AftMZd5pIHMMIHJoAMCARKigcEEgb5aG1k4xgxmUXX7RKfvAbVBVJ12dWOgFFjMYceKjziXwrrOkv8ZwIvef9Yn2KsWznb5L55SXt2c/zlPa5mLKIktvw77hsK1h/GYc7p//BGOsmr47aCqVWsGuTqVT129uo5LNQDeSFwl2jXCkCZJZavOVrqYsM6flrPYE4n5lASTcPitX+/WNsf6WrvZoaexiv1JqyM/MWqS/vMBRMMc5xlurj6OARFvP9aFZoK/BLmfkSyAJj6MLbLVXZtkHiIPgot
'GSSAPI'
Sending response...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkxggi9pW+yJ1ExbTwLDclqw/VQ98aPq8mt39hkO6PPfcO2cB+t6vJ01xRKBrT9D2qF2XK0SWD4PQNb5UFbH4RM/bKAxDuCfZ1MHKgIWTLu4bK7VGZTbYydcckU2d910jIdvkkHhaRqUEM4cqp/cR
Waiting for client reply...
C: got ''
Sending response...
S: BQQF/wAMAAAAAAAAMBOWqQcACAAlCodrXW66ZObsEd4=
Waiting for client reply...
C: BQQE/wAMAAAAAAAAFUYbXQQACAB0b20VynB4uGH/iIzoRhw=got '?'
Negotiation complete
Username: tom
Realm: (NULL)
SSF: 56
sending encrypted message 'srv message 1'
S: AAAASgUEB/8AAAAAAAAAADATlqrqrBW0NRfPMXMdMz+zqY32YakrHqFps3o/vO6yDeyPSaSqprrhI+t7owk7iOsbrZ/idJRxCBm8Wazx
Waiting for encrypted message...
C: AAAATQUEBv8AAAAAAAAAABVGG17WC1+/kIV9xTMUdq6Y4qYmmTahHVCjidgGchTOOOrBLEwA9IqiTCdRFPVbK1EgJ34P/vxMQpV1v4WZpcztgot
''
recieved decoded message 'client message 1'
root@ldap:~# sasl-sample-client -s ldap -n ldap.example.com -u tom
service=ldap
Waiting for mechanism list from server...
S: R1NTQVBJrecieved 6 byte message
Choosing best mechanism from: GSSAPI
returning OK: tom
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: 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
Waiting for server reply...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkxggi9pW+yJ1ExbTwLDclqw/VQ98aPq8mt39hkO6PPfcO2cB+t6vJ01xRKBrT9D2qF2XK0SWD4PQNb5UFbH4RM/bKAxDuCfZ1MHKgIWTLu4bK7VGZTbYydcckU2d910jIdvkkHhaRqUEM4cqp/cRrecieved
156 byte message
C:
Waiting for server reply...
S: BQQF/wAMAAAAAAAAMBOWqQcACAAlCodrXW66ZObsEd4=recieved 32 byte message
Sending response...
C: BQQE/wAMAAAAAAAAFUYbXQQACAB0b20VynB4uGH/iIzoRhw=
Negotiation complete
Username: tom
SSF: 56
Waiting for encoded message...
S: AAAASgUEB/8AAAAAAAAAADATlqrqrBW0NRfPMXMdMz+zqY32YakrHqFps3o/vO6yDeyPSaSqprrhI+t7owk7iOsbrZ/idJRxCBm8Wazxrecieved
78 byte message
recieved decoded message 'srv message 1'
sending encrypted message 'client message 1'
C: AAAATQUEBv8AAAAAAAAAABVGG17WC1+/kIV9xTMUdq6Y4qYmmTahHVCjidgGchTOOOrBLEwA9IqiTCdRFPVbK1EgJ34P/vxMQpV1v4WZpczt
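The following is an added diagnostic, not part of the post above and not OpenLDAP's or Cyrus SASL's own code. It checks the one thing a "Key table entry not found" from the GSSAPI acceptor always comes down to: whether the principal slapd asks for is actually in the keytab. The check assumes that the acceptor name is built from the SASL service name ("ldap") and the host slapd hands to Cyrus SASL, which olcSaslHost sets (slapd-config(5) describes it as the fully qualified domain name used for SASL processing), giving ldap/<olcSaslHost>@<olcSaslRealm>. The keytab listing and the two cn=config fragments are constructed copies of what the post shows; FIXED_CONFIG, with olcSaslHost pointing at the LDAP server's own name, is an assumption added for comparison.

```shell
#!/bin/sh
# Added example: compare the principal slapd's GSSAPI acceptor will request
# against the principals present in the keytab. Inputs are constructed
# copies of the post's data; in a real check feed `klist -k /etc/ldap/ldap.keytab`
# (or ktutil's list output) and the live cn=config.ldif instead.

# Constructed: the `ktutil: list` output shown in the post (duplicates trimmed).
KEYTAB_LISTING='slot KVNO Principal
---- ---- -------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM'

# Constructed: the SASL attributes from the post's cn=config entry.
SLAPD_CONFIG='dn: cn=config
olcSaslHost: kdc.example.com
olcSaslRealm: EXAMPLE.COM'

# Assumption (not from the post): the same entry with olcSaslHost set to the
# name the keytab was issued for.
FIXED_CONFIG='dn: cn=config
olcSaslHost: ldap.example.com
olcSaslRealm: EXAMPLE.COM'

# expected_principal CONFIG  -> prints ldap/<olcSaslHost>@<olcSaslRealm>
expected_principal() {
    host=$(printf '%s\n' "$1" | sed -n 's/^olcSaslHost: *//p' | head -n 1)
    realm=$(printf '%s\n' "$1" | sed -n 's/^olcSaslRealm: *//p' | head -n 1)
    # Assumption: with olcSaslHost unset, slapd falls back to the local FQDN.
    [ -n "$host" ] || host=$(hostname -f)
    printf 'ldap/%s@%s\n' "$host" "$realm"
}

# keytab_has LISTING PRINCIPAL  -> exit status 0 iff PRINCIPAL is in LISTING
keytab_has() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { found = 1 } END { exit (found ? 0 : 1) }'
}

# check_keytab CONFIG LISTING  -> reports the mismatch, exit status 0 iff ok
check_keytab() {
    want=$(expected_principal "$1")
    if keytab_has "$2" "$want"; then
        printf 'ok: keytab holds %s\n' "$want"
        return 0
    fi
    printf 'missing: slapd will look for %s but the keytab only holds:\n' "$want"
    printf '%s\n' "$2" | awk 'NR > 2 && $3 != "" { print "  " $3 }' | sort -u
    return 1
}

# The post's configuration: expected to report the mismatch (status 1).
check_keytab "$SLAPD_CONFIG" "$KEYTAB_LISTING" || true
# The adjusted configuration: the requested principal is in the keytab.
check_keytab "$FIXED_CONFIG" "$KEYTAB_LISTING"
```

With the post's configuration the script reports that slapd will look for ldap/kdc.example.com@EXAMPLE.COM while the keytab only holds ldap/ldap.example.com@EXAMPLE.COM; the same comparison can be run against any other service whose acceptor name is configured separately from the host the keytab was made for. Remember that the keytab must stay readable only by the user slapd runs as, since anyone who can read it can impersonate the LDAP service.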