FDS, Kerberos, SASL confusion


 



Hi Marty and Rob,

thanks for your answers.

The FDS user indeed wasn't able to access /etc/krb5.keytab. After I
changed that, the error message changed to:

[root at vafbds01 ~]# ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v 
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-14): authorization failure: 


My klist is as follows:

[root at vafbds01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith at AFB.LAN

Valid starting     Expires            Service principal
07/26/07 08:35:05  07/27/07 08:33:33  krbtgt/AFB.LAN at AFB.LAN



Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

After that it changes to 

[root at vafbds01 tmp]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith at AFB.LAN

Valid starting     Expires            Service principal
07/26/07 08:41:36  07/27/07 08:39:33  krbtgt/AFB.LAN at AFB.LAN
07/26/07 08:41:40  07/27/07 08:39:33  ldap/vafbds01.afb.lan at AFB.LAN


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

So, at least I do get a ticket for ldap.

When I run "kinit bsmith" I get the following log message on my Kerberos
Server:
Jul 26 08:35:05 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431705, etypes {rep=16 tkt=16 ses=16}, bsmith at AFB.LAN for krbtgt/AFB.LAN at AFB.LAN
Jul 26 08:35:05 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431705, etypes {rep=16 tkt=16 ses=16}, bsmith at AFB.LAN for krbtgt/AFB.LAN at AFB.LAN


When I run "testsaslauthd -s ldap -u bsmith -p letmein" I see the
following log entries:

Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith at AFB.LAN for krbtgt/AFB.LAN at AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith at AFB.LAN for krbtgt/AFB.LAN at AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith at AFB.LAN for host/vafbds01.afb.lan at AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith at AFB.LAN for host/vafbds01.afb.lan at AFB.LAN


How do I have to set the password for the user bsmith in FDS?
The current setting is: {SASL}bmsith at AFB.LAN
Is that correct?


Regards,

Johannes Hintermayer




On Wed, 2007-07-25 at 15:11 -0400, MJD Shop Account wrote:
> 
> >#klist
> >Ticket cache: FILE:/tmp/krb5cc_0
> >Default principal: bsmith at AFB.LAN
> >
> >#ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v 
> 
> No credentials??  or did you just edit out the result of klist?  You should see at the very least a ticket-granting ticket
> 
> >2. Do I need a host principal for every client?
> >
> 
> This I am pretty sure is a 'yes you do'
> 
> 
> -Marty
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
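
Added example, not part of the original message or of any project's code: a small parser for krb5kdc log lines in the format quoted above. It collapses the repeated entries and lists, per request, the service principal the ticket was issued for and the name of the ticket's encryption type. The sample lines are constructed from the post's log format with the archive's " at " written as "@"; the function and variable names are hypothetical.

```python
import re

# Kerberos encryption type numbers (IANA registry) that appear in these logs.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {1, 2, 3, 16, 23}

LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

def parse_kdc_line(line):
    """Parse one krb5kdc AS_REQ/TGS_REQ line; return None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(n) for n in rec["offered"].split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Sorted unique (request, client, service, ticket etype, deprecated) tuples
    for issued tickets; duplicate log lines collapse into one entry."""
    seen = set()
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["status"] == "ISSUE":
            tkt = rec["tkt"]
            seen.add((rec["req"], rec["client"], rec["service"],
                      ETYPES.get(tkt, "etype-%d" % tkt), tkt in DEPRECATED))
    return sorted(seen)

# Constructed sample input modelled on the log lines in the post.
_PFX = "Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): "
_MID = (" (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, "
        "etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for ")
SAMPLE = ([_PFX + "AS_REQ" + _MID + "krbtgt/AFB.LAN@AFB.LAN"] * 2
          + [_PFX + "TGS_REQ" + _MID + "host/vafbds01.afb.lan@AFB.LAN"] * 2)

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```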



