GSSAPI authentication to Directory Server

Hi,

Try

kinit username
<password>
klist -e

/usr/bin/ldapsearch -Y GSSAPI -h station1.example.com -b "dc=example,dc=com" "(cn=*)"

klist -e
<you should see the additional ticket ldap/station1.example.com>

At least, that's how it works in our system.


2010/10/4 Matt Carey <cvstealth2000 at yahoo.com>

> I'm trying to follow the Kerberos howto guide at
> http://directory.fedoraproject.org/wiki/Howto:Kerberos but am having an
> issue authenticating to the Directory Server with GSSAPI/Kerberos tickets:
> $ /usr/lib/mozldap/ldapsearch -h station1.example.com -p 389 -o mech=GSSAPI -o authid="mcarey@STATION1.EXAMPLE.COM" -o authzid="mcarey@STATION1.EXAMPLE.COM" -b "dc=example,dc=com" "(cn=*)"
> Bind Error: Invalid credentials
> Bind Error: additional info: SASL(-13): authentication failure: GSSAPI
> Failure: gss_accept_sec_context
>
> Attempt with OpenLDAP client:
> $ /usr/bin/ldapsearch -Y GSSAPI -X u:mcarey -b "" -s base -LLL -H ldap://station1.example.com -b "dc=example,dc=com" "(cn=*)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>     additional info: SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context
>
>
> Resulting in the following entries in the access log on the DS:
> # tail -5 access
> [04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from 10.100.0.45 to 10.100.0.45
> [04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0
> [04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND
> [04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1
>
>
> From what I can tell the Kerberos infrastructure and OS components are
> set up accordingly:
> GSSAPI is a viable SASL mechanism:
> $ /usr/lib/mozldap/ldapsearch -b "" -h station1 -p 389 -s base "(objectClass=*)" supportedSASLMechanisms
> version: 1
> dn:
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: ANONYMOUS
> supportedSASLMechanisms: PLAIN
>
> Directory Server keytab and contents:
> # grep "nsslapd-localuser" dse.ldif
> nsslapd-localuser: nobody
> # ls -la ds.keytab
> -rw------- 1 nobody nobody 172 Oct  3 13:21 ds.keytab
> # ktutil
> ktutil:  rkt ./ds.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3 ldap/station1.example.com@STATION1.EXAMPLE.COM
>    2    3 ldap/station1.example.com@STATION1.EXAMPLE.COM
> # grep KRB /etc/sysconfig/dirsrv
> KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME
>
> SASL maps in Directory Server:
> dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: Kerberos uid mapping
> nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
> nsSaslMapBaseDNTemplate: dc=\2,dc=\3
> nsSaslMapFilterTemplate: (uid=\1)
>
> dn: cn=Station1 Kerberos Mapping,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: Station1 Kerberos Mapping
> nsSaslMapRegexString: (.*)@STATATION1.EXAMPLE.COM
> nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
> nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=example,dc=com
>
> dn: cn=station1 map,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: example map
> cn: station1 map
> nsSaslMapRegexString: \(.*\)
> nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
> nsSaslMapFilterTemplate: (cn=\1)
>
> Getting a ticket from the KDC:
> [mcarey@station1 ~]$ kdestroy
> [mcarey@station1 ~]$ kinit
> Password for mcarey@STATION1.EXAMPLE.COM:
> [mcarey@station1 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20
> Default principal: mcarey@STATION1.EXAMPLE.COM
> Valid starting     Expires            Service principal
> 10/04/10 10:57:20  10/04/10 17:37:20  krbtgt/STATION1.EXAMPLE.COM@STATION1.EXAMPLE.COM
> Kerberos 4 ticket cache: /tmp/tkt5000
> klist: You have no tickets cached
>
> Any help or pointers people have would be greatly appreciated.
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
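The reply's advice is to confirm with `klist -e` that the client really holds a ticket for ldap/station1.example.com after the bind attempt. The Python script below is an added example, not code from the thread or from either poster: it parses MIT Kerberos `klist -e` output from the client and `klist -ekt` output from the server's keytab, then checks that the service ticket exists and that its enctype has a matching key in the keytab, which is what the server needs to decrypt the ticket inside gss_accept_sec_context. Both outputs are constructed samples: the principal names, cache path and kvno 3 follow the thread, while the enctypes (including the des-cbc-crc ticket enctype used to show a mismatch) are assumed, since ktutil's plain listing in the thread does not show them.

```python
import re

# Constructed sample of `klist -e` on the client after a bind attempt (the
# thread's own klist run was made without -e and shows only the TGT).
# The des-cbc-crc ticket enctype is chosen to demonstrate a keytab mismatch.
KLIST_E = """\
Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20
Default principal: mcarey@STATION1.EXAMPLE.COM

Valid starting     Expires            Service principal
10/04/10 10:57:20  10/04/10 17:37:20  krbtgt/STATION1.EXAMPLE.COM@STATION1.EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/04/10 10:58:02  10/04/10 17:37:20  ldap/station1.example.com@STATION1.EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, des-cbc-crc
"""

# Constructed sample of `klist -ekt /etc/dirsrv/ds.keytab` on the server
# (kvno 3 and the two-entry layout follow the ktutil listing in the thread;
# the enctypes are assumed).
KLIST_EKT = """\
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 10/03/10 13:21:05 ldap/station1.example.com@STATION1.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 10/03/10 13:21:05 ldap/station1.example.com@STATION1.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

SERVICE = "ldap/station1.example.com@STATION1.EXAMPLE.COM"

# MIT klist date stamps: MM/DD/YY or MM/DD/YYYY followed by HH:MM:SS.
DATE = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_LINE = re.compile(rf"^{DATE}\s+{DATE}\s+(\S+)\s*$")
ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\): (\S+), (\S+)\s*$")
KEYTAB_LINE = re.compile(rf"^\s*(\d+)\s+{DATE}\s+(\S+) \((\S+)\)\s*$")


def parse_klist_e(text):
    """Map each cached service principal to its ticket enctype (the second
    value on the 'Etype (skey, tkt)' line); None if klist ran without -e."""
    tickets = {}
    current = None
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            current = m.group(1)
            tickets[current] = None
            continue
        m = ETYPE_LINE.match(line)
        if m and current is not None:
            tickets[current] = m.group(2)
    return tickets


def parse_keytab(text):
    """Map each keytab principal to the set of enctypes it has keys for.
    The kvno is captured but not compared: `klist -e` does not show the
    kvno of a cached ticket, so a kvno mismatch cannot be detected here."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(3))
    return keys


def check_service_ticket(klist_e_text, keytab_text, service=SERVICE):
    """Return (ok, reason): does the client hold a ticket for `service`, and
    does the server keytab hold a key of that ticket's enctype?"""
    tickets = parse_klist_e(klist_e_text)
    keytab = parse_keytab(keytab_text)
    if service not in tickets:
        return False, f"no ticket for {service} in the client cache"
    tkt_etype = tickets[service]
    if tkt_etype is None:
        return False, "no Etype lines in klist output; rerun klist with -e"
    if service not in keytab:
        return False, f"{service} is not in the server keytab"
    if tkt_etype not in keytab[service]:
        return False, (f"ticket enctype {tkt_etype} has no matching key in the "
                       f"keytab (keytab has: {', '.join(sorted(keytab[service]))})")
    return True, f"ticket for {service} ({tkt_etype}) matches a keytab key"


if __name__ == "__main__":
    ok, reason = check_service_ticket(KLIST_E, KLIST_EKT)
    print("OK" if ok else "PROBLEM", "-", reason)
```

Run it as shown and it reports the constructed mismatch (the des-cbc-crc ticket has no key in the keytab); feed it the real `klist -e` and `klist -ekt` output from your own client and server to run the same check. If the service ticket is missing altogether, the client never got as far as presenting one, and the problem is between the client and the KDC rather than in the keytab.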