Issues with GSSAPI kerberos authentication - realm undefined?

Kyle Brantley <kyle@xxxxxxxxxxxxxx> · Sun, 12 Apr 2020 10:41:17 -0600

I'm trying to move over from OpenLDAP, as it seems that 389-ds is better 
supported in the RH family of products.

I've followed the RH docs to configure kerberos[1] as well as checking 
to ensure that the auth mechanisms are enabled and I've poked around 
with the SASL identity mappings. From what I can tell, all of these are 
setup correctly.

However, every single time, the realm isn't populated with the kerberos 
realm and instead, only the username is passed. This results in the SASL 
mapping that matches the realm (correctly) failing to match:

DEBUG - do_bind - BIND dn="" method=163 version=3
DEBUG - ids_sasl_listmech - sasl library mechs: 
GSS-SPNEGO,GSSAPI,DIGEST-MD5,CRAM-MD5,PLAIN,LOGIN,ANONYMOUS
DEBUG - ids_sasl_log - (5): GSSAPI server step 3
DEBUG - ids_sasl_canon_user - (user=kyletest, realm=)
DEBUG - sasl_map_domap - Trying map [Kerberos uid mapping]
DEBUG - sasl_map_check - regex: (.*)@(.*)\.(.*), id: kyletest, didn't match

I've trimmed the above to just the more relevant log lines, but it's 
very clear that the value for "realm" is en empty string.

What do I need to do in order to have the realm be made visible to the 
SASL mapping component? I've searched the docs, both the fedora and the 
pagure bug trackers, searched all of the nsslapd-* attributes to see if 
I'm missing something, and tried on both centos8 and F31 (same results). 
I don't see anything obvious missing here (but I might just not know 
where to be looking).

F31 package: 389-ds-base-1.4.2.11-1.fc31.x86_64
CentOS8 package: 389-ds-base-1.4.2.9-1.module_el8+8314+9ac085f5.x86_64

- Kerberos setup:
[root@ldaptest ~]# cat /etc/sysconfig/dirsrv-app
KRB5_KTNAME=/etc/dirsrv/krb5.keytab
[root@ldaptest ~]# kinit -kt /etc/dirsrv/krb5.keytab ldap/$HOSTNAME
[root@ldaptest ~]# klist
Ticket cache: KCM:0:9594
Default principal: ldap/ldaptest.averageurl.com@xxxxxxxxxxxxxx

- klist after attempting an ldapwhoami:
[root@ldaptest ~]# klist
Ticket cache: KCM:0:39355
Default principal: kyletest@xxxxxxxxxxxxxx

Valid starting       Expires              Service principal
04/12/2020 10:33:44  04/13/2020 10:33:40 
krbtgt/AVERAGEURL.COM@xxxxxxxxxxxxxx
04/12/2020 10:33:51  04/13/2020 10:33:40 
ldap/ldaptest.averageurl.com@xxxxxxxxxxxxxx

- SASL mapping:
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
nsSaslMapFilterTemplate: (cn=\1)
nsSaslMapBaseDNTemplate: ou=accounts,dc=app,dc=averageurl,dc=com

- Alternative SASL mapping that I'd prefer to use:
nsSaslMapRegexString: \(.*\)@AVERAGEURL\.COM
nsSaslMapFilterTemplate: (cn=\1)
nsSaslMapBaseDNTemplate: ou=accounts,dc=app,dc=averageurl,dc=com

Thanks,
--Kyle

[1] 
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_kerberos
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx