Sorry not a kerberos expert but this is old doc I used to use to get it working. I would double check your /etc/krb5.conf first though.
Here is that doc
===================================================================
SASL and DS
KDC Server
- HOST.DOMAIN.COM is usually "localhost.localdomain" for
internal testing. Make sure the hostname is lowercase!
[1] ssh krbuser@xxxxxxxxxxxxxxxxxxx (password redhat)
[2] sudo /usr/kerberos/sbin/kadmin.local -r EXAMPLE.COM
[3] addprinc -randkey ldap/HOST.DOMAIN.COM@xxxxxxxxxxx
[4] ktadd -k /opt/ldap.HOST.DOMAIN.COM.keytab
ldap/HOST.DOMAIN.COM@xxxxxxxxxxx
[5] addprinc sasltest -> use redhat as password
[6] ktadd -k /opt/sasltest.keytab sasltest@xxxxxxxxxxx
[7] addprinc t001 --> use redhat as password
[8] ktadd -k /opt/ldap.t001.keytab t001@xxxxxxxxxxx
[9] exit
[10] sudo chmod 777 /opt/ldap.HOST.DOMAIN.COM.keytab
[11] sudo chmod 777 /opt/ldap.t001.keytab
[12] sudo chmod 777 /opt/sasltest.keytab
DS Server
- Get the keytabs
[1] cd /etc/dirsrv
[2] wget
ftp://internal.redhat.com/opt/ldap.HOST.DOMAIN.COM.keytab
[3] wget ftp://internal.redhat.com/opt/sasltest.keytab
[4] wget ftp://internal.redhat.com/opt/ldap.t001.keytab
- Edit /etc/krb5.conf, make sure these settings are
included
[libdefaults]
default_realm: EXAMPLE.COM
allow_weak_crypto = true (or 'yes')
[realms]
EXAMPLE.COM = {
kdc = internal.redhat.com:88
admin_server = internal.redhat.com:749
default_domain = example.com
}
[domain_realm]
.redhat.com = EXAMPLE.COM
redhat.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
- Edit /etc/sysconfig/dirsrv-INSTANCE
Add these two lines to
KRB5_CONFIG=/etc/krb5.conf
KRB5_KTNAME=/etc/dirsrv/ldap.HOST.DOMAIN.COM.keytab
- Edit the dse.ldif/ldapmodify. This assumes there is a
backend: dc=example,dc=com
dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: dc=example,dc=com
dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: dc=example,dc=com
dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: dc=example,dc=com
dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: dc=example,dc=com
dn: cn=config
changetype: modify
add: passwordstoragescheme
passwordstoragescheme: clear
- Add our user:
dn: uid=t001,ou=people,dc=example,dc=com
uid: t001
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: 001
cn: test 001
mail: t001@xxxxxxxxxxx
Testing
[1] cd /etc/dirsrv
[2] kinit -k -t ./ldap.t001.keytab t001@xxxxxxxxxxx
[3] klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: t001@xxxxxxxxxxx
Valid starting Expires Service principal
02/08/10 14:29:33 02/09/10 14:29:33
krbtgt/EXAMPLE.COM@xxxxxxxxxxx
renew until 02/08/10 14:29:33
[4] ldapsearch -h HOST.DOMAIN.COM -p 389 -b
"dc=example,dc=com" -v -LLL -Y GSSAPI "uid=*" dn
[5] klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: t001@xxxxxxxxxxx
Valid starting Expires Service principal
02/08/10 16:52:14 02/09/10 16:52:14
krbtgt/EXAMPLE.COM@xxxxxxxxxxx
renew until 02/08/10 16:52:14
02/08/10 16:52:20 02/09/10 16:52:14
ldap/HOST.DOMAIN.COM@xxxxxxxxxxx
renew until 02/08/10 16:52:14
Troubleshooting
[1] To verify the DS server does use the user kerberos ticket
for authentication, log on kdc server (internal.redhat.com), and
tail -f /var/log/krb5kdc.log You should see following msgs in log:
- The first msg means the usr "t001" does get valid
kerberos ticket from kdc server
- The second msg means the server which use
"ldap/internal.redhat.com@xxxxxxxxxxx" is connect with kdc for
user authentication
Feb 08 16:46:14 internal.redhat.com krb5kdc[2726](info): AS_REQ
(12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.16.96.80: ISSUE:
authtime 1265665574, etypes {rep=1 tkt=16 ses=16},
t001@xxxxxxxxxxx for krbtgt/EXAMPLE.COM@xxxxxxxxxxx
Feb 08 16:48:34 internal.redhat.com krb5kdc[2726](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.96.80: ISSUE:
authtime 1265665574, etypes {rep=16 tkt=16 ses=16},
t001@xxxxxxxxxxx for ldap/HOST.DOMAIN.COM.com@xxxxxxxxxxx
[2] ldapsearch issues
[a] make sure you use -h "<FQDN>"
[b] error:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more
information (Unknown error)
cause: /etc/sysconfig/dirsrv-INSTANCE, the KRB5_KTNAME
was incorrect
[c] other errors, if you have verified the kerberos ticket
is being used(see [1]), then recheck your sasl mappings in
dse.ldif
[3] DS error logging, turn on "trace function calls"
(nsslapd-errorlog-level: 1), this might provide more information.
================================================================
HTH,
Mark
I'm trying to move over from OpenLDAP, as it seems that 389-ds is better supported in the RH family of products.
I've followed the RH docs to configure kerberos[1] as well as checking to ensure that the auth mechanisms are enabled and I've poked around with the SASL identity mappings. From what I can tell, all of these are setup correctly.
However, every single time, the realm isn't populated with the kerberos realm and instead, only the username is passed. This results in the SASL mapping that matches the realm (correctly) failing to match:
DEBUG - do_bind - BIND dn="" method=163 version=3
DEBUG - ids_sasl_listmech - sasl library mechs: GSS-SPNEGO,GSSAPI,DIGEST-MD5,CRAM-MD5,PLAIN,LOGIN,ANONYMOUS
DEBUG - ids_sasl_log - (5): GSSAPI server step 3
DEBUG - ids_sasl_canon_user - (user=kyletest, realm=)
DEBUG - sasl_map_domap - Trying map [Kerberos uid mapping]
DEBUG - sasl_map_check - regex: (.*)@(.*)\.(.*), id: kyletest, didn't match
I've trimmed the above to just the more relevant log lines, but it's very clear that the value for "realm" is en empty string.
What do I need to do in order to have the realm be made visible to the SASL mapping component? I've searched the docs, both the fedora and the pagure bug trackers, searched all of the nsslapd-* attributes to see if I'm missing something, and tried on both centos8 and F31 (same results). I don't see anything obvious missing here (but I might just not know where to be looking).
F31 package: 389-ds-base-1.4.2.11-1.fc31.x86_64
CentOS8 package: 389-ds-base-1.4.2.9-1.module_el8+8314+9ac085f5.x86_64
- Kerberos setup:
[root@ldaptest ~]# cat /etc/sysconfig/dirsrv-app
KRB5_KTNAME=/etc/dirsrv/krb5.keytab
[root@ldaptest ~]# kinit -kt /etc/dirsrv/krb5.keytab ldap/$HOSTNAME
[root@ldaptest ~]# klist
Ticket cache: KCM:0:9594
Default principal: ldap/ldaptest.averageurl.com@xxxxxxxxxxxxxx
- klist after attempting an ldapwhoami:
[root@ldaptest ~]# klist
Ticket cache: KCM:0:39355
Default principal: kyletest@xxxxxxxxxxxxxx
Valid starting Expires Service principal
04/12/2020 10:33:44 04/13/2020 10:33:40 krbtgt/AVERAGEURL.COM@xxxxxxxxxxxxxx
04/12/2020 10:33:51 04/13/2020 10:33:40 ldap/ldaptest.averageurl.com@xxxxxxxxxxxxxx
- SASL mapping:
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
nsSaslMapFilterTemplate: (cn=\1)
nsSaslMapBaseDNTemplate: ou=accounts,dc=app,dc=averageurl,dc=com
- Alternative SASL mapping that I'd prefer to use:
nsSaslMapRegexString: \(.*\)@AVERAGEURL\.COM
nsSaslMapFilterTemplate: (cn=\1)
nsSaslMapBaseDNTemplate: ou=accounts,dc=app,dc=averageurl,dc=com
Thanks,
--Kyle
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_kerberos
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
-- 389 Directory Server Development Team
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
