I raised an issue in OpenLDAP (ITS#6757), and they suggested I bring it up here. I'm able to replicate the behaviour in question with sample-server and sample-client, so it's not OpenLDAP-specific, but it may just be a misunderstanding about how the SASL API is supposed to be used.

The problem is when Kerberos cross-realm authentication is taking place. Rather than splitting the username and realm, the server sees the full Kerberos principal in 'Username', and the 'Realm' is empty.

In my test rig, the server is in realm WS.NSRC.ORG. The client is in a different realm, REALM3.WS.NSRC.ORG. Cross-realm trust is working happily. Here is what I see on the sample-server:

...
Negotiation complete
Username: student@xxxxxxxxxxxxxxxxxx
Realm: (NULL)
SSF: 56
...

What I want to know is, is this behaviour expected? The OpenLDAP people are expecting Cyrus SASL to put the Kerberos realm into the 'Realm', and this means that the authorization DN for SASL clients is not how they document it.

I do notice one difference in the code: Cyrus's sample-server uses

  sasl_getprop(...SASL_DEFUSERREALM...)

whereas OpenLDAP uses

  sasl_getprop(...SASL_REALM...)

Strangely, I can't find SASL_REALM defined anywhere (either in the openldap source, or under /usr/include/sasl). If SASL_REALM is 3, the same as SASL_DEFUSERREALM, then it might be clearer that this is actually the default realm and not the client's realm.

Anyway, the full logs from sample-client and sample-server are attached. This is not a production network, so please feel free to decode whatever you like out of the base64 :-)

Platform: Ubuntu 10.04.1 (i686)
  libsasl2-dev 2.1.23.dfsg1-5ubuntu1
  libsasl2-modules-gssapi-mit 2.1.23.dfsg1-5ubuntu1
  libkrb5-3 1.8.1+dfsg-2ubuntu0.4
  libgssapi-krb5-2 1.8.1+dfsg-2ubuntu0.4

Thanks,

Brian Candler.
Script started on Fri 31 Dec 2010 13:06:18 UTC
root@pc3:~# ./sample-client -s host -n noc.ws.nsrc.org
service=host
Waiting for mechanism list from server...
S: R1NTQVBJ
received 6 byte message
Choosing best mechanism from: GSSAPI
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: 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
Waiting for server reply...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv9+wGF1zTnKk8cOI1glCSV7d2ZdU/W9NM0SBQVD9eR80zjyutH6dsFZELZwntXTgVZ2VzrUJzUm6VDRSHdgouHtsx18KohB6LkWSTKLaRP2rlr8gDVVEaJATOsaDuUUxnsl4fz3IQlI3NwG2gV1Rn
received 156 byte message
C:
Waiting for server reply...
S: BQQF/wAMAAAAAAAAIGadIAcACADVV2SWyFgBYQjGgjI=
received 32 byte message
Sending response...
C: BQQE/wAMAAAAAAAAJAavIQQACABGf24veox+Unj/tm8=
Negotiation complete
Username: student@xxxxxxxxxxxxxxxxxx
SSF: 56
Waiting for encoded message...
S: AAAASgUEB/8AAAAAAAAAACBmnSEWwzoBJGiUy8GYzM5PHQtYFCPgiujAv/peAVoxqaZBJi8I69Vd6UAhHSu6WxIUzH75Tp0ELowHP5MV
received 78 byte message
received decoded message 'srv message 1'
sending encrypted message 'client message 1'
C: AAAATQUEBv8AAAAAAAAAACQGryJPsTaZHh+WHbCo6gD+QXegMIbFFKxJhbEh/9KRD/r8ZxGTEtPszRrEcowJoIzSCXHQcCpmN2VPnYuKmk8H
root@pc3:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: student@xxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
12/31/10 12:46:57  01/01/11 12:46:54  krbtgt/REALM3.WS.NSRC.ORG@xxxxxxxxxxxxxxxxxx
12/31/10 12:47:31  01/01/11 12:46:54  krbtgt/WS.NSRC.ORG@xxxxxxxxxxxxxxxxxx
12/31/10 12:47:31  12/31/10 22:47:31  host/noc.ws.nsrc.org@xxxxxxxxxxx
root@pc3:~# exit
Script done on Fri 31 Dec 2010 13:07:24 UTC
Script started on Fri 31 Dec 2010 13:06:03 UTC
root@noc:~/sasl-examples# ./sample-server -s host -m GSSAPI
Forcing use of mechanism GSSAPI
Sending list of 1 mechanism(s)
S: R1NTQVBJ
Waiting for client mechanism...
C: 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
got 'GSSAPI'
Sending response...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv9+wGF1zTnKk8cOI1glCSV7d2ZdU/W9NM0SBQVD9eR80zjyutH6dsFZELZwntXTgVZ2VzrUJzUm6VDRSHdgouHtsx18KohB6LkWSTKLaRP2rlr8gDVVEaJATOsaDuUUxnsl4fz3IQlI3NwG2gV1Rn
Waiting for client reply...
C:
got ''
Sending response...
S: BQQF/wAMAAAAAAAAIGadIAcACADVV2SWyFgBYQjGgjI=
Waiting for client reply...
C: BQQE/wAMAAAAAAAAJAavIQQACABGf24veox+Unj/tm8=
got '?'
Negotiation complete
Username: student@xxxxxxxxxxxxxxxxxx
Realm: (NULL)
SSF: 56
sending encrypted message 'srv message 1'
S: AAAASgUEB/8AAAAAAAAAACBmnSEWwzoBJGiUy8GYzM5PHQtYFCPgiujAv/peAVoxqaZBJi8I69Vd6UAhHSu6WxIUzH75Tp0ELowHP5MV
Waiting for encrypted message...
C: AAAATQUEBv8AAAAAAAAAACQGryJPsTaZHh+WHbCo6gD+QXegMIbFFKxJhbEh/9KRD/r8ZxGTEtPszRrEcowJoIzSCXHQcCpmN2VPnYuKmk8H
got ''
recieved decoded message 'client message 1'
root@noc:~/sasl-examples# exit
Script done on Fri 31 Dec 2010 13:07:25 UTC
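The practical consequence of the logs above is that a server cannot rely on the realm property alone: in the cross-realm case SASL_USERNAME carries "student@REALM3.WS.NSRC.ORG" and the realm is NULL, so anything that builds an identity from the two fields separately (the OpenLDAP authentication DN being the case in point) has to split the principal itself. The following is an added example, written for this page and not code from the original post, from Cyrus SASL or from OpenLDAP. It shows that split done safely: the realm separator is located using Kerberos principal syntax from RFC 1964 section 2.1.1 (components separated by '/', realm introduced by '@', backslash escaping the next character), a default realm is applied only when the name carries none, a second unescaped '@' is rejected as malformed, and the resulting DN is assembled with RFC 4514 value escaping so that a principal containing ',' or '=' cannot inject extra RDNs. The DN layout "uid=<user>,cn=<realm>,cn=gssapi,cn=auth" and the default realm WS.NSRC.ORG are assumptions for illustration; check the DN form against your slapd documentation.

```c
/* Added example, not code from the original post, Cyrus SASL or OpenLDAP.
 * Splits the string sasl_getprop(SASL_USERNAME) hands back in the
 * cross-realm case ("student@REALM3.WS.NSRC.ORG", realm property NULL)
 * and builds an OpenLDAP-style SASL identity DN from the pieces.
 * Assumptions: RFC 1964 s.2.1.1 principal syntax; the DN form below is the
 * layout OpenLDAP documents for SASL identities, reproduced from memory.
 * Compile: cc -std=c99 -Wall sasl_principal.c */
#include <stdio.h>
#include <string.h>

#define PART_MAX 256

struct principal {
    char user[PART_MAX];   /* primary[/instance ...], Kerberos escapes left intact */
    char realm[PART_MAX];  /* realm taken from the string, or default_realm */
    int  realm_from_name;  /* 1 if the string itself carried "@REALM" */
};

/* Locate the first unescaped '@'. Returns its index, -1 if there is none,
 * or -2 if a second unescaped '@' follows it (malformed principal). */
static int find_realm_sep(const char *s)
{
    int sep = -1;
    for (int i = 0; s[i] != '\0'; i++) {
        if (s[i] == '\\' && s[i + 1] != '\0') { i++; continue; } /* skip escaped char */
        if (s[i] == '@') {
            if (sep >= 0) return -2;
            sep = i;
        }
    }
    return sep;
}

/* Split a principal into user and realm. default_realm may be NULL, in which
 * case a name without '@' is rejected. Returns 0 on success, -1 on malformed
 * or over-long input. */
int split_principal(const char *name, const char *default_realm,
                    struct principal *out)
{
    memset(out, 0, sizeof *out);
    int sep = find_realm_sep(name);
    if (sep == -2) return -1;
    size_t ulen = (sep < 0) ? strlen(name) : (size_t)sep;
    if (ulen == 0 || ulen >= PART_MAX) return -1;
    const char *realm = (sep < 0) ? default_realm : name + sep + 1;
    if (realm == NULL || realm[0] == '\0' || strlen(realm) >= PART_MAX) return -1;
    memcpy(out->user, name, ulen);
    strcpy(out->realm, realm);
    out->realm_from_name = (sep >= 0);
    return 0;
}

/* Copy value into dst with RFC 4514 escaping (the RFC's special characters,
 * plus '=' which it permits escaping), so a principal component can never
 * smuggle an extra RDN into the DN. Returns chars written, or -1 on overflow. */
static int dn_escape(const char *value, char *dst, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; value[i] != '\0'; i++) {
        char c = value[i];
        int special = strchr(",+\"\\<>;=", c) != NULL
                   || (i == 0 && (c == ' ' || c == '#'))
                   || (value[i + 1] == '\0' && c == ' ');
        if (n + (special ? 2 : 1) >= cap) return -1;
        if (special) dst[n++] = '\\';
        dst[n++] = c;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Build "uid=<user>,cn=<realm>,cn=gssapi,cn=auth" (assumed layout). 0 or -1. */
int sasl_identity_dn(const struct principal *p, char *dn, size_t cap)
{
    char user[2 * PART_MAX], realm[2 * PART_MAX];
    if (dn_escape(p->user, user, sizeof user) < 0 ||
        dn_escape(p->realm, realm, sizeof realm) < 0) return -1;
    int n = snprintf(dn, cap, "uid=%s,cn=%s,cn=gssapi,cn=auth", user, realm);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: the cross-realm name from the logs, a bare name
     * where the default realm applies, a service principal, an escaped '@',
     * and a hostile name that would otherwise inject an RDN. */
    const char *names[] = { "student@REALM3.WS.NSRC.ORG", "student",
                            "host/noc.ws.nsrc.org@WS.NSRC.ORG",
                            "jo\\@e@WS.NSRC.ORG", "student,cn=admin@REALM3.WS.NSRC.ORG" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct principal p;
        char dn[4 * PART_MAX];
        if (split_principal(names[i], "WS.NSRC.ORG", &p) == 0 &&
            sasl_identity_dn(&p, dn, sizeof dn) == 0)
            printf("%-40s -> user=%s realm=%s (%s)\n    %s\n", names[i], p.user,
                   p.realm, p.realm_from_name ? "from name" : "default", dn);
        else
            printf("%-40s -> rejected\n", names[i]);
    }
    return 0;
}
```

The realm is taken from the name whenever one is present and the default realm is used only as a fallback, which is the opposite of trusting SASL_DEFUSERREALM to describe the client: as the sample-server output shows, that property is the server's default, not the realm the peer authenticated from.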