Hi,

I'll try to give you as much detail as possible, but if anything's still missing, please tell me :)

Okay, so, I'm trying to make cyrus-sasl work on Scientific Linux v5 (i.e. RedHat).

This is my cyrus-sasl release:

    # rpm -qi cyrus-sasl-lib
    Name        : cyrus-sasl-lib               Relocations: (not relocatable)
    Version     : 2.1.22                            Vendor: Scientific Linux
    Release     : 5.el5_4.3                     Build Date: Wed Mar 17 11:43:24 2010
    Install Date: Wed Mar 23 11:57:07 2011      Build Host: norob.fnal.gov
    Group       : System Environment/Libraries  Source RPM: cyrus-sasl-2.1.22-5.el5_4.3.src.rpm
    Size        : 303193                           License: Freely Distributable
    Signature   : DSA/SHA1, Wed Mar 17 14:47:15 2010, Key ID b0b4183f192a7d7d
    URL         : http://asg.web.cmu.edu/sasl/sasl-library.html
    Summary     : Shared libraries needed by applications which use Cyrus [...]

My O.S. is a "Linux test 2.6.18-238.12cc.el5 #1 SMP Thu Mar 3 12:19:21 CET 2011 x86_64 x86_64 x86_64 GNU/Linux"

This is not the first time I'm using cyrus-sasl, and many of my programs work perfectly with it (using it as a client, client_start() etc...).

That's the first time I'm trying to use the server functionality on Linux (server_start()), and for this I've tried this:

1) My kerberos configuration is working (MIT flavor), I can do a "kinit rferrand@xxxxxxxx" and retrieve my TGT.

2) My server, call it "ccsasld.in2p3.fr", has its keytab with those entries:

    FILE:/etc/krb5.keytab:

    Vno  Type                     Principal                           Key  Aliases
      1  des-cbc-md5              testsasl/ccsasld.in2p3.fr@xxxxxxxx  xxxxxxxxxxxxxx
      1  des-cbc-md4              testsasl/ccsasld.in2p3.fr@xxxxxxxx  xxxxxxxxxxxxxx
      1  des-cbc-crc              testsasl/ccsasld.in2p3.fr@xxxxxxxx  xxxxxxxxxxxxxx
      1  aes256-cts-hmac-sha1-96  testsasl/ccsasld.in2p3.fr@xxxxxxxx  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      1  arcfour-hmac-md5         testsasl/ccsasld.in2p3.fr@xxxxxxxx  xxxxxxxxxxxxxxxxxxxxxxxxxxxx
      1  des3-cbc-sha1            testsasl/ccsasld.in2p3.fr@xxxxxxxx  xxxxxxxxxxxxxxxxxxxxxxxxxxx

"ccsasld.in2p3.fr" is the machine name, not a DNS alias or something like this, so there is no reverse name resolution problem here.
3)

    # type pluginviewer
    pluginviewer is hashed (/usr/sbin/pluginviewer)
    # rpm -qf /usr/sbin/pluginviewer
    cyrus-sasl-2.1.22-5.el5_4.3.x86_64
    cyrus-sasl-2.1.22-5.el5_4.3.i386

pluginviewer lists:

    Installed SASL (server side) mechanisms are:
    GSSAPI ANONYMOUS CRAM-MD5 LOGIN PLAIN DIGEST-MD5 EXTERNAL

    Installed SASL (client side) mechanisms are:
    GSSAPI ANONYMOUS CRAM-MD5 LOGIN PLAIN DIGEST-MD5 EXTERNAL

4) I'm here trying to use GSSAPI, and I'm using the sasl2-sample-server shipped with cyrus-sasl-devel-2.1.22-5.el5_4.3.

Here is my procedure:

On the server ccsasld.in2p3.fr:

    # sasl2-sample-server -p 12345 -s testsasl
    trying 10, 1, 6
    trying 2, 1, 6
    bind: Address already in use
    accepted new connection
    send: {48}
    GSSAPI ANONYMOUS CRAM-MD5 LOGIN PLAIN DIGEST-MD5
    recv: {6}
    GSSAPI
    recv: {1}
    Y
    recv: {623}
    `[82][2]k[6][9]*[86]H[86][F7][12][1][2][2][1][0]n[82][2]Z0[82][2]V[A0][3][...][1]j0[82][1]f[A0][3][2][1][5][A1][A][1B][8]IN2P3.FR[A2](0&[A0][3][2][1][3][A1][1F]0[1D][1B][8]testsasl[1B][11]ccsasld.in2p3.fr[A3][82][1]'0[82][1]#[A0][3][2][1][12][A1][3][2][1][1][A2][82][1][15][4][...]"
    starting SASL negotiation: authentication failure
    closing connection

On the client ccsasld.in2p3.fr (I've also tried from another machine, same results...):

    # /usr/kerberos/bin/kinit rferrand
    Password for rferrand@xxxxxxxx: xxxxx
    # sasl2-sample-client -p 12345 -s testsasl ccsasld.in2p3.fr
    receiving capability list... recv: {48}
    GSSAPI ANONYMOUS CRAM-MD5 LOGIN PLAIN DIGEST-MD5
    GSSAPI ANONYMOUS CRAM-MD5 LOGIN PLAIN DIGEST-MD5
    please enter an authorization id: rferrand        << USER INTERACTION
    send: {6}
    GSSAPI
    send: {1}
    Y
    send: {623}
    `[82][2]k[6][9]*[86]H[86][F7][12][1][2][2][1][0]n[82][2]Z0[82][2]V[A0][...][1]j0[82][1]f[A0][3][2][1][5][A1][A][1B][8]IN2P3.FR[A2](0&[A0][3][2][1][3][A1][1F]0[1D][1B][8]testsasl[1B][11]ccsasld.in2p3.fr[A3][...]"
    authentication failed
    closing connection

The client retrieves the Ticket Granting Service, so the Krb5 part is functional here...

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: rferrand@xxxxxxxx

    Valid starting     Expires            Service principal
    03/30/11 17:56:16  03/31/11 17:56:12  krbtgt/IN2P3.FR@xxxxxxxx
    03/30/11 17:56:30  03/31/11 17:56:12  testsasl/ccsasld.in2p3.fr@

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

Nothing appears in the log, on stderr or anywhere...

Does anybody have any suggestions? I'm stuck here and I've tried every trick I knew without success...

Thanks in advance :)

Cheers
R.

--
Remi Ferrand              | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80  | et de Physique des Particules
Fax. +33(0)4.72.69.41.70  | Centre de Calcul - http://cc.in2p3.fr/
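
An added example, not part of the original post: a small Python decoder for the `{623}` frame shown in the sample-server and sample-client output, which checks that the frame starts with a well-formed GSS-API initial context token for the Kerberos V5 mechanism. It assumes the dump format seen in the post (printable bytes literal, other bytes as `[HEX]`); the function names are hypothetical, and only the frame prefix before the first `[...]` elision is parsed.

```python
import re

KRB5_MECH_OID = "1.2.840.113554.1.2.2"  # Kerberos V5 GSS-API mechanism (RFC 1964)
# Start of the {623} frame, copied from the post up to its first "[...]" elision.
DUMP_PREFIX = "`[82][2]k[6][9]*[86]H[86][F7][12][1][2][2][1][0]n[82][2]Z"

def undump(text):
    """Rebuild bytes from the dump: printable bytes are literal, others are [HEX].
    Assumption: format inferred from the output in the post."""
    out = bytearray()
    for hexval, literal in re.findall(r"\[([0-9A-Fa-f]{1,2})\]|(.)", text, re.S):
        out.append(int(hexval, 16) if hexval else ord(literal))
    return bytes(out)

def der_length(buf, pos):
    """Read a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_gss_initial_token(buf):
    """Parse the RFC 2743 framing: 0x60, length, mechanism OID, then mech token."""
    if buf[:1] != b"\x60":
        raise ValueError("not a GSS-API initial context token")
    inner_len, pos = der_length(buf, 1)
    total_len = pos + inner_len           # should equal the {N} frame size
    if buf[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = der_length(buf, pos + 1)
    oid = decode_oid(buf[pos:pos + oid_len])
    tok_id = buf[pos + oid_len:pos + oid_len + 2]   # RFC 1964: 01 00 = AP-REQ
    return {"total_len": total_len, "mech_oid": oid, "tok_id": tok_id.hex(),
            "is_krb5_ap_req": oid == KRB5_MECH_OID and tok_id == b"\x01\x00"}

if __name__ == "__main__":
    print(parse_gss_initial_token(undump(DUMP_PREFIX)))
```

The declared token length works out to 623 bytes, the same as the `{623}` frame size in both dumps, and the token id marks a Kerberos AP-REQ.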