Hi all,

Currently I'm battling with FDS, Kerberos and SASL to get a working single-sign-on setup. At the moment I have a working Kerberos realm to which I can successfully connect. I also have a working FDS with one user for testing purposes. saslauthd is also configured, and running testsaslauthd is OK. But now I'm having trouble convincing FDS to authenticate users via Kerberos.

I have read http://directory.fedoraproject.org/wiki/Howto:Kerberos and http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165, but I don't think it's that simple. At least it's not yet working for me.

When I try to bind to FDS via GSSAPI, the following error occurs:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith@xxxxxxx

# ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied)

I have tried several combinations of config files and password entries, but none worked. So first of all I'd like to ask a few questions to shed light on a few things:

1. Do I need saslauthd on every client which I want to authenticate via FDS/Kerberos?
2. Do I need a host principal for every client?

Here is my current configuration; please correct me if there are some unneeded files (these were built together from several tutorials):

/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AFB.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 AFB.LAN = {
  kdc = vafbkrb01.afb.lan:88
  admin_server = vafbkrb01.afb.lan:749
  default_domain = afb.lan
 }

[domain_realm]
 .afb.lan = AFB.LAN
 afb.lan = AFB.LAN

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

/etc/ldap.conf

host 172.16.50.2
base dc=afb,dc=lan
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
SASL_MECH GSSAPI
SASL_REALM AFB.LAN
use_sasl on
sasl_auth_id ldap/vafbds01.afb.lan

/etc/sysconfig/saslauthd

SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
FLAGS=

/usr/lib/sasl2/slapd.conf

mech_list: plain gssapi digest-md5 cram-md5 external
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab

SASL mapping:

nssaslmapfiltertemplate: (uid=\1)
nssaslmapregexstring: \(.*\)@\(.*\)

/opt/fedora-ds/slapd-vafbds01/start-slapd contains:

export KRB5_KTNAME=/etc/krb5.keytab

The password entry for bsmith in FDS contains:

{SASL}bsmith@xxxxxxx

FDS supports the following SASL mechanisms:

# ldapsearch -x -D "uid=bsmith,ou=People,dc=afb,dc=lan" -b "" -s base supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

DNS (forward & reverse) as well as NTP settings are correct on all hosts.

Are there any obvious mistakes in my configuration, or am I on the right track?

Thanks in advance!

Best regards,
Johannes Hintermayer

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
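The nssaslmapregexstring / nssaslmapfiltertemplate pair in the post decides which directory entry an authenticated Kerberos principal is mapped to. As an added illustration (not code from the post or from Directory Server itself), the Python below applies that mapping the way the server does; it assumes the regex has to match the whole SASL identity, assumes a base DN template of dc=afb,dc=lan (the post does not show one), and the realm-pinned STRICT_REGEX is my suggestion, not something from the post.

```python
import re
from typing import Optional, Tuple


def posix_to_python(regex: str) -> str:
    """Translate the \\( \\) capture groups of the POSIX-style regex used in
    nsSaslMapRegexString into Python's ( ) syntax. Only grouping is translated;
    the regex from the post needs nothing else."""
    return regex.replace(r"\(", "(").replace(r"\)", ")")


def expand_template(template: str, match: "re.Match[str]") -> str:
    """Substitute \\1, \\2, ... in a DN or filter template with captured groups."""
    return re.sub(r"\\(\d+)", lambda m: match.group(int(m.group(1))), template)


def map_identity(identity: str, regex: str, filter_template: str,
                 base_template: str) -> Optional[Tuple[str, str]]:
    """Return (search base, search filter) for an authenticated SASL identity,
    or None when the identity does not match the mapping's regex, in which case
    the bind cannot be mapped to an entry. Assumption: the regex must match the
    whole identity (anchored match)."""
    match = re.fullmatch(posix_to_python(regex), identity)
    if match is None:
        return None
    return expand_template(base_template, match), expand_template(filter_template, match)


# Constructed sample values, taken from the mapping shown in the post.
POST_REGEX = r"\(.*\)@\(.*\)"       # accepts a principal from ANY realm
STRICT_REGEX = r"\(.*\)@AFB\.LAN"   # only principals of the local realm (my suggestion)
FILTER_TEMPLATE = r"(uid=\1)"
BASE_TEMPLATE = "dc=afb,dc=lan"     # assumed nsSaslMapBaseDNTemplate; not in the post

if __name__ == "__main__":
    for ident in ("bsmith@AFB.LAN", "bsmith@OTHER.REALM", "bsmith"):
        print(ident, "->", map_identity(ident, POST_REGEX, FILTER_TEMPLATE, BASE_TEMPLATE),
              "| strict:", map_identity(ident, STRICT_REGEX, FILTER_TEMPLATE, BASE_TEMPLATE))
```

With the post's regex, bsmith@OTHER.REALM maps to the same (uid=bsmith) entry as bsmith@AFB.LAN, which is why pinning the realm in the regex is worth considering once cross-realm trust exists. The mapping is only consulted after the GSSAPI exchange itself succeeds, so it is worth checking separately that the slapd process can read the keytab named in KRB5_KTNAME.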