[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Heimdal/OpenLDAP/Samba howto and bugreport
Hi,
I tried setting up the latest heimdal snapshot today to test Bartlets
patches.
These are my experiences / bugreports / suggestions. This document is
also attached, and I ask that you include it in the snappshoits for now
as it might help others :-).
I hope to update it as things start to work.
PS: I also posted this via gnews, so you might get this post twice.
Cheers!
Tarjei
Basic procedure:
1. Compile the latest heimdal-snapshot :
./configure --prefix=/usr/local/heimdal --with-openldap=/usr
make
make install
2. Edit /etc/openldap/slapd.conf
- add
include /etc/openldap/schema/krb5-kdc.schema
- comment out minssf lines like this one:
sasl-secprops minssf=128
As the external method used by heimdal does not have an ssf>0 (of
someone comes up with a suggested solution to this please give it too
me).
- modify the relevant acls by adding:
by sockurl="^ldapi:///$" write
example:
access to dn="(.*,)?o=nu,c=no"
attr="userPassword,sambaLMPassword,sambaNTPassword"
by dn="uid=samba,ou=services,o=nu,c=no" write
by sockurl="^ldapi:///$" write
by * auth
- Consider adding some indexes as well (TODO).
3. Modify the OpenLDAP startupscript and add ldapi:/// to the -h part.
In SuSE I edited the line:
SLAPD_URLS="ldap:/// ldapi:///"
^^^^^^^^^ added this
in /etc/init.d/ldap.
For other distros: This is the equivalent of: slapd -h ldap:///
ldapi:/// ..
Rememeber to restart openldap.
4. touch the mkey file. If you're using the supplied conf file:
# touch /var/heimdal/mkey
5. Start the kdc and check for errors.
6. Make sure the dn you're trying to authenticate as has the account
objectclass. I had to turn schemachecking off in slapd.conf and add
this objectclass to my user to get Heimdal working :(
7. Do some tests, fx. kinit and se if you get in.
Pitfalls/Troubleshootingtips:
The ldapcode in Heimdal likes to output errors that might not be simple
for the user to understand. I'll try to document them here for further
reference:
1. invalid DN
You may get this when you run kadmin -l, init. In my case it meant that
the kdc-krb5.schema file was not set up in slapd.conf.
Suggested solution: Search the openldapserver for the schemaentry and
emit a warning if you cannot find it. This is a nicer way to handle this
error.
2. Write access to parent denied.
You may get this when you run kadmin -l, init. In my case (yes, I'm
cut-and patsing now) this was because I was missing a / in the slapd
startupline, like this:
slapd -h ldap:/// ldapi:/// ldaps:///
^ this was missing.
3.class 'krb5KDCEntry' requires attribute 'krb5KeyVersionNumber'
You may get this when you run kadmin -l, init. I'm not sure if this is
related to (2) or if it is a separate error. If it is a separate error,
you may get around it by setting
schemacheck off
in slapd.conf, but this is not the way to do it.
Bugs:
- The code that searches for an account searches for
(&(objectclass=account)(uid=<username>)). This defeats some of the
purpose of using ldap, namely the option to be able to define and
structure your information in an quite arbitary way. In this case, a lot
of people (me included) use inetOrgPerson as the base objectclass
instead of account. Samba as such does not have any problems with this,
and neither should Heimdal. I therefore suggest that the user should be
able to set this in kdc.conf.
- kpasswdd segfaults when I try to change a password. I strace can be
supplied to the developers if you want it. Changing the password by just
modifying the sambaNTPassword works.
- The manpage krb5.conf does not tell the user what possible values the
DATABASE directive may take. AFAIK this would help the reader:
DATABASE may take the following values:
file:/path/to/datafile
ldap:<basedn>
It should also be noted that you should set the value
hdb-ldap-structural-object when using ldap as the kdcdatabase.
(formatted for inclusion in the manfile)
Connecting to OpenLDAP via krb [MOSTLY A BUGREPORT]
This document describes the procedure:
http://www.arslinux.com/viewcvs.cgi/*checkout*/ldap.ars/kerberos-notes.txt?rev=1.7
However; I got a segfault instead when the server didn't find an entry
in the ldapdb.
add --random-key host/elprinsessekaja.mail2.bergfald.no
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin: kadm5_create_principal: Unknown error 36150281
kadmin: kadm5_randkey_principal: Principal does not exist
kadmin: adding host/elprinsessekaja.mail2.bergfald.no: Principal does
not exist
kadmin> add --random-Segmentation faultja.mail2.bergfald.no
A bit of searching in the ldaplogs gave me the answer:
ay 25 18:31:21 elprinsessekaja slapd[31106]: conn=16 op=3 ADD
dn="krb5PrincipalName=host/elprinsessekaja.mail2.bergfald.no@NU.NO,o=nu,c=no"
May 25 18:31:21 elprinsessekaja slapd[31106]: conn=16 op=3 RESULT
tag=105 err=65 text=no structural object class provided
Again, bit by the schemabug :-/. I modify my slapd.conf file to get the
show on the road again.
Then , when I try
kadmin> ext host/elprinsessekaja.mail2.bergfald.no I get:
kadmin: krb5_kt_add_entry: End of credential cache reached
it seems that the kdc tries to search the ldapdatabase with the
following as base:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>From the log:
May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 SRCH
base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" scope=2
filter="(objectClass=krb5Principal)"
May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 SRCH attr=cn
createTimestamp creatorsName krb5PrincipalName krb5PrincipalRealm
modifiersName modifyTimestamp objectClass uid
May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 RESULT
tag=101 err=32 text=
OpenLDAP gives the errorcode 32, i.e. no such object.
You also need to add the following to your slapd.conf's sasl section:
sasl-realm NU.NO
sasl-host elprinsessekaja.mail2.bergfald.no
sasl-authz-policy both
sasl-regexp
uid=(.+),cn=NU.NO,cn=gssapi,cn=auth
uid=$1,ou=People,o=nu,c=no
Links:
http://www.padl.com/Research/Heimdal.html
http://marc.theaimsgroup.com/?l=samba-technical&m=107748396331431&w=2
http://www.bayour.com/
http://www.openldap.org/doc/admin21/
http://www.arslinux.com/viewcvs.cgi/*checkout*/ldap.ars/kerberos-notes.txt?rev=1.7
/var/heimdal/kdc.conf:
[libdefaults]
default_realm = NU.NO
clockskew = 300
# Set this to false to disable MIT krb5 compatibility
# in GSSAPI get_mic/verify_mic, and become compatible
# with older Heimdal releases instead.
gss_mit_compat = true
[realms]
NU.NO = {
kdc = 127.0.0.1
default_domain=nu.no
admin_server = 127.0.0.1
}
[domain_realm]
.nu.no = NU.NO
[logging]
default = SYSLOG:NOTICE:DAEMON
[kdc]
database = {
dbname = ldap:o=nu,c=no
hdb-ldap-structural-object = sambaDomainName=NU-TEST,o=nu,c=no
mkey_file = /var/heimdal/mkey
}
Note: This is a document written in anger (not over Heimdal or Samba) after knode chrashed and deleted some 2 - 3 pages of howto on this subject.
However, I think the end result is good enough anyway.
I tried setting up the latestheimdal snapshot today to test Bartletts sambapatches.
These are my experiences / bugreports / suggestions. This document is also attached, and I ask that you include it in the snappshoits for now as it might help others :-).
Basic procedure:
1. Compile the latest heimdal-snapshot :
./configure --prefix=/usr/local/heimdal --with-openldap=/usr
make
make install
2. Edit /etc/openldap/slapd.conf
- add
include /etc/openldap/schema/krb5-kdc.schema
- comment out minssf lines like this one:
sasl-secprops minssf=128
As the external method used by heimdal does not have an ssf>0 (of someone comes up with a suggested solution to this please give it too me).
- modify the relevant acls by adding:
by sockurl="^ldapi:///$" write
example:
access to dn="(.*,)?o=nu,c=no" attr="userPassword,sambaLMPassword,sambaNTPassword"
by dn="uid=samba,ou=services,o=nu,c=no" write
by sockurl="^ldapi:///$" write
by * auth
- Consider adding some indexes as well (TODO).
3. Modify the OpenLDAP startupscript and add ldapi:/// to the -h part.
In SuSE I edited the line:
SLAPD_URLS="ldap:/// ldapi:///"
^^^^^^^^^ added this
in /etc/init.d/ldap.
For other distros: This is the equivalent of: slapd -h ldap:/// ldapi:/// ..
Rememeber to restart openldap.
4. touch the mkey file. If you're using the supplied conf file:
# touch /var/heimdal/mkey
5. Start the kdc and check for errors.
6. Make sure the dn you're trying to authenticate as has the account objectclass. I had to turn schemachecking off in slapd.conf and add this objectclass to my user to get Heimdal working :(
7. Do some tests, fx. kinit and se if you get in.
Pitfalls/Troubleshootingtips:
The ldapcode in Heimdal likes to output errors that might not be simple for the user to understand. I'll try to document them here for further reference:
1. invalid DN
You may get this when you run kadmin -l, init. In my case it meant that the kdc-krb5.schema file was not set up in slapd.conf.
Suggested solution: Search the openldapserver for the schemaentry and emit a warning if you cannot find it. This is a nicer way to handle this error.
2. Write access to parent denied.
You may get this when you run kadmin -l, init. In my case (yes, I'm cut-and patsing now) this was because I was missing a / in the slapd startupline, like this:
slapd -h ldap:/// ldapi:/// ldaps:///
^ this was missing.
3.class 'krb5KDCEntry' requires attribute 'krb5KeyVersionNumber'
You may get this when you run kadmin -l, init. I'm not sure if this is related to (2) or if it is a separate error. If it is a separate error, you may get around it by setting
schemacheck off
in slapd.conf, but this is not the way to do it.
Bugs:
- The code that searches for an account searches for (&(objectclass=account)(uid=<username>)). This defeats some of the purpose of using ldap, namely the option to be able to define and structure your information in an quite arbitary way. In this case, a lot of people (me included) use inetOrgPerson as the base objectclass instead of account. Samba as such does not have any problems with this, and neither should Heimdal. I therefore suggest that the user should be able to set this in kdc.conf.
- kpasswdd segfaults when I try to change a password. I strace can be supplied to the developers if you want it. Changing the password by just modifying the sambaNTPassword works.
- The manpage krb5.conf does not tell the user what possible values the DATABASE directive may take. AFAIK this would help the reader:
DATABASE may take the following values:
file:/path/to/datafile
ldap:<basedn>
It should also be noted that you should set the value hdb-ldap-structural-object when using ldap as the kdcdatabase.
(formatted for inclusion in the manfile)
Connecting to OpenLDAP via krb [MOSTLY A BUGREPORT]
This document describes the procedure:
http://www.arslinux.com/viewcvs.cgi/*checkout*/ldap.ars/kerberos-notes.txt?rev=1.7
However; I got a segfault instead when the server didn't find an entry in the ldapdb.
add --random-key host/elprinsessekaja.mail2.bergfald.no
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin: kadm5_create_principal: Unknown error 36150281
kadmin: kadm5_randkey_principal: Principal does not exist
kadmin: adding host/elprinsessekaja.mail2.bergfald.no: Principal does not exist
kadmin> add --random-Segmentation faultja.mail2.bergfald.no
A bit of searching in the ldaplogs gave me the answer:
ay 25 18:31:21 elprinsessekaja slapd[31106]: conn=16 op=3 ADD dn="krb5PrincipalName=host/elprinsessekaja.mail2.bergfald.no@NU.NO,o=nu,c=no"
May 25 18:31:21 elprinsessekaja slapd[31106]: conn=16 op=3 RESULT tag=105 err=65 text=no structural object class provided
Again, bit by the schemabug :-/. I modify my slapd.conf file to get the show on the road again.
Then , when I try
kadmin> ext host/elprinsessekaja.mail2.bergfald.no I get:
kadmin: krb5_kt_add_entry: End of credential cache reached
it seems that the kdc tries to search the ldapdatabase with the following as base:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>From the log:
May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 SRCH base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" scope=2 filter="(objectClass=krb5Principal)"
May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 SRCH attr=cn createTimestamp creatorsName krb5PrincipalName krb5PrincipalRealm modifiersName modifyTimestamp objectClass uid
May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 RESULT tag=101 err=32 text=
OpenLDAP gives the errorcode 32, i.e. no such object.
You also need to add the following to your slapd.conf's sasl section:
sasl-realm NU.NO
sasl-host elprinsessekaja.mail2.bergfald.no
sasl-authz-policy both
sasl-regexp
uid=(.+),cn=NU.NO,cn=gssapi,cn=auth
uid=$1,ou=People,o=nu,c=no
Links:
http://www.padl.com/Research/Heimdal.html
http://marc.theaimsgroup.com/?l=samba-technical&m=107748396331431&w=2
http://www.bayour.com/
http://www.openldap.org/doc/admin21/
http://www.arslinux.com/viewcvs.cgi/*checkout*/ldap.ars/kerberos-notes.txt?rev=1.7
/var/heimdal/kdc.conf:
[libdefaults]
default_realm = NU.NO
clockskew = 300
# Set this to false to disable MIT krb5 compatibility
# in GSSAPI get_mic/verify_mic, and become compatible
# with older Heimdal releases instead.
gss_mit_compat = true
[realms]
NU.NO = {
kdc = 127.0.0.1
default_domain=nu.no
admin_server = 127.0.0.1
}
[domain_realm]
.nu.no = NU.NO
[logging]
default = SYSLOG:NOTICE:DAEMON
[kdc]
database = {
dbname = ldap:o=nu,c=no
hdb-ldap-structural-object = sambaDomainName=NU-TEST,o=nu,c=no
mkey_file = /var/heimdal/mkey
}