
Re: OpenLDAP / SASL / Heimdal



Andreas Haupt wrote:

>On Monday, 7 June 2004 13:02, sam wrote:
>
>>Andreas Haupt wrote:
>>
>>>Hello,
>>>
>>>I'm trying to setup OpenLDAP with SASL2 and Heimdal. When trying to
>>>authenticate I get the following error in the log files:
>>>
>>>2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/dice.hmi.de@HMI.DE
>>>2004-06-07T11:43:01 TGS-REQ blh@HMI.DE from IPv4:134.30.5.92 for ldap/dice.hmi.de@HMI.DE
>>>2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects request
>>>2004-06-07T11:43:01 Decoding transited encoding: KDC policy rejects request
>>>2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
>>>2004-06-07T11:43:01 sending 115 bytes to IPv4:134.30.5.92
>>>
>>>I don't have a clue what this means and how I can avoid the problem...
>>>Heimdal server is version 0.6 (SuSE 9.0).
>>>
>>>Greetings
>>>Andreas
>>>
>>As root, execute the command "ktutil list" to see whether you have
>>ldap/dice.hmi.de@HMI.DE, and add user blh using kadmin. Then su - blh,
>>run kinit, and try again.
>
>dice:~ # ktutil list
>FILE:/etc/krb5.keytab:
>
>Vno  Type           Principal              
>  1  des-cbc-crc    host/dice.hmi.de@HMI.DE
>  1  des-cbc-md4    host/dice.hmi.de@HMI.DE
>  1  des-cbc-md5    host/dice.hmi.de@HMI.DE
>  1  des3-cbc-sha1  host/dice.hmi.de@HMI.DE
>  1  des-cbc-crc    ldap/dice.hmi.de@HMI.DE
>  1  des-cbc-md4    ldap/dice.hmi.de@HMI.DE
>  1  des-cbc-md5    ldap/dice.hmi.de@HMI.DE
>  1  des3-cbc-sha1  ldap/dice.hmi.de@HMI.DE
>
>krb4:/etc/srvtab:
>
>Vno  Type         Principal              
>  1  des-cbc-md5  host/dice.hmi.de@HMI.DE
>  1  des-cbc-md4  host/dice.hmi.de@HMI.DE
>  1  des-cbc-crc  host/dice.hmi.de@HMI.DE
>  1  des-cbc-md5  ldap/dice.hmi.de@HMI.DE
>  1  des-cbc-md4  ldap/dice.hmi.de@HMI.DE
>  1  des-cbc-crc  ldap/dice.hmi.de@HMI.DE
>dice:~ # ll /etc/krb5.keytab
>-rw-r-----  1 root ldap 498 Jun  4 14:21 /etc/krb5.keytab
>
>blh@dice:~> kinit blh                                          
>blh@HMI.DE's Password: 
>blh@dice:~> klist -v
>Credentials cache: FILE:/tmp/krb5cc_10296
>        Principal: blh@HMI.DE
>    Cache version: 4
>
>Server: krbtgt/HMI.DE@HMI.DE
>Ticket etype: des3-cbc-sha1, kvno 1
>Auth time:  Jun  7 13:07:21 2004
>End time:   Jun  8 14:07:21 2004
>Renew till: Jul  7 13:07:21 2004
>Ticket flags: forwardable, renewable, initial
>Addresses: IPv4:134.30.5.92
>
>blh@dice:~> ldapsearch '(&(objectClass=ipHost)(cn=www.hmi.de))'
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Local error (-2)
>        additional info: SASL(-1): generic failure: GSSAPI Error:  
>Miscellaneous failure (see text) (KDC policy rejects request)
>blh@dice:~> 
>
>I hope this helps. For me everything looks ok... The keytab is readable by 
>the group ldap to let slapd read it (runs with uid/gid ldap).
>
>Greetings
>Andreas
>
>
See if you can execute the following ldapsearch command and check whether the
result contains GSSAPI:
ldapsearch -x -H ldap://dice.hmi.de/ -b "" -s base -LLL supportedSASLMechanisms

Assuming you have populated user root into the LDAP database with slapadd
and added user root to the krb5.keytab file, try the following command:
ldapwhoami -H ldap://dice.hmi.de/ -D "cn=root,dc=www,dc=hmi,dc=com" -Y GSSAPI
The above command probably won't work; if so, try the following command:
ldapwhoami -H ldap://dice.hmi.de/ -D "cn=root,dc=dice,dc=hmi,dc=com" -Y GSSAPI

By the way, have you tested that your GSSAPI is installed correctly by running
the sample-client and sample-server under your cyrus-sasl/sample
directory? That will make sure your SASL installation works with Kerberos
5 correctly.


sam
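As an added example (not part of this thread, nor code from the OpenLDAP, Cyrus SASL or Heimdal projects), a small set of shell checks for the steps discussed above: the service principal is in the keytab, the keytab is readable by slapd but not by everyone else, and the server advertises GSSAPI before the bind is attempted. The slapd user/group ldap:ldap, the run_live_checks helper and the rootDSE sample are assumptions.

```shell
# Added helpers (not from the thread) for the GSSAPI bind failure discussed above.
# Parsers read captured command output on stdin so they can be tried offline;
# run_live_checks wires them to ktutil/ldapsearch/ldapwhoami (ldap:ldap assumed).

# keytab_has_principal <principal>   stdin: "ktutil list" output
# 0 if at least one key for that principal is present, else 1.
keytab_has_principal() {
    awk -v p="$1" '$3 == p { found = 1 } END { exit !found }'
}

# keytab_mode_ok <slapd_user> <slapd_group>   stdin: one "ls -l /etc/krb5.keytab" line
# 0: slapd can read it and it is not world-readable; 1: slapd cannot read it;
# 2: world-readable (any local account could copy the service keys).
keytab_mode_ok() {
    awk -v u="$1" -v g="$2" '
        NR == 1 { seen = 1; mode = $1; owner = $3; group = $4
                  if (substr(mode, 8, 1) == "r") exit 2
                  if (owner == u && substr(mode, 2, 1) == "r") exit 0
                  if (group == g && substr(mode, 5, 1) == "r") exit 0
                  exit 1 }
        END { if (!seen) exit 1 }'
}

# rootdse_offers_gssapi   stdin: "ldapsearch -x -H ldap://HOST/ -b "" -s base -LLL
# supportedSASLMechanisms" output. 0 if GSSAPI is advertised.
rootdse_offers_gssapi() {
    grep -qi '^supportedSASLMechanisms: *GSSAPI *$'
}

# run_live_checks <ldap-host> <realm> [slapd_user] [slapd_group]
# e.g. run_live_checks dice.hmi.de HMI.DE ; stops at the first failing step.
run_live_checks() {
    host=$1 realm=$2 user=${3:-ldap} group=${4:-ldap} rc=0
    ktutil list | keytab_has_principal "ldap/$host@$realm" \
        || { echo "keytab has no key for ldap/$host@$realm"; return 1; }
    ls -l /etc/krb5.keytab | keytab_mode_ok "$user" "$group" || rc=$?
    [ "$rc" -eq 1 ] && { echo "slapd ($user:$group) cannot read /etc/krb5.keytab"; return 1; }
    [ "$rc" -eq 2 ] && { echo "/etc/krb5.keytab is world-readable; make it 0640 root:$group"; return 1; }
    ldapsearch -x -H "ldap://$host/" -b "" -s base -LLL supportedSASLMechanisms \
        | rootdse_offers_gssapi || { echo "slapd does not advertise GSSAPI"; return 1; }
    ldapwhoami -H "ldap://$host/" -Y GSSAPI      # the bind that failed in the thread
}

# Sample captures: keytab listing and ls -l line as posted above; the rootDSE
# answer is a constructed example of a GSSAPI-enabled slapd's reply.
SAMPLE_KEYTAB='Vno  Type           Principal
  1  des3-cbc-sha1  host/dice.hmi.de@HMI.DE
  1  des3-cbc-sha1  ldap/dice.hmi.de@HMI.DE'
SAMPLE_LS='-rw-r-----  1 root ldap 498 Jun  4 14:21 /etc/krb5.keytab'
SAMPLE_ROOTDSE='supportedSASLMechanisms: GSSAPI'
```

Source the file and call run_live_checks on the LDAP host itself; each parser can also be fed a saved capture to review a report sent by someone else.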