Hintermayer Johannes
2007-Jul-25 14:06 UTC
[Fedora-directory-users] FDS, Kerberos, SASL confusion
Hi all,
Currently I'm battling with FDS, Kerberos and SASL to get a working
Single-Sign-On setup.
At the moment I have a working Kerberos Realm to which I can
successfully connect. I also have a working FDS with one user for
testing purposes. Saslauthd is also configured and executing
testsaslauthd is ok.
But now I have problems convincing FDS to authenticate users via
Kerberos. I have read
http://directory.fedoraproject.org/wiki/Howto:Kerberos and
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165
but I don't think it's that simple. At least it's not yet working for
me.
When I try to bind to FDS via GSSAPI the following error occurs:
#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith@AFB.LAN
#ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (Permission denied)
I have tried several combinations of config files and password entries
but none worked.
So first of all I'd like to ask a few questions to shed light on a few
things:
1. Do I need saslauthd on every client which I want to authenticate via
FDS/Kerberos?
2. Do I need a host principal for every client?
Here is my current configuration, please correct me if there are some
unneeded files (these were built together from several tutorials):
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AFB.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
AFB.LAN = {
kdc = vafbkrb01.afb.lan:88
admin_server = vafbkrb01.afb.lan:749
default_domain = afb.lan
}
[domain_realm]
.afb.lan = AFB.LAN
afb.lan = AFB.LAN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/ldap.conf
host 172.16.50.2
base dc=afb,dc=lan
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
SASL_MECH GSSAPI
SASL_REALM AFB.LAN
use_sasl on
sasl_auth_id ldap/vafbds01.afb.lan
/etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
FLAGS
/usr/lib/sasl2/slapd.conf
mech_list: plain gssapi digest-md5 cram-md5 external
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab
SASL Mapping:
nssaslmapfiltertemplate: (uid=\1)
nssaslmapregexstring: \(.*\)@\(.*\)
/opt/fedora-ds/slapd-vafbds01/start-slapd contains:
"export KRB5_KTNAME=/etc/krb5.keytab"
The password entry for bsmith in FDS contains:
{SASL}bsmith@AFB.LAN
FDS supports the following SASLMechanisms
#ldapsearch -x -D "uid=bsmith,ou=People,dc=afb,dc=lan" -b ""
-s base
supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
#
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
DNS (forward & reverse) as well as NTP settings are correct on all
hosts.
Are there any obvious mistakes in my configuration or am I on the right
track?
Thanks in advance!
Best regards,
Johannes Hintermayer
Rob Crittenden
2007-Jul-25 15:19 UTC
Re: [Fedora-directory-users] FDS, Kerberos, SASL confusion
Hintermayer Johannes wrote:
> Hi all,
>
> currently I'm battling with FDS, Kerberos and SASL to get a working
> Single-Sign-On setup.
>
> At the moment I have a working Kerberos Realm to which I can
> successfully connect. I also have a working FDS with one user for
> testing purposes. Saslauthd is also configured and executing
> testsaslauthd is ok.
>
> But now I have problems to convince FDS to authenticate users via
> Kerberos. I have read
> http://directory.fedoraproject.org/wiki/Howto:Kerberos and
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165
> but I don't think it's that simple. At least it's not yet working for
> me.
>
> When I try to bind to FDS via GSSAPI the following error occurs:
>
> #klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: bsmith@AFB.LAN
>
> #ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
> ldap_initialize( <DEFAULT> )
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (Permission denied)

Does the user that FDS runs as have read access to your keytab, /etc/krb5.keytab?

rob
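Rob's question (can the account the directory server runs as read the keytab named in KRB5_KTNAME?) and the later advice to keep the host keytab readable only by root both come down to file ownership and mode bits. The following is an added example, not code from this thread or from Fedora DS: a small check that reports whether a keytab is readable by a given service account and whether it leaks to other local users. The service user name and keytab path are caller-supplied; the keytab written by demo() is a constructed placeholder (only the two magic bytes), not a real key file.

```python
"""Report ownership and permission problems with a Kerberos keytab.

Added illustration for the thread above; not code from the thread or from
Fedora DS. The service account and keytab path are parameters chosen by
the caller.
"""
import os
import pwd
import stat
import tempfile
from typing import Dict, List


def keytab_problems(path: str, service_user: str) -> List[str]:
    """Return a list of problems; an empty list means the keytab looks right.

    "Right" here means: the file exists and is a regular file, the service
    account can read it through the owner or group bits, and no bit grants
    access to other users (a world-readable keytab hands its keys to every
    local account, which defeats the point of the "Permission denied" that
    the poster hit in the first place).
    """
    problems: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    try:
        pw = pwd.getpwnam(service_user)
    except KeyError:
        return problems + [f"{service_user}: no such user"]

    mode = stat.S_IMODE(st.st_mode)
    owner_can_read = st.st_uid == pw.pw_uid and bool(mode & stat.S_IRUSR)
    group_can_read = st.st_gid == pw.pw_gid and bool(mode & stat.S_IRGRP)
    if not (owner_can_read or group_can_read):
        problems.append(
            f"{path}: not readable by {service_user} "
            f"(owner uid {st.st_uid}, gid {st.st_gid}, mode {mode:04o})"
        )
    if mode & stat.S_IROTH:
        problems.append(f"{path}: world-readable (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group or others (mode {mode:04o})")
    return problems


def demo() -> Dict[str, List[str]]:
    """Exercise the check on a constructed keytab in a temporary directory.

    The file contents are a placeholder (keytab format magic only); the
    service account is whoever runs this script.
    """
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ldap.keytab")
        with open(path, "wb") as f:
            f.write(b"\x05\x02")  # constructed placeholder, not a real keytab
        os.chmod(path, 0o600)
        private = keytab_problems(path, me)      # expected: no problems
        os.chmod(path, 0o644)
        shared = keytab_problems(path, me)       # expected: world-readable
        missing = keytab_problems(os.path.join(d, "host.keytab"), me)
    return {"private": private, "shared": shared, "missing": missing}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, "->", found or "ok")
```

In the poster's layout the same file, /etc/krb5.keytab, has to satisfy two conflicting requirements: the directory server's account must read it, while the host principal's key should stay root-only. Running keytab_problems() once per keytab with the appropriate account makes that conflict visible, which is why the thread's suggestion of a separate ldap/ keytab is the cleaner fix.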
Gordon Messmer
2007-Jul-26 19:45 UTC
Re: [Fedora-directory-users] FDS, Kerberos, SASL confusion
Hintermayer Johannes wrote:
>
> #ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
> ldap_initialize( <DEFAULT> )
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (Permission denied)

I see that having fixed your permissions, that error is now "SASL(-14): authorization failure:". Is there any more information in the error logs?

> I have tried several combinations of config files and password entries
> but none worked.

As far as I know, the userpassword contents are evaluated by OpenLDAP, but not by Fedora DS. That attribute's contents shouldn't make any difference when you're using GSSAPI authentication. You can delete the attribute if you're not storing an actual password.

> 1. Do I need saslauthd on every client which I want to authenticate via
> FDS/Kerberos?

No. You don't need to configure it on the server, either.

> 2. Do I need a host principal for every client?

No. You don't even need one on the server for authenticating LDAP connections.

> Here is my current configuration, please correct me if there are some
> unneeded files (these were built together from several tutorials):
>
> /etc/krb5.conf

That looks fine.

> /etc/ldap.conf
>
> host 172.16.50.2
> base dc=afb,dc=lan
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
> SASL_MECH GSSAPI
> SASL_REALM AFB.LAN
> use_sasl on
> sasl_auth_id ldap/vafbds01.afb.lan

I'm not sure how much of the SASL stuff is required. I don't have any of it in my own configs. Try commenting all of the SASL related lines, and see if anything changes.

> /etc/sysconfig/saslauthd

You don't need saslauthd.

> /usr/lib/sasl2/slapd.conf

...nor do you need this.

> SASL Mapping:
> nssaslmapfiltertemplate: (uid=\1)
> nssaslmapregexstring: \(.*\)@\(.*\)

Under what DN are you storing that? Have you tried without the '\' characters in nssaslmapregexstring? The Howto disagrees with the manual about this... I don't use '\' characters in my working configuration.

> /opt/fedora-ds/slapd-vafbds01/start-slapd contains:
> "export KRB5_KTNAME=/etc/krb5.keytab"

In order to protect your host keytab, you should store the LDAP server's keytab in a different file. The host keytab should be readable only by root.
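The exchange about nssaslmapregexstring turns on which regex dialect the mapping is interpreted in: if the parentheses are group delimiters, `(.*)@(.*)` captures the user part of `bsmith@AFB.LAN` and `(uid=\1)` becomes `(uid=bsmith)`; if the engine treats `\(` as a literal parenthesis, the backslashed rule never matches a normal principal and the bind ends in an authorization failure like the SASL(-14) one Gordon mentions. The script below is an added example, not code from the thread or from Fedora DS, and it uses Python's regex dialect, which may not be the one the directory server uses; it is meant to show the mechanics of a mapping rule (regex plus filter template), including why a rule that ignores the realm maps any realm's user onto a local uid, rather than to state how FDS parses the attribute.

```python
"""Simulate a SASL identity-to-DN mapping rule: regex + filter template.

Added illustration for the thread above; not code from Fedora DS. Uses
Python's `re` dialect, so it models the unescaped-parentheses reading of
the rule; the server's own regex engine may differ.
"""
import re
from typing import Dict, Optional


def map_sasl_identity(identity: str, regex: str, filter_template: str) -> Optional[str]:
    """Apply one mapping rule to an authenticated SASL identity.

    Returns the LDAP search filter the server would use to find the entry,
    or None when the rule does not match the whole identity or the template
    refers to a group the regex did not capture.
    """
    try:
        match = re.fullmatch(regex, identity)
        if match is None:
            return None
        return match.expand(filter_template)  # substitutes \1, \2, ...
    except re.error:
        # e.g. template uses \1 but the regex captured nothing
        return None


def demo() -> Dict[str, Optional[str]]:
    """Run a few rules against constructed principals (not from a real KDC)."""
    unescaped = r"(.*)@(.*)"            # groups in Python / ERE-style syntax
    escaped = r"\(.*\)@\(.*\)"          # the poster's rule, read literally
    realm_bound = r"(.*)@AFB\.LAN"      # only accept the local realm
    template = r"(uid=\1)"
    return {
        "unescaped, local user":
            map_sasl_identity("bsmith@AFB.LAN", unescaped, template),
        "escaped, local user":
            map_sasl_identity("bsmith@AFB.LAN", escaped, template),
        "escaped, literal parens in name":
            map_sasl_identity("(bsmith)@(AFB.LAN)", escaped, template),
        "unescaped, foreign realm":
            map_sasl_identity("bsmith@OTHER.EXAMPLE", unescaped, template),
        "realm-bound, foreign realm":
            map_sasl_identity("bsmith@OTHER.EXAMPLE", realm_bound, template),
        "realm-bound, local user":
            map_sasl_identity("bsmith@AFB.LAN", realm_bound, template),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:35s} -> {result}")
```

Two things the output makes concrete: with the unescaped rule a local principal maps to `(uid=bsmith)`, while the escaped rule matches nothing sensible (None for `bsmith@AFB.LAN`, and still None for a name with literal parentheses because no group was captured); and the unescaped `(.*)@(.*)` also maps `bsmith@OTHER.EXAMPLE` to `(uid=bsmith)`, so if the KDC ever trusts another realm, pinning the realm in the regex (as in realm_bound) is the way to keep that foreign principal from being looked up as the local user.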