MJD Shop Account
2007-Jul-25 19:11 UTC
Re: [Fedora-directory-users] FDS, Kerberos, SASL confusion
>#klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: bsmith@AFB.LAN
>
>#ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v

No credentials?? or did you just edit out the result of klist? You should see at the very least a ticket-granting ticket

>2. Do I need a host principal for every client?

This I am pretty sure is a 'yes you do'

-Marty
Hintermayer Johannes
2007-Jul-26 06:44 UTC
Re: [Fedora-directory-users] FDS, Kerberos, SASL confusion
Hi Marty and Rob,

thanks for your answers.

The FDS user indeed wasn't able to access /etc/krb5.keytab. After I changed that, the error message changed to:

[root@vafbds01 ~]# ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-14): authorization failure:

My klist is as follows:

[root@vafbds01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith@AFB.LAN

Valid starting     Expires            Service principal
07/26/07 08:35:05  07/27/07 08:33:33  krbtgt/AFB.LAN@AFB.LAN

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

After that it changes to

[root@vafbds01 tmp]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith@AFB.LAN

Valid starting     Expires            Service principal
07/26/07 08:41:36  07/27/07 08:39:33  krbtgt/AFB.LAN@AFB.LAN
07/26/07 08:41:40  07/27/07 08:39:33  ldap/vafbds01.afb.lan@AFB.LAN

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

So, at least I do get a ticket for ldap.

When I run "kinit bsmith" I get the following log message on my Kerberos Server:

Jul 26 08:35:05 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431705, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN
Jul 26 08:35:05 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431705, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN

When I run "testsaslauthd -s ldap -u bsmith -p letmein" I see the following log entries:

Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for host/vafbds01.afb.lan@AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for host/vafbds01.afb.lan@AFB.LAN

How do I have to set the password for the user bsmith in FDS? The current setting is:

{SASL}bmsith@AFB.LAN

Is that correct?

Regards,
Johannes Hintermayer

On Wed, 2007-07-25 at 15:11 -0400, MJD Shop Account wrote:
> >#klist
> >Ticket cache: FILE:/tmp/krb5cc_0
> >Default principal: bsmith@AFB.LAN
> >
> >#ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
>
> No credentials?? or did you just edit out the result of klist? You should see at the very least a ticket-granting ticket
>
> >2. Do I need a host principal for every client?
>
> This I am pretty sure is a 'yes you do'
>
> -Marty
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Rob Crittenden
2007-Jul-26 12:43 UTC
Re: [Fedora-directory-users] FDS, Kerberos, SASL confusion
Hintermayer Johannes wrote:
> Hi Marty and Rob,
>
> thanks for your answers.
>
> The FDS user indeed wasn't able to access /etc/krb5.keytab. After I
> changed that, the error message changed to:
>
> [root@vafbds01 ~]# ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
> ldap_initialize( <DEFAULT> )
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-14): authorization failure:
>

Have you seen this: http://directory.fedoraproject.org/wiki/Howto:Kerberos

rob
Hintermayer Johannes
2007-Jul-26 13:04 UTC
Re: [Fedora-directory-users] FDS, Kerberos, SASL confusion
Hi Rob,

yes, I did follow this one and do have a SASL mapping. Is that really anything I need?

What about the configuration of saslauthd? For now I have the following configuration:

/etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
FLAGS

/usr/lib/sasl2/slapd.conf
mech_list: plain gssapi digest-md5 cram-md5 external
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab

SASL Mapping:
nssaslmapfiltertemplate: (uid=\1)
nssaslmapregexstring: \(.*\)@\(.*\)

Regards,
Johannes Hintermayer

On Thu, 2007-07-26 at 08:43 -0400, Rob Crittenden wrote:
> Hintermayer Johannes wrote:
> > Hi Marty and Rob,
> >
> > thanks for your answers.
> >
> > The FDS user indeed wasn't able to access /etc/krb5.keytab. After I
> > changed that, the error message changed to:
> >
> > [root@vafbds01 ~]# ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
> > ldap_initialize( <DEFAULT> )
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >         additional info: SASL(-14): authorization failure:
> >
> >
>
> Have you seen this: http://directory.fedoraproject.org/wiki/Howto:Kerberos
>
> rob
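The SASL mapping quoted in the message above (nssaslmapregexstring and nssaslmapfiltertemplate) is what turns an authenticated Kerberos principal into a directory entry; the "SASL(-14): authorization failure" earlier in the thread is what the server returns when that mapping yields no single entry. The following is an added example, not code from the thread or from FDS, that models the mapping step with the two attributes as posted; the base DN and the directory contents are constructed assumptions.

```python
import re

# Mapping attributes as posted in the thread (FDS uses POSIX basic-regex grouping).
SASL_MAP_REGEX = r"\(.*\)@\(.*\)"
SASL_MAP_FILTER_TEMPLATE = r"(uid=\1)"
# Assumed base DN template; the thread does not show nsSaslMapBaseDNTemplate.
SASL_MAP_BASE_DN_TEMPLATE = "ou=People,dc=afb,dc=lan"

# Constructed stand-in for the directory tree; not real data from the thread.
DIRECTORY = [
    {"dn": "uid=bsmith,ou=People,dc=afb,dc=lan", "uid": "bsmith"},
    {"dn": "uid=jdoe,ou=People,dc=afb,dc=lan", "uid": "jdoe"},
]


def posix_to_python_regex(pattern: str) -> str:
    """FDS writes groups as backslash-escaped parentheses; Python's re uses bare ones."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def map_sasl_identity(identity, regex=SASL_MAP_REGEX,
                      filter_tmpl=SASL_MAP_FILTER_TEMPLATE,
                      base_tmpl=SASL_MAP_BASE_DN_TEMPLATE):
    """Return (base_dn, search_filter) for an authenticated identity, or None
    when the identity does not match the mapping regex at all."""
    m = re.fullmatch(posix_to_python_regex(regex), identity)
    if m is None:
        return None

    def expand(template):
        # Replace \1, \2, ... in the template with the captured groups.
        return re.sub(r"\\(\d)", lambda g: m.group(int(g.group(1))), template)

    return expand(base_tmpl), expand(filter_tmpl)


def resolve_bind_dn(identity, directory=DIRECTORY):
    """Model the lookup the server does after mapping: the bind is authorized
    only if the filter matches exactly one entry under the base DN."""
    mapped = map_sasl_identity(identity)
    if mapped is None:
        return None
    base_dn, search_filter = mapped
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", search_filter).groups()
    hits = [e["dn"] for e in directory
            if e["dn"].endswith(base_dn) and e.get(attr) == value]
    return hits[0] if len(hits) == 1 else None  # 0 or >1 hits: authorization failure
```

Note that the posted regex captures the realm in \2 but the filter template never uses it, so a principal from any realm with the same user part maps to the same entry; a regex anchored to the expected realm (for example \(.*\)@AFB.LAN) restricts that.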