MJD Shop Account
2007-Jul-25 19:11 UTC
Re: [Fedora-directory-users] FDS, Kerberos, SASL confusion
>#klist >Ticket cache: FILE:/tmp/krb5cc_0 >Default principal: bsmith@AFB.LAN > >#ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -vNo credentials?? or did you just edit out the result of klist? You should see at the very least a ticket-granting ticket>2. Do I need a host principal for every client? >This I am pretty sure is a ''yes you do'' -Marty
Hintermayer Johannes
2007-Jul-26 06:44 UTC
Re: [Fedora-directory-users] FDS, Kerberos, SASL confusion
Hi Marty and Rob,
thanks for your answers.
The FDS user indeed wasn''t able to access /etc/krb5.keytab. After I
changed that, the error message changed to:
[root@vafbds01 ~]# ldapsearch -Y GSSAPI -D
"uid=bsmith,ou=People,dc=afb,dc=lan" -v
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-14): authorization failure:
My klist is as follows:
[root@vafbds01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith@AFB.LAN
Valid starting Expires Service principal
07/26/07 08:35:05 07/27/07 08:33:33 krbtgt/AFB.LAN@AFB.LAN
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
After that it changes to
[root@vafbds01 tmp]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith@AFB.LAN
Valid starting Expires Service principal
07/26/07 08:41:36 07/27/07 08:39:33 krbtgt/AFB.LAN@AFB.LAN
07/26/07 08:41:40 07/27/07 08:39:33 ldap/vafbds01.afb.lan@AFB.LAN
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
So, at least I do get a ticket for ldap.
When I run "kinit bsmith" I get the following log message on my
Kerberos
Server:
Jul 26 08:35:05 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431705, etypes {rep=16 tkt=16 ses=16},
bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN
Jul 26 08:35:05 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431705, etypes {rep=16 tkt=16 ses=16},
bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN
When I run "testsaslauthd -s ldap -u bsmith -p letmein" I see the
following log entries:
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16},
bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16},
bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16},
bsmith@AFB.LAN for host/vafbds01.afb.lan@AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23 1
3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16},
bsmith@AFB.LAN for host/vafbds01.afb.lan@AFB.LAN
How do I have to set the password for the user bsmith in FDS?
The current setting is: {SASL}bmsith@AFB.LAN
Is that correct?
Regards,
Johannes Hintermayer
On Wed, 2007-07-25 at 15:11 -0400, MJD Shop Account
wrote:>
> >#klist
> >Ticket cache: FILE:/tmp/krb5cc_0
> >Default principal: bsmith@AFB.LAN
> >
> >#ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan"
-v
>
> No credentials?? or did you just edit out the result of klist? You should
see at the very least a ticket-granting ticket
>
> >2. Do I need a host principal for every client?
> >
>
> This I am pretty sure is a ''yes you do''
>
>
> -Marty
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Rob Crittenden
2007-Jul-26 12:43 UTC
Re: [Fedora-directory-users] FDS, Kerberos, SASL confusion
Hintermayer Johannes wrote:> Hi Marty and Rob, > > thanks for your answers. > > The FDS user indeed wasn''t able to access /etc/krb5.keytab. After I > changed that, the error message changed to: > > [root@vafbds01 ~]# ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v > ldap_initialize( <DEFAULT> ) > SASL/GSSAPI authentication started > ldap_sasl_interactive_bind_s: Invalid credentials (49) > additional info: SASL(-14): authorization failure: > >Have you seen this: http://directory.fedoraproject.org/wiki/Howto:Kerberos rob
Hintermayer Johannes
2007-Jul-26 13:04 UTC
Re: [Fedora-directory-users] FDS, Kerberos, SASL confusion
Hi Rob, yes,I did follow this one and do have a SASL mapping. Is that really anything I need? What about the configuration of saslauthd? For now I have the following configuration: /etc/sysconfig/saslauthd SOCKETDIR=/var/run/saslauthd MECH=kerberos5 FLAGS /usr/lib/sasl2/slapd.conf mech_list: plain gssapi digest-md5 cram-md5 external pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux keytab: /etc/krb5.keytab SASL Mapping: nssaslmapfiltertemplate: (uid=\1) nssaslmapregexstring: \(.*\)@\(.*\) Regards, Johannes Hintermayer On Thu, 2007-07-26 at 08:43 -0400, Rob Crittenden wrote:> Hintermayer Johannes wrote: > > Hi Marty and Rob, > > > > thanks for your answers. > > > > The FDS user indeed wasn''t able to access /etc/krb5.keytab. After I > > changed that, the error message changed to: > > > > [root@vafbds01 ~]# ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v > > ldap_initialize( <DEFAULT> ) > > SASL/GSSAPI authentication started > > ldap_sasl_interactive_bind_s: Invalid credentials (49) > > additional info: SASL(-14): authorization failure: > > > > > > Have you seen this: http://directory.fedoraproject.org/wiki/Howto:Kerberos > > rob > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users