
slapd + gssapi/heimdal: using false realm in principal



Hello,

I am struggling with a Debian GNU/Linux (Lenny) system with

* slapd 2.4.11-1
* heimdal-kdc 1.2.dfsg.1-2.1
* libsasl2-modules-gssapi-heimdal 2.1.22.dfsg1-23

With this configuration:

/etc/ldap/slapd.conf:
# Kerberos Configuration
sasl-host       kerberos.lab.swapon.de
sasl-realm      LAB.SWAPON.DE

# Mapping Kerberos Authentication Identities
authz-regexp
        uid=([^,]*),cn=lab.swapon.de,cn=gssapi,cn=auth
        ldap:///ou=people,dc=lab,dc=swapon,dc=de??one?(&(uid=$1)(objectClass=person))

/etc/ldap/sasl2/slapd.conf:
mech_list:      GSSAPI
log_level:      7

Then I get a Kerberos ticket and run ldapsearch:

$ ldapsearch -H ldaps://ldap.lab.swapon.de/
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)

The slapd log file isn't very helpful:

slapd[11480]: conn=2 fd=14 ACCEPT from IP=[2001:6f8:12ec:11::389:fefe]:60487 (IP=[2001:6f8:12ec:11::389:fefe]:636)
slapd[11480]: conn=2 fd=14 TLS established tls_ssf=128 ssf=128
slapd[11480]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[11480]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
slapd[11480]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[11480]: conn=2 op=1 BIND dn="" method=163
slapd[11480]: SASL [conn=2] Failure: GSSAPI Error:  No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
slapd[11480]: conn=2 op=1 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error:  No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
slapd[11480]: conn=2 fd=14 closed (connection lost)

The KDC's log file is more interesting:

Authentication Server Request from slapd (successful):
14:37:13 AS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB.SWAPON.DE@LAB.SWAPON.DE
14:37:13 Client sent patypes: encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp
14:37:13 Looking for PKINIT pa-data -- host/reliant.lab.swapon.de@LAB.SWAPON.DE
14:37:13 Looking for ENC-TS pa-data -- host/reliant.lab.swapon.de@LAB.SWAPON.DE
14:37:13 ENC-TS Pre-authentication succeeded -- host/reliant.lab.swapon.de@LAB.SWAPON.DE using aes256-cts-hmac-sha1-96
14:37:13 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
14:37:13 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
14:37:13 AS-REQ authtime: 2009-04-27T14:37:13 starttime: unset endtime: 2009-04-28T00:37:13 renew till: unset
14:37:13 sending 670 bytes to IPv6:2001:6f8:12ec:11::88:fefe

Ticket Granting Server Request from slapd (fails):
14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for digest/LAB@LAB.SWAPON.DE [canonicalize]
14:37:13 Searching referral for LAB
14:37:13 Server not found in database: digest/LAB@LAB.SWAPON.DE: No such entry in the database
14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 sending 107 bytes to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB@LAB.SWAPON.DE
14:37:13 Server not found in database: krbtgt/LAB@LAB.SWAPON.DE: No such entry in the database
14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 sending 107 bytes to IPv6:2001:6f8:12ec:11::88:fefe

It's clear that this TGS-REQ is failing: the realm "LAB" in the principal
"krbtgt/LAB@LAB.SWAPON.DE" doesn't exist. Correct would be:
"krbtgt/LAB.SWAPON.DE@LAB.SWAPON.DE".

At present I have no clue how to fix this. Good ideas would be
appreciated.

Regards
Friedemann
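As an added example (not part of Friedemann's post or of any OpenLDAP/Heimdal code), the following script scans Heimdal KDC log lines of the format quoted above and flags failed TGS-REQs whose service principal carries a realm-shaped instance that is not a known realm, exactly the "krbtgt/LAB@LAB.SWAPON.DE" pattern seen here. It assumes the "TGS-REQ ... for ..." and "Server not found in database: ..." line formats as they appear in the excerpt; the rule that krbtgt/ and digest/ instances should name a realm is encoded as an assumption in REALM_INSTANCE_SERVICES, and the sample log is copied from the post's excerpt.

```python
"""Scan Heimdal KDC log lines for TGS-REQs that fail with
'Server not found in database' and whose service principal has a
realm-shaped instance (krbtgt/<REALM>, digest/<REALM>) naming a realm
the KDC does not know.  Added example; log formats assumed from the
excerpt in the post above, not from Heimdal documentation."""

import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# "HH:MM:SS TGS-REQ <client> from <addr> for <service> [flags]"
TGS_RE = re.compile(
    r'^(?P<time>\d\d:\d\d:\d\d) TGS-REQ (?P<client>\S+) from (?P<addr>\S+) '
    r'for (?P<service>\S+)(?: \[(?P<flags>[^\]]*)\])?$'
)
# "HH:MM:SS Server not found in database: <principal>: <reason>"
NOTFOUND_RE = re.compile(
    r'^(?P<time>\d\d:\d\d:\d\d) Server not found in database: '
    r'(?P<princ>\S+?): '
)

# Assumption: for these services the instance component is itself a realm
# name (krbtgt/<REALM> for TGTs, digest/<REALM> for Heimdal's digest API).
REALM_INSTANCE_SERVICES = {'krbtgt', 'digest'}


@dataclass
class Principal:
    primary: str
    instance: Optional[str]
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'primary/instance@REALM' into its components."""
    name, sep, realm = text.rpartition('@')
    if not sep:                       # no '@' at all: whole string is the name
        name, realm = text, ''
    primary, _, instance = name.partition('/')
    return Principal(primary, instance or None, realm)


def expected_principal(p: Principal) -> str:
    """Suggested form: the instance should be the ticket's own realm."""
    return f"{p.primary}/{p.realm}@{p.realm}"


def scan(lines: List[str], known_realms: Set[str]) -> List[Tuple[str, str]]:
    """Return (requested principal, suggested principal) for every TGS-REQ
    that the KDC answered with 'Server not found' and whose instance is a
    realm-shaped component not in known_realms."""
    findings = []
    pending = None                    # service of the most recent TGS-REQ
    for line in lines:
        m = TGS_RE.match(line)
        if m:
            pending = m.group('service')
            continue
        m = NOTFOUND_RE.match(line)
        if m and pending and m.group('princ') == pending:
            p = parse_principal(pending)
            if p.primary in REALM_INSTANCE_SERVICES and p.instance not in known_realms:
                findings.append((pending, expected_principal(p)))
            pending = None
    return findings


# Sample input: the failing TGS-REQ lines copied from the post's KDC log.
SAMPLE_LOG = [
    "14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for digest/LAB@LAB.SWAPON.DE [canonicalize]",
    "14:37:13 Searching referral for LAB",
    "14:37:13 Server not found in database: digest/LAB@LAB.SWAPON.DE: No such entry in the database",
    "14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe",
    "14:37:13 sending 107 bytes to IPv6:2001:6f8:12ec:11::88:fefe",
    "14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB@LAB.SWAPON.DE",
    "14:37:13 Server not found in database: krbtgt/LAB@LAB.SWAPON.DE: No such entry in the database",
    "14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe",
    "14:37:13 sending 107 bytes to IPv6:2001:6f8:12ec:11::88:fefe",
]

if __name__ == "__main__":
    for requested, suggested in scan(SAMPLE_LOG, {'LAB.SWAPON.DE'}):
        print(f"bad realm instance: {requested}  (expected {suggested})")
```

Feed it the KDC log and the set of realms the KDC actually serves (plus any cross-realm partners, so legitimate krbtgt/OTHER.REALM requests are not reported); each finding names the requested principal and the form the instance would need to take for the KDC to find it.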