
Re: Trying to get passthrough auth working with OpenLDAP and Kerberos



Chastity Blackwell wrote:
On Thu, 2012-01-26 at 18:40 -0500, Howard Chu wrote:
Does kinit work for your chas@KRBTEST user? Judging from what you've pasted
here, I don't think it should. Get your basic Kerberos installation working
first. Take things one step at a time.

It does:

[chas@ldapsandbox log]$ ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (Unknown code krb5
195)
[chas@ldapsandbox log]$ kinit chas
Password for chas@KRBTEST:
[chas@ldapsandbox log]$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: chas@KRBTEST
SASL SSF: 56
SASL installing layers
dn:uid=chas,ou=people,dc=test,dc=com
Result: Success (0)
[chas@ldapsandbox log]$

As I said, I think Kerberos and LDAP are all working on their own...it's
the combination of the two doing the SASL passthrough that is
confounding me.

Seems like it's working for the wrong reasons, then. Your krb5.conf:

[libdefaults]
 default_realm = KRBTEST
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 AKTEST = {
  kdc = ldapsandbox.test.com:88
  admin_server = ldapsandbox.test.com:749
  default_domain = test.com
}

[domain_realm]
 .agkn.net = KRBTEST
 agkn.net = KRBTEST

You defined a kdc for an "AKTEST" realm; you don't actually have any kdc defined for the "KRBTEST" realm so kinit should be failing.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
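The realm mismatch Howard points out (a `[realms]` entry for AKTEST, while `default_realm` and `[domain_realm]` both name KRBTEST) is the kind of inconsistency a small lint pass catches before anyone starts debugging the SASL passthrough layer. The following is an added example, not code from the thread, from OpenLDAP or from MIT Kerberos: a minimal krb5.conf parser and cross-reference check in Python, run over the configuration quoted above as constructed sample input, and over a corrected copy with the realm block renamed to KRBTEST. The parser only handles the subset of krb5.conf syntax shown in the thread (sections, `key = value`, one level of braces) and is an assumption for illustration, not an implementation of the full profile format.

```python
"""Cross-check realm references in a krb5.conf (added example, not from the thread)."""
import re
from typing import Dict, List, Union

# Constructed sample input: the krb5.conf quoted in the thread above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = KRBTEST
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 AKTEST = {
  kdc = ldapsandbox.test.com:88
  admin_server = ldapsandbox.test.com:749
  default_domain = test.com
}

[domain_realm]
 .agkn.net = KRBTEST
 agkn.net = KRBTEST
"""

# Corrected copy: the realm block is renamed so it matches default_realm.
FIXED_KRB5_CONF = SAMPLE_KRB5_CONF.replace("AKTEST", "KRBTEST")

Section = Dict[str, Union[List[str], "Section"]]


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Parse the subset of krb5.conf syntax used above (assumption: no includes,
    no quoting, at most one level of `key = { ... }` nesting).

    Scalar keys map to a list of values (a realm may list several kdc lines);
    a `key = {` opens a nested dict that is closed by a bare `}`.
    """
    sections: Dict[str, Section] = {}
    stack: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        header = re.match(r"^\[([\w.-]+)\]$", line)
        if header:
            section: Section = sections.setdefault(header.group(1), {})
            stack = [section]
            continue
        if not stack:
            raise ValueError(f"directive before any section header: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        kv = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not kv:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":
            block: Section = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)  # type: ignore[union-attr]
    return sections


def check_realms(conf: Dict[str, Section]) -> List[str]:
    """Return human-readable findings about realm references.

    A realm named by default_realm or by a [domain_realm] mapping must have a
    [realms] entry with a kdc unless dns_lookup_kdc is enabled (MIT's default
    is true, so an explicit 'false' is what makes the missing entry fatal).
    A [realms] entry nobody refers to is reported as a likely typo.
    """
    findings: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    referenced = set()
    default_realm = libdefaults.get("default_realm")
    if isinstance(default_realm, list) and default_realm:
        referenced.add(default_realm[-1])  # last value wins, as in krb5
    for target in conf.get("domain_realm", {}).values():
        if isinstance(target, list):
            referenced.update(target)

    dns_setting = libdefaults.get("dns_lookup_kdc", ["true"])
    dns_kdc = isinstance(dns_setting, list) and dns_setting[-1].lower() in ("true", "yes", "1")

    for realm in sorted(referenced):
        entry = realms.get(realm)
        if not isinstance(entry, dict):
            msg = f"realm {realm} is referenced but has no [realms] entry"
            if not dns_kdc:
                msg += "; dns_lookup_kdc is false, so kinit cannot locate a KDC for it"
            findings.append(msg)
        elif "kdc" not in entry and not dns_kdc:
            findings.append(f"realm {realm} has a [realms] entry but no kdc line and dns_lookup_kdc is false")
    for realm in sorted(realms):
        if realm not in referenced:
            findings.append(f"realm {realm} is defined in [realms] but never referenced")
    return findings


if __name__ == "__main__":
    for label, text in (("quoted config", SAMPLE_KRB5_CONF), ("corrected config", FIXED_KRB5_CONF)):
        print(f"== {label} ==")
        for finding in check_realms(parse_krb5_conf(text)) or ["no findings"]:
            print(" ", finding)
```

On the quoted configuration the checker reports KRBTEST as referenced without a `[realms]` entry and AKTEST as defined but unreferenced; after renaming the block to KRBTEST it reports nothing. The `dns_lookup_kdc` handling matters for interpreting the result: with DNS lookups enabled a missing `[realms]` entry can still resolve via SRV records, so only the explicit `false` in this file makes the omission a hard failure.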