
krb5 auth problems

I have an openLDAP 2.1.12 server running on a Sun Solaris 8 system configured with following packages:

krb5 v1.2.7
cyrus-sasl v2.1.10
openssl 0.9.6h

When I'm on the server, ldapsearch, etc. work fine. I still have a couple of config problems somewhere because I can't get it to pull user info from LDAP, but that's another problem....

The current point of confusion deals with the concept of 'proxyuser' and 'binddn'. I have a RedHat 8.0 test client where I'm trying to set it up to get account info from the LDAP server. I have Kerberos working fine. I can kinit as a user in the krb realm (and not local on the system) and I can get an ldap ticket in addition to the krbtgt ticket. What I can't do is log in to the system as the user in LDAP. Here are the messages output when I try to log in:

Feb 19 19:29:12 jag gdm[946]: nss_ldap: reconnecting to LDAP server...
Feb 19 19:29:12 jag gdm[946]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
Feb 19 19:29:14 jag gdm(pam_unix)[946]: check pass; user unknown
Feb 19 19:29:14 jag gdm(pam_unix)[946]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
Feb 19 19:29:14 jag gdm-binary[946]: pam_krb5: unable to determine uid/gid for user
Feb 19 19:29:14 jag gdm-binary[946]: pam_krb5: authentication fails for `mauzy'
Feb 19 19:29:14 jag gdm-binary[946]: pam_ldap: error trying to bind as user "uid=mauzy,ou=People,dc=amath,dc=unc,dc=edu" (Invalid credentials)
Feb 19 19:29:16 jag gdm-binary[946]: Couldn't authenticate user

The DN listed above is valid and exists in LDAP. Is this a problem because I don't have the binddn and ldap.secret entries? What's the point of having KRB5 encryption if I have a clear text password sitting on the system?

My ldif file for my user account looks like:
		dn: uid=mauzy,ou=People,dc=amath,dc=unc,dc=edu
		uid: mauzy
		cn: Matthew Mauzy
		givenname: Matthew
		sn: Mauzy
		mail: mauzy@amath.unc.edu
		objectClass: person
		objectClass: organizationalPerson
		objectClass: inetOrgPerson
		objectClass: posixAccount
		objectClass: top
		objectClass: krb5Principal
		userPassword: {kerberos} mauzy@AMATH.UNC.EDU
		krb5PrincipalName: mauzy@AMATH.UNC.EDU
		loginShell: /usr/local/bin/tcsh
		homeDirectory: /home/mauzy

Am I missing other krb relevant info?

Second problem (and I assume related). When on the RedHat client, ldapsearches fail with the following error:

[root]# ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials
additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

Doing simple binds with the '-x' flag work fine. I thought it was a certificate problem with ssl/tls but I think I've ruled that out.

                       Matthew W. Mauzy
                     Systems Administrator
                     Applied Math @ UNC-CH
email : mauzy@amath.unc.edu           pager : mpager@amath.unc.edu
(W) 919.962.9819   www.amath.unc.edu/~mauzy/   (P) 919.347.0390
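An added diagnostic check, not part of the message above: nss_ldap can only resolve a login name to a uid/gid from the attributes that the posixAccount object class requires (RFC 2307 lists cn, uid, uidNumber, gidNumber and homeDirectory as MUST), so a small LDIF validator that reports missing MUST attributes is a quick way to rule that out before chasing the Kerberos side. The script below is example code; MUST_ATTRS is a hand-written subset of the schema, and SAMPLE_LDIF is the entry quoted in the message, re-typed as constructed test data.

```python
from typing import Dict, List, Set

# Hand-written subset of the schema: MUST attributes per object class
# (posixAccount from RFC 2307, person from RFC 2256). Names are lowercased
# because LDAP attribute names are case-insensitive.
MUST_ATTRS = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "person": {"sn", "cn"},
}

# Constructed sample: the user entry from the message above.
SAMPLE_LDIF = """dn: uid=mauzy,ou=People,dc=amath,dc=unc,dc=edu
uid: mauzy
cn: Matthew Mauzy
givenname: Matthew
sn: Mauzy
mail: mauzy@amath.unc.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
userPassword: {kerberos} mauzy@AMATH.UNC.EDU
krb5PrincipalName: mauzy@AMATH.UNC.EDU
loginShell: /usr/local/bin/tcsh
homeDirectory: /home/mauzy
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: unfolds continuation lines (leading space),
    skips comments, splits entries on blank lines. Base64 (::) values are
    kept verbatim rather than decoded, which is enough for this check."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def missing_must_attrs(entry: Dict[str, List[str]]) -> Set[str]:
    """Return the lowercased MUST attributes absent from one parsed entry."""
    required: Set[str] = set()
    for oc in entry.get("objectclass", []):
        required |= MUST_ATTRS.get(oc.lower(), set())
    return {attr for attr in required if attr not in entry}

def check_ldif(text: str) -> Dict[str, Set[str]]:
    """Map each DN in the LDIF text to its set of missing MUST attributes."""
    return {e["dn"][0]: missing_must_attrs(e) for e in parse_ldif(text)}
```

Run on the sample entry, check_ldif reports uidnumber and gidnumber missing, which is consistent with the "unable to determine uid/gid for user" line in the log.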