
SASL/GSSAPI not working



I am getting an invalid credentials error when doing an ldapwhoami after
getting a Kerberos ticket.  Here is my setup:

OpenLDAP 2.2.6 compiled against Heimdal 0.6 with Cyrus-SASL 2.1.18 running
on Red Hat Enterprise Linux AS 3.0

The KDC is MIT Kerberos 1.3.2 also running on RHEL AS 3.0.


I have a principal called digant@KERB.UTA.EDU and principal for my ldap
server (ldap/omicron.kerb.uta.edu@KERB.UTA.EDU).  I can use kinit to get
tickets for both (using password for digant and the keytab file for the
ldap/omicron*).

But, when I get a ticket for digant and then use ldapwhoami, I am getting an
error "Invalid credentials (49)".

Here are the goodies from my slapd.conf file:

access to dn="" by * read
access to *
        by self write
        by users read
        by anonymous auth
 
database        bdb
suffix          "dc=uta,dc=edu"
rootdn          "cn=Root,dc=uta,dc=edu"
rootpw          {SSHA} (deleted)
 
sasl-secprops none
sasl-realm "KERB.UTA.EDU"
sasl-host labrador.uta.edu
sasl-regexp uid=(.*),cn=KERB.UTA.EDU,cn=gssapi,cn=auth
ldaps:///uid=$1,cn=people,dc=uta,dc=edu

Here is what "ktutil list" tells me:
FILE:/etc/sysconfig/krb5.keytab:
 
Vno  Type         Principal                               Key
  3  des-cbc-crc  ldap/omicron.kerb.uta.edu@KERB.UTA.EDU  ad80fd80b651496b


This is what the krb5kdc.log shows when I get my tickets:
Mar 23 18:02:22 labrador.uta.edu krb5kdc[11571](info): AS_REQ (6 etypes {16
5 23 3 2 1}) 129.107.56.202: ISSUE: authtime 1080086542, etypes {rep=3 tkt=1
ses=2}, digant@KERB.UTA.EDU for krbtgt/KERB.UTA.EDU@KERB.UTA.EDU
Mar 23 18:02:26 labrador.uta.edu krb5kdc[11571](info): TGS_REQ (6 etypes {16
5 23 3 2 1}) 129.107.56.202: ISSUE: authtime 1080086542, etypes {rep=2 tkt=1
ses=2}, digant@KERB.UTA.EDU for ldap/omicron.kerb.uta.edu@KERB.UTA.EDU


This is what "klist -v" tells me when I have got my tickets:
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: digant@KERB.UTA.EDU
    Cache version: 4
 
Server: krbtgt/KERB.UTA.EDU@KERB.UTA.EDU
Ticket etype: des-cbc-crc, kvno 1
Session key: des-cbc-md4
Auth time:  Mar 23 18:02:22 2004
End time:   Mar 24 00:40:47 2004
Ticket flags: initial
Addresses: IPv4:129.107.56.202
 
Server: ldap/omicron.kerb.uta.edu@KERB.UTA.EDU
Ticket etype: des-cbc-crc, kvno 3
Session key: des-cbc-md4
Auth time:  Mar 23 18:02:22 2004
Start time: Mar 23 18:02:26 2004
End time:   Mar 24 00:40:47 2004
Ticket flags: transited-policy-checked
Addresses: IPv4:129.107.56.202


And finally, this is my dump from slapd -d -1:
ldap_int_sasl_bind: LOGIN GSSAPI ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5
ldap_int_sasl_open: host=omicron.kerb.uta.edu
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 533 bytes to sd 3
ldap_write: want=533, written=533
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Mar 23 18:03:32 2004
 
** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 55 02 01 02 61 50 0a                            0U...aP.
ldap_read: want=79, got=79
  0000:  01 31 04 00 04 49 53 41  53 4c 28 2d 31 33 29 3a   .1...ISASL(-13):
  0010:  20 61 75 74 68 65 6e 74  69 63 61 74 69 6f 6e 20    authentication
  0020:  66 61 69 6c 75 72 65 3a  20 47 53 53 41 50 49 20   failure: GSSAPI
  0030:  46 61 69 6c 75 72 65 3a  20 67 73 73 5f 61 63 63   Failure: gss_acc
  0040:  65 70 74 5f 73 65 63 5f  63 6f 6e 74 65 78 74      ept_sec_context
ber_get_next: tag 0x30 len 85 contents:
ber_dump: buf=0x080565a8 ptr=0x080565a8 end=0x080565fd len=85
  0000:  02 01 02 61 50 0a 01 31  04 00 04 49 53 41 53 4c   ...aP..1...ISASL
  0010:  28 2d 31 33 29 3a 20 61  75 74 68 65 6e 74 69 63   (-13): authentic
  0020:  61 74 69 6f 6e 20 66 61  69 6c 75 72 65 3a 20 47   ation failure: G
  0030:  53 53 41 50 49 20 46 61  69 6c 75 72 65 3a 20 67   SSAPI Failure: g
  0040:  73 73 5f 61 63 63 65 70  74 5f 73 65 63 5f 63 6f   ss_accept_sec_co
  0050:  6e 74 65 78 74                                     ntext
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x080565a8 ptr=0x080565ab end=0x080565fd len=82
  0000:  61 50 0a 01 31 04 00 04  49 53 41 53 4c 28 2d 31   aP..1...ISASL(-1
  0010:  33 29 3a 20 61 75 74 68  65 6e 74 69 63 61 74 69   3): authenticati
  0020:  6f 6e 20 66 61 69 6c 75  72 65 3a 20 47 53 53 41   on failure: GSSA
  0030:  50 49 20 46 61 69 6c 75  72 65 3a 20 67 73 73 5f   PI Failure: gss_
  0040:  61 63 63 65 70 74 5f 73  65 63 5f 63 6f 6e 74 65   accept_sec_conte
  0050:  78 74                                              xt
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x080565a8 ptr=0x080565ab end=0x080565fd len=82
  0000:  61 50 0a 01 31 04 00 04  49 53 41 53 4c 28 2d 31   aP..1...ISASL(-1
  0010:  33 29 3a 20 61 75 74 68  65 6e 74 69 63 61 74 69   3): authenticati
  0020:  6f 6e 20 66 61 69 6c 75  72 65 3a 20 47 53 53 41   on failure: GSSA
  0030:  53 53 41 50 49 20 46 61  69 6c 75 72 65 3a 20 67   SSAPI Failure: g
  0040:  73 73 5f 61 63 63 65 70  74 5f 73 65 63 5f 63 6f   ss_accept_sec_co
  0050:  6e 74 65 78 74                                     ntext
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context



Any ideas?
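As an added illustration (not code from the post or from OpenLDAP), the two ldap_read lines in the dump above are a complete LDAPv3 BindResponse; the small BER decoder below, written here for this thread, walks that message to show where "Invalid credentials (49)" and the "additional info" text come from. The hex bytes are copied from the post's dump; the resultCode names are from RFC 4511.

```python
import re

# Hex columns copied from the two ldap_read lines of the post (constructed input):
# an LDAPMessage carrying the BindResponse that ldapwhoami reported as error 49.
DUMP_HEX = """
30 55 02 01 02 61 50 0a
01 31 04 00 04 49 53 41 53 4c 28 2d 31 33 29 3a
20 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20
66 61 69 6c 75 72 65 3a 20 47 53 53 41 50 49 20
46 61 69 6c 75 72 65 3a 20 67 73 73 5f 61 63 63
65 70 74 5f 73 65 63 5f 63 6f 6e 74 65 78 74
"""

# Bind-related LDAP resultCode values (RFC 4511, section 4.1.9).
RESULT_CODES = {0: "success", 14: "saslBindInProgress",
                48: "inappropriateAuthentication", 49: "invalidCredentials"}


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(data: bytes) -> dict:
    """Parse LDAPMessage { messageID, [APPLICATION 1] BindResponse }."""
    tag, msg, _ = read_tlv(data, 0)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    tag, msg_id, pos = read_tlv(msg, 0)
    assert tag == 0x02, "messageID must be an INTEGER"
    tag, body, _ = read_tlv(msg, pos)
    assert tag == 0x61, "expected BindResponse ([APPLICATION 1])"
    tag, code, pos = read_tlv(body, 0)          # ENUMERATED resultCode
    assert tag == 0x0A, "resultCode must be an ENUMERATED"
    _, matched_dn, pos = read_tlv(body, pos)    # LDAPDN matchedDN
    _, diag, _ = read_tlv(body, pos)            # diagnosticMessage = "additional info"
    rc = int.from_bytes(code, "big")
    return {"messageID": int.from_bytes(msg_id, "big"), "resultCode": rc,
            "name": RESULT_CODES.get(rc, "other"), "matchedDN": matched_dn.decode(),
            "diagnostic": diag.decode()}


def decode_dump(hex_text: str = DUMP_HEX) -> dict:
    """Strip the whitespace from a copied hex column and decode it."""
    return decode_bind_response(bytes.fromhex(re.sub(r"\s+", "", hex_text)))
```

Decoding the captured bytes yields messageID 2, resultCode 49 (invalidCredentials), an empty matchedDN and the diagnosticMessage that ldap_perror prints as "additional info"; the SASL(-13) text is generated on the server side, so the failure is in slapd's gss_accept_sec_context, not in the client's ticket acquisition.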