
SASL added principles to Kerberos cache but returned error.



Hi,

I just tested SASL 2.1.18, changing the host and service name to be the same name during the testing of the sample client and server; it actually added the new principals to the Kerberos cache (running Heimdal Kerberos 5, the latest version as I downloaded today).
klist showed that the following new principals had been added to the Kerberos cache:


root@fbsd [7:26pm] [...cyrus-sasl-2.1.18/sample]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: sam@ROCK.COM

  Issued           Expires          Principal
Jun  3 17:17:53  Jun  3 23:57:53  krbtgt/ROCK.COM@ROCK.COM
Jun  3 17:18:53  Jun  3 23:57:53  host/fbsd.rock.com@ROCK.COM
Jun  3 18:46:25  Jun  3 23:57:53  root/fbsd.rock.com@ROCK.COM
Jun  3 19:15:24  Jun  3 23:57:53  sam/fbsd.rock.com@ROCK.COM


The last three principals were added during the test of the sample client and server in Cyrus-sasl 2.1.18.
But the test still returned errors such as:
lt-sample-client: SASL Other: GSSAPI Error: A token was invalid (Unknown error: 0)
lt-sample-client: Performing SASL negotiation: generic failure


What should I do to fix this problem? I'm afraid this will bring in other problems when I further configure OpenLDAP.

Thanks
sam


The Shell wrote:

Hi,

I finally got GSSAPI compiled with SASL, but an error occurred when testing the sample client and server.
The klist command of Heimdal Kerberos 5 showed the following principals:
root@fbsd [5:13pm] [...cyrus-sasl-2.1.18/sample]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: sam@ROCK.COM

  Issued           Expires          Principal
Jun  3 17:17:53  Jun  3 23:57:53  krbtgt/ROCK.COM@ROCK.COM
Jun  3 17:18:53  Jun  3 23:57:53  host/fbsd.rock.com@ROCK.COM
root@fbsd [5:31pm] [...cyrus-sasl-2.1.18/sample]#


Message from the sample server:
./sample-server -s host -p ../plugins/.libs
.......
got 'GSSAPI'
Sending response...
S: YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREAEQM3hY7ovvFlIeYJwJOZzxv+NwWaQnhoHi6007SbsVDMiJfeHZpYU/PHelUTE6CwS46H8N10ObrvAAwKDzXXb2nIh0=


Waiting for client reply...
^C
root@fbsd [5:22pm] [...cyrus-sasl-2.1.18/sample]#

Message from sample client:
./sample-client -s host -n fbsd.rock.com -u root -p ../plugins/.libs
.....
C:
Waiting for server reply...
S: YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREAEQM3hY7ovvFlIeYJwJOZzxv+NwWaQnhoHi6007SbsVDMiJfeHZpYU/PHelUTE6CwS46H8N10ObrvAAwKDzXXb2nIh0=


recieved 110 byte message
lt-sample-client: SASL Other: GSSAPI Error: A token was invalid (Unknown error: 0)
lt-sample-client: Performing SASL negotiation: generic failure
root@fbsd [5:21pm] [...cyrus-sasl-2.1.18/sample]#


I'm using the latest version of Cyrus-sasl and Heimdal Kerberos on FreeBSD 5.2.1.
thanks
sam






eBSD4.9, the slave is openldap-2.1.22 on RH-7.3.

So, it looks like the master is sending LDIFs via slurpd to the slave, and the slave is refusing to make the modifications, possibly due to a hardcoded schema.


The slurpd reject file looks like this:

ERROR: entryCSN: no user modification allowed
replica: ldap:0
time: 1086269077.0
dn: uid=myuser,ou=radius,dc=mydomain,dc=com
changetype: modify
replace: userPassword
userPassword:: ********
-
replace: entryCSN
entryCSN: 2004060313:24:37Z#0x0001#0#0000
-
replace: modifiersName
modifiersName: uid=myadmin,dc=mydomain,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20040603132437Z


slurpd shows:

Initializing session to ldap:0
bind to ldap:0 as uid=myadmin,dc=mydomain,dc=com (simple)
request 1 done
replica ldap:0 - modify dn "uid=myuser,ou=radius,dc=mydomain,dc=com"
request 2 done
Error: ldap_modify_s failed modifying "entryCSN: no user modification allowed": uid=myuser,ou=radius,dc=domain,dc=com
Error: ldap operation failed, data written to "/var/db/openldap-slurp/replica/ldap:0.rej"




Have I missed something?  Is it obvious what's wrong?

Thanks,

Gavin
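An added example (not code from the thread or from OpenLDAP) that parses a slurpd reject record in the shape shown above and reports which modify operations target server-maintained operational attributes, the kind a replica refuses to let a client write. The sample record is constructed from the post, and the NO_USER_MOD attribute set is an assumption based on the core schema's NO-USER-MODIFICATION attributes.

```python
import re

# Constructed sample: one slurpd .rej record shaped like the one in the post.
SAMPLE_REJ = """ERROR: entryCSN: no user modification allowed
replica: ldap:0
time: 1086269077.0
dn: uid=myuser,ou=radius,dc=mydomain,dc=com
changetype: modify
replace: userPassword
userPassword:: ********
-
replace: entryCSN
entryCSN: 2004060313:24:37Z#0x0001#0#0000
-
replace: modifiersName
modifiersName: uid=myadmin,dc=mydomain,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20040603132437Z
"""

# Assumed set: operational attributes the server maintains itself (NO-USER-MODIFICATION),
# so a client write that includes them is rejected by the replica.
NO_USER_MOD = {"entrycsn", "modifiersname", "modifytimestamp",
               "creatorsname", "createtimestamp", "entryuuid"}

def parse_rej(text):
    """Return (header dict, list of (op, attribute) mods) for one reject record."""
    header, mods = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == "-":          # "-" separates the mods of one changerecord
            continue
        if line.startswith("ERROR:"):
            header["error"] = line[len("ERROR:"):].strip()
            continue
        m = re.match(r"^(add|replace|delete):\s*(\S+)$", line)
        if m:                                 # a mod header such as "replace: entryCSN"
            mods.append((m.group(1), m.group(2)))
            continue
        key, _, value = line.partition(":")   # attribute value lines and record header lines
        if key in ("replica", "time", "dn", "changetype"):
            header[key] = value.strip()
    return header, mods

def offending_mods(text):
    """Mods that target a server-maintained attribute and will be refused by the replica."""
    _, mods = parse_rej(text)
    return [(op, attr) for op, attr in mods if attr.lower() in NO_USER_MOD]

if __name__ == "__main__":
    header, _ = parse_rej(SAMPLE_REJ)
    print(header["dn"], "->", header["error"])
    for op, attr in offending_mods(SAMPLE_REJ):
        print(f"  {op} {attr}: server-maintained attribute, replica will refuse")
```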