
Authenticating against Windows servers using SASL

At the moment I am working on an LDAP proof of concept.  This is on
OpenLDAP version 2.1.30-3 running on Debian unstable.

Since I am unable to get at the original user passwords, I would like to
compare them against our Windows infrastructure which does have access
to them.  Something like:

	Each ldap record has a "userPassword: {sasl}st81418@internal.domain.org"
	LDAP server -> SASL libraries -> Kerberos -> Windows 2003 servers

I am having some problems with Kerberos, using the SASL libraries to
authenticate against Active Directory.

Here's what works:

kinit: reads /etc/krb5.conf fine and will get a ticket from Windows.
klist: shows the ticket

and what fails:

testsaslauthd -u mywindowsusername -p mypasswordhere
0: NO "authentication failed"

When I do a tcpdump of the testsaslauthd run, I receive a Kerberos error 7: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Do I need to set up anything on the Windows servers to be able to compare
usernames and passwords against them?

Here are some of the details about my config if anyone can help.

saslauthd is running with:

	/usr/sbin/saslauthd -r -a kerberos5

/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = INTERNAL.DOMAIN.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
 forwardable = true

[realms]
 INTERNAL.DOMAIN.ORG = {
  kdc = gvw001.internal.domain.org:88
  admin_server = gvw001.internal.domain.org:749
  kpasswd_server = gvw001.internal.domain.org:464
  default_domain = internal.domain.org
  master_key_type = des3-hmac-sha1
  supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des3-hmac-sha1:norealm des3-hmac-sha1:onlyrealm
  default_principal_flags = +preauth, +tgt-based
 }

[domain_realm]
 .domain.org = INTERNAL.DOMAIN.ORG
 .internal.domain.org = INTERNAL.DOMAIN.ORG
 .somethingelse.internal.domain.org = INTERNAL.DOMAIN.ORG

[kdc]
 profile = /etc/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Simon Tennant ________________ http://imaginator.com/~simon/contact
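As an added example (not code from the original post, from Cyrus SASL or from MIT Kerberos), here is a small Python checker for a krb5.conf of the shape shown in the post. It parses the file, reports which realm and which KDC a host name is routed to under the [domain_realm] and [realms] entries (with dns_lookup_kdc = false, a realm without a kdc line cannot be reached at all), and flags the encryption types the file pins. The embedded configuration is constructed from the one in the post with its section headers restored; gvw001.internal.domain.org and INTERNAL.DOMAIN.ORG are the post's own placeholder names, and the domain_realm lookup is a simplified version of what libkrb5 does.

```python
"""Parse a krb5.conf and report KDC routing and pinned enctypes. Added example,
not code from the post, Cyrus SASL or MIT Kerberos; SAMPLE_KRB5_CONF is built
from the post's config (section headers restored) with its placeholder names."""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = INTERNAL.DOMAIN.ORG
 dns_lookup_kdc = false
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5

[realms]
 INTERNAL.DOMAIN.ORG = {
  kdc = gvw001.internal.domain.org:88
  master_key_type = des3-hmac-sha1
  supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal
 }

[domain_realm]
 .internal.domain.org = INTERNAL.DOMAIN.ORG
"""

def parse_krb5_conf(text):
    """{section: {key: value}}; `name = { ... }` sub-blocks nest one level and
    repeated keys (several `kdc =` lines) become a list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                               # [section]
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":                          # end of sub-block
            block = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            raise ValueError(f"malformed line: {line!r}")
        if value == "{":                         # start of sub-block
            block = section.setdefault(key, {})
            continue
        target = section if block is None else block
        if key in target and not isinstance(target[key], dict):
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    if block is not None:
        raise ValueError("unterminated '{' block")
    return conf

def realm_for_host(conf, hostname):
    """Simplified [domain_realm] lookup: exact host, longest '.parent' entry, else default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")

def kdc_for_realm(conf, realm):
    """KDC host:port list; with dns_lookup_kdc = false (as in the post) a realm needs a kdc line."""
    entry = conf.get("realms", {}).get(realm, {})
    kdcs = entry.get("kdc", []) if isinstance(entry, dict) else []
    kdcs = kdcs if isinstance(kdcs, list) else [kdcs]
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower()
    if not kdcs and dns not in ("true", "yes", "1"):
        raise LookupError(f"no kdc for {realm} and dns_lookup_kdc is off")
    return kdcs

def weak_enctype_findings(conf):
    """Flag single DES (broken; off by default in current MIT, Heimdal, AD) and RC4/3DES (RFC 8429)."""
    findings = []
    def scan(where, key, value):
        for enc in str(value).replace(",", " ").split():
            name = enc.split(":", 1)[0].lower()      # drop salt type ':normal'
            if name.startswith("des-"):
                findings.append((where, key, enc, "single DES: broken"))
            elif name.startswith(("des3", "arcfour", "rc4")):
                findings.append((where, key, enc, "deprecated by RFC 8429"))
    libdefaults = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        if key in libdefaults:
            scan("libdefaults", key, libdefaults[key])
    for realm, entry in conf.get("realms", {}).items():
        for key in ("master_key_type", "supported_enctypes"):  # KDC-side keys
            if isinstance(entry, dict) and key in entry:
                scan(f"realms/{realm}", key, entry[key])
    return findings
```

Pass the contents of a real /etc/krb5.conf to parse_krb5_conf() to run the same checks on it. The enctype report is the caveat a reviewer would raise on the configuration above: default_tkt_enctypes = des-cbc-md5 pins the client to single DES, and master_key_type / supported_enctypes are settings for a KDC rather than for a client library, so even once the unknown-principal error is resolved the encryption types in this file will need attention before the setup is used beyond a proof of concept.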