
Re: Authenticating against windows servers using SASL



At 05:28 AM 1/27/2005, Simon Tennant wrote:
>At the moment I am work on an LDAP proof of concept.  This is on
>OpenLDAP Version: 2.1.30-3 running on Debian unstable.

2.1 is Historic.  You should consider upgrading to 2.2.

I note that the failures you have below have little to do
with OpenLDAP Software, but with underlying software supporting
this authentication.  You should resolve the underlying problems
before attempting to get OpenLDAP Software to work.

>Since I am unable to get at the original user passwords, I would like to
>compare them against our Windows infrastructure which does have access
>to them.  Something like:
>
>        Each ldap record has a "userPassword: {sasl}st81418@internal.domain.org"
>        LDAP server -> SASL libraries -> Kerberos -> Windows 2003 servers
>
>I am having some problems with Kerberos, using the SASL libraries to
>authenticate against Active Directory.
>
>Here's what works:
>
>kinit: reads /etc/krb5.conf fine and will get a ticket from Windows.
>klist: shows the ticket
>
>and what fails:
>
>testsaslauthd -u mywindowsusername -p mypasswordhere
>0: NO "authentication failed"

You should get this working first.  Use the Cyrus SASL mailing
list for support as needed.

>When I do a tcpdump of the testsaslauthd, I receive a Kerberos error 7: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Likely before you try to get Cyrus SASL working, you should
try to get Kerberos working.  Use a list supporting your
Kerberos implementation for support.


>Do I need to setup anything on the windows servers to be able to compare
>usernames and passwords against them?

You should direct that question to a Microsoft forum.

>Here's some of the details about my config if anyone can help.
>
>saslauthd is running with:
>
>        /usr/sbin/saslauthd -r -a kerberos5
>
>/usr/lib/sasl2/slapd.conf
>
>        pwcheck_method:saslauthd
>        saslauthd_path:/var/run/saslauthd/mux
>
>/etc/krb5.conf
>
>[logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
>[libdefaults]
> ticket_lifetime = 24000
> default_realm = INTERNAL.DOMAIN.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = false
> default_tkt_enctypes = des-cbc-md5
> default_tgs_enctypes = des-cbc-md5
> forwardable = true
>
>[realms]
> INTERNAL.DOMAIN.ORG = {
>  kdc = gvw001.internal.domain.org:88
>  admin_server = gvw001.internal.domain.org:749
>  kpasswd_server = gvw001.internal.domain.org:464
>  default_domain = internal.domain.org
>  master_key_type = des3-hmac-sha1
>  supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des3-hmac-sha1:norealm des3-hmac-sha1:onlyrealm
>  default_principal_flags = +preauth, +tgt-based
>}
>
>[domain_realm]
> .domain.org = INTERNAL.DOMAIN.ORG
> .internal.domain.org = INTERNAL.DOMAIN.ORG
> .somethingelse.internal.domain.org = INTERNAL.DOMAIN.ORG
>
>[kdc]
> profile = /etc/krb5kdc/kdc.conf
>
>[appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
> }
>
>Simon.
>
>-- 
>Simon Tennant ________________ http://imaginator.com/~simon/contact
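Two things stand out in the krb5.conf quoted in the question that a quick audit would catch before touching saslauthd or slapd: the client is pinned to single-DES enctypes (weak, and a frequent cause of enctype mismatches against an Active Directory KDC, which issues RC4-HMAC by default unless an account is explicitly flagged for DES), and the [realms] stanza carries master_key_type, supported_enctypes and default_principal_flags, which are kdc.conf settings the client library never reads. The script below is an added example, not code from the thread or from OpenLDAP or Cyrus SASL: it parses a constructed excerpt of that krb5.conf (one nesting level of `{ }` blocks) and reports both problems.

```python
import re

# Constructed excerpt of the krb5.conf posted in the question (realm names as in the post)
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = INTERNAL.DOMAIN.ORG
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
[realms]
 INTERNAL.DOMAIN.ORG = {
  kdc = gvw001.internal.domain.org:88
  master_key_type = des3-hmac-sha1
  supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal
  default_principal_flags = +preauth, +tgt-based
 }
"""

SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des"}
KDC_ONLY_KEYS = {"master_key_type", "supported_enctypes", "default_principal_flags"}  # kdc.conf [realms] keys; libkrb5 on a client ignores them

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; a 'key = {' line opens a nested dict."""
    conf, section, block = {}, {}, None  # lines before the first [section] land in a scratch dict
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        key, _, value = (part.strip() for part in line.partition("="))
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None  # close the current nested block
        elif value == "{":
            block = section.setdefault(key, {})
        else:
            (block if block is not None else section)[key] = value
    return conf

def audit(conf):
    """Return findings: enctype lists limited to single DES, and KDC-only keys in [realms]."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        enctypes = set(libdefaults.get(key, "").split())
        if enctypes and enctypes <= SINGLE_DES:
            findings.append(f"{key} allows only single DES ({' '.join(sorted(enctypes))})")
    for realm, settings in conf.get("realms", {}).items():
        for key in sorted(KDC_ONLY_KEYS & set(settings)):
            findings.append(f"realm {realm}: {key} is a kdc.conf setting, not read by the client library")
    return findings
```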