[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap/Sasl/GSSAPI on Debian: Key table entry not found

To: openldap-technical@openldap.org
Subject: Re: Openldap/Sasl/GSSAPI on Debian: Key table entry not found
From: Toomas Vendelin <toomas.pfx@gmail.com>
Date: Wed, 18 Jan 2012 11:06:45 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=yBwriMDW9vy0x+wqVohg3N/FefUTzvpRy/FqFMZ7zCQ=; b=rmHbTXaSpmJk0RM69LpTdYg0MwLIbreiyV1VvgVRhinIGqbab4GqieeUuxxR9pXJAf +wbdVN7bWmYlZDXCLHApaFAH/3J2qpENtYGgqW1BOKhwJxhtD/1kmI2ju+UEwX4toSOs RbW/lMZ8I67y0pRZykHauSPBfgcrCoiwcPhe4=
In-reply-to: <20120117201620.GD3348@dan.olp.net>
References: <CA+92H_-DJXO4pLJg43PdTb6UCVRPmaW1hRAVrdE2xS=vzDtJhw@mail.gmail.com> <20120117201620.GD3348@dan.olp.net>

Thank you, Dan!

Indeed, setting
olcSaslHost: ldap.example.com

instead of
olcSaslHost: kdc.example.com

solves the issue.

Now, when I look back for what caused me this hiccup, this has come to
my attention:
- in slapd-config(5):
olcSaslHost: <fqdn>
    Used to specify the fully qualified domain name used for SASL processing.

... the description looks somewhat ambiguous to me. It would be less
confusion, if it were "Host running a LDAP server" or similar. Or
perhaps just warning of a possible pitfall - my five cents :).

And, of course, the Ubuntu tutorial page, that was plain whong, saying:
"#The FQDN of the Kerberos KDC.
olcSaslHost: kerberos.example.com"

at https://help.ubuntu.com/community/OpenLDAPServer#Kerberos_Authentication

But again, many thanks for a quick and helpful response!

Toomas

On Tue, Jan 17, 2012 at 10:16 PM, Dan White <dwhite@olp.net> wrote:
> On 01/17/12 21:45 +0200, Toomas Vendelin wrote:
>>
>> The goal: to make an OpenLDAP server to authenticate using Kerberos V via
>> GSSAPI
>>
>> Setup: several virtual machines running on freshly installed/updated
>> Debian Squeeze
>>
>> A master KDC server
>>
>> kdc.example.com
>>
>> A LDAP server, running OpenLDAP
>>
>> ldap.example.com
>>
>> The problem:
>>
>> tom@ldap:~$ ldapsearch -b 'dc=example,dc=com'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error
>> (80)
>>   additional info: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information (Key
>> table entry not found)
>>
>> One might suggest to add that keytab entry, but:
>>
>> ktutil:  rkt /etc/ldap/ldap.keytab
>> ktutil:  list
>> slot KVNO Principal
>> ---- ----
>> ---------------------------------------------------------------------
>>  1    2        ldap/ldap.example.com@EXAMPLE.COM
>>  2    2        ldap/ldap.example.com@EXAMPLE.COM
>>  3    2        ldap/ldap.example.com@EXAMPLE.COM
>>  4    2        ldap/ldap.example.com@EXAMPLE.COM
>>
>> So, the entry as suggested by the OpenLDAP manual is there allright.
>> Deleting and re-creating both service principal and the keytab on
>> ldap.example.com didn't help, I get the same error. And before I make
>> the keytab file readable by openldap, I get "Permission denied" error
>> instead of the one in the subject. Which implies that the right keytab
>> file is being accessed, as set in /etc/default/slapd.
>>
>> I have my doubts about the following part of slapd config:
>>
>> root@ldap:~# cat /etc/ldap/slapd.d/cn\=config.ldif | grep -v "^#"
>> dn: cn=config
>> objectClass: olcGlobal
>> cn: config
>> olcArgsFile: /var/run/slapd/slapd.args
>> olcLogLevel: 256
>> olcPidFile: /var/run/slapd/slapd.pid
>> olcToolThreads: 1
>> structuralObjectClass: olcGlobal
>> entryUUID: d6737f5c-d321-1030-9dbe-27d2a7751e11
>> olcSaslHost: kdc.example.com
>
>
> I think you'll find that libsasl2 is searching for ldap/kdc.example.com in
> your credentials cache. Try changing this to:
>
> olcSaslHost: ldap.example.com
>
>
>> olcSaslRealm: EXAMPLE.COM
>> olcSaslSecProps: noplain,noactive,noanonymous,minssf=56
>> olcAuthzRegexp: {0}"uid=([^/]*),cn=EXAMPLE.COM,cn=GSSAPI,cn=auth"
>> "uid=$1,ou=People,dc=example,dc=com"
>> olcAuthzRegexp:
>> {1}"uid=host/([^/]*).example.com,cn=example.com,cn=gssapi,cn=auth"
>> "cn=$1,ou=hosts,dc=example,dc=com"
>>
>> A HOWTO at
>> https://help.ubuntu.com/community/OpenLDAPServer#Kerberos_Authentication
>> mentiones:
>>
>>   Also, it is frequently necessary to map the Distinguished Name
>> (DN) of an authorized Kerberos client to an existing entry in the DIT.
>>
>> I fail to understand where in the tree this should be defined, what
>> schema should be used, etc. After hours of googling, it's official:
>> I'm stuck! Please, help.
>
>
> When I was learning how to map entries, I found ldapwhoami to be very
> useful. As an example, you might see this *before* creating any authz-regex
> maps:
>
> $ ldapwhoami -Y gssapi -H ldap://ldap.example.com
> SASL/GSSAPI authentication started
> SASL username: ...
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=jsmith@EXAMPLE.COM,cn=GSSAPI,cn=auth
>
> Then, you can create your maps piecemeal wise until your identity becomes
> what you really what it to be, e.g.:
>
> dn:uid=jsmith,ou=people,dc=example,dc=com
>
> See chapter 15 of the openldap administrator's guide for examples, and then
> see the manpage for slapd-config for details on how to create the
> corresponding olcAuthzRegexp entries.
>
> --
> Dan White

Follow-Ups:
- Re: Openldap/Sasl/GSSAPI on Debian: Key table entry not found
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

References:
- Openldap/Sasl/GSSAPI on Debian: Key table entry not found
  - From: Toomas Vendelin <toomas.pfx@gmail.com>
- Re: Openldap/Sasl/GSSAPI on Debian: Key table entry not found
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: syncprov_db_open: invalid config, lastmod must be enabled
Next by Date: Re: How to enable monitoring in OpenLdap with cn=config Backend
Index(es):
- Chronological
- Thread