[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Help with SASL generic GSSAPI error

I do have olcSaslRealm and olcAuthzregexp setup in my cn=config. I do not have saslauthd.conf setup. I ran kinit from my ldap server then tried to do an ldapsearch and it looks like syslog is providing the same information.

root@baneling:~# kdestroy
root@baneling:~# kinit -p jschaeffer
Password for jschaeffer@HARMONYWAVE.COM:
root@baneling:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jschaeffer@HARMONYWAVE.COM

Valid starting    Expires           Service principal
13/05/2014 07:44  13/05/2014 17:44  krbtgt/HARMONYWAVE.COM@HARMONYWAVE.COM
    renew until 14/05/2014 07:43

root@baneling:~# ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()

root@baneling:~# cat /var/log/syslog | tail -n 2
May 13 07:44:37 baneling kernel: 7[275.456 palsdne(NU) Neh U=MCf:ff:ff:f0:eb:c2:40:0SC0000DT25252525LN38TS01 RC00 T=2 D0POOUPST6 P=7LN38
May 13 07:44:48 baneling slapd[20118]: SASL [conn=1012] Failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()

In my kdc log I don't see anything related to the ldapsearch I'm trying to perform.  It did mention that it there was no host service ticket for my test server so I added one, but the test I just ran was directly on my ldap server. I do see this, I'm not sure if it is related to this problem:

May 13 07:43:58 immortal.harmonywave.com krb5kdc[15804](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.10.9: NEEDED_PREAUTH: jschaeffer@HARMONYWAVE.COM for krbtgt/HARMONYWAVE.COM@HARMONYWAVE.COM, Additional pre-authentication required.

Thanks,
Josh

On 05/13/2014 07:12 AM, Dan White wrote:
On 05/13/14 07:32 -0400, Brendan Kearney wrote:
On Tue, 2014-05-13 at 08:26 +0200, Dieter Klünter wrote:
Am Mon, 12 May 2014 20:52:14 -0600
schrieb Joshua Schaeffer <jschaeffer0922@gmail.com>:

> root@mytest:~# ldapsearch -Y GSSAPI
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> error (80)
>      additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information ()

Check your syslog - auth facility, and check your kdc logs.

a couple of things that may need attention.  you need to map the
kerberos-established identities to ldap user objects.  adjust the below
to match your environment (these need to be in cn=config):

olcSaslRealm: BPK2.COM

This may be necessary.

olcAuthzRegexp: {0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=
$1,ou=Users,dc=bpk2,dc=com
olcAuthzRegexp: {1}uid=([^,]*),cn=gssapi,cn=auth uid=
$1,ou=Users,dc=bpk2,dc=com

This is not necessary, for GSSAPI authentication. That is, the error
message above is a SASL error message. olcAuthzRegexp would be needed to
map the user after authentication has been completed.

you might also need to tell sasl to use the kerberos auth mechanism, and
where to find the ldap servers.  again, adjust to your environment
(saslauthd.conf):

ldap_servers: ldap://ldap1.bpk2.com/ ldap://ldap2.bpk2.com
ldap_use_sasl: yes
ldap_mech: kerberos5
ldap_auth_method: fastbind
keytab: /etc/ldap.keytab

This is also not necessary, as GSSAPI authentication does not depend on or
use saslauthd. It would be needed if performing pass-through or PLAIN/LOGIN
authentication.