
Re: LDAP, SASL2, and KERBEROS5
From a troubleshooting guide found by googling around:

Problem : I can't connect, the following message appears when I try :

334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No such file or directory
GSSAPI error: acquiring credentials
GSSAPI ADAT failed
GSSAPI authentication failed

Reason : The service keytab has not been exported on the server. The server
         is unable to decrypt the client ticket.


So definitely you must have some problem with your keytab.

   Best regards
   Jose

O Plameras wrote:

Hi,

Got this error,

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No such
file or directory)


with commands:
[root@otr ssh] ldapsearch -H ldap:/// -b "dc=example,dc=com" ( w/ SASL, NO SSL)
[root@otr ssh] ldapsearch -H ldaps:/// -b "dc=example,dc=com" (w/ SASL, w/ SSL)
[root@otr ssh] ldapsearch -H ldap:/// -ZZ -b "dc=example,dc=com" (w/SASL,w/SSL)


I get correct (no error like above) results with:
[root@otr ssh] ldapsearch -H ldap:/// -b "dc=example,dc=com" -x (no SASL, no SSL)
[root@otr ssh] ldapsearch -H ldaps:/// -b "dc=example,dc=com" -x (no SASL,w/SSL)
[root@otr ssh] ldapsearch -H ldap:/// -ZZ -b "dc=example,dc=com" -x (no SASL,w/SSL)


I tested GSSAPI/Kerberos5 with SASL as follows:

Server side:

[root@otr ssh]sasl2-sample-server -s host
trying 10, 1, 6
....
....
accepted new connection
send: {48}
PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI ANONYMOUS
... lots of  characters
...
successful authentication 'oscar'
closing connection

On client side:
[oscarp@otr oscarp]$ kinit oscar
Password for oscar@NOY.COM.AU:
[oscarp@otr oscarp]$ sasl2-sample-client -s host -m GSSAPI otr.noy.com.au
receiving capability list... recv: {48}
PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI ANONYMOUS
PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI ANONYMOUS
please enter an authorization id: oscar

.... lots of characters
successful authentication
closing connection

So, SASL/GSSAPI/Kerberos works with test but
does not work with 'ldapsearch' (Openldap)

I have this on my Linux :

[oscarp@otr oscarp]$ rpm -qa | grep sasl
cyrus-sasl-devel-2.1.19-1
cyrus-sasl-gssapi-2.1.19-1
cyrus-sasl-md5-2.1.19-1
cyrus-sasl-2.1.19-1
cyrus-sasl-plain-2.1.19-1
[oscarp@otr oscarp]$ rpm -qa | grep openldap
openldap-devel-2.1.22-8
openldap-clients-2.1.22-8
openldap-servers-2.1.22-8
openldap-2.1.22-8
[oscarp@otr oscarp]$ rpm -qa | grep krb5
krb5-devel-1.3.4-1
krb5-server-1.3.4-1
krb5-workstation-1.3.4-1
pam_krb5-2.0.4-1
krb5-libs-1.3.4-1
[oscarp@otr oscarp]$ rpm -qa | grep openssl
openssl-0.9.7a-23
openssl-devel-0.9.7a-23
[oscarp@otr oscarp]$

[oscarp@otr oscarp]$ ldapsearch -H ldap:/// -b "" supportedSASLMechanims -x
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: supportedSASLMechanims
#


# search result
search: 2
result: 32 No such object

# numResponses: 1
[oscarp@otr oscarp]$

Can someone point me to where I should check to fix this problem? Thanks.

O Plameras
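An added check script for the keytab diagnosis above (not code from the thread): it parses `klist -k` output for the `ldap/otr.noy.com.au@NOY.COM.AU` entry that slapd needs (the `sasl2-sample-server -s host` test only exercises the `host/` key), and on a live host also verifies that the keytab file is readable by the account slapd runs as. The slapd user name `ldap`, the keytab path `/etc/krb5.keytab` and the sample `klist -k` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Check that a keytab holds the service key slapd needs for GSSAPI binds.
# slapd looks for ldap/<fqdn>@REALM; "sasl2-sample-server -s host" uses
# host/<fqdn>@REALM, so that test passing says nothing about the ldap/ key.

# keytab_has_principal PRINCIPAL  (reads "klist -k" output on stdin)
# Returns 0 if PRINCIPAL has at least one key version in the keytab.
keytab_has_principal() {
    # Entry lines look like "   2 ldap/otr.noy.com.au@NOY.COM.AU"
    # (KVNO, then principal); header lines have no numeric first field.
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_slapd_keytab KEYTAB FQDN REALM [SLAPD_USER]
# Live checks (run as root): file exists, is readable by the user slapd
# drops privileges to, and contains ldap/FQDN@REALM. SLAPD_USER defaults
# to "ldap" (assumption; check your init script).
check_slapd_keytab() {
    keytab="$1"; fqdn="$2"; realm="$3"; user="${4:-ldap}"
    if [ ! -f "$keytab" ]; then
        echo "missing: $keytab (export ldap/$fqdn from the KDC into it)"; return 1
    fi
    # A root-only /etc/krb5.keytab gives slapd the same "No such file or
    # directory ... acquiring credentials" error as an absent file.
    if ! su -s /bin/sh "$user" -c "test -r '$keytab'"; then
        echo "unreadable by $user: $keytab (fix mode, or set KRB5_KTNAME to a copy slapd can read)"; return 1
    fi
    if ! klist -k "$keytab" | keytab_has_principal "ldap/$fqdn@$realm"; then
        echo "no ldap/$fqdn@$realm entry in $keytab"; return 1
    fi
    echo "ok: slapd can use $keytab for ldap/$fqdn@$realm"
}

# Constructed sample of "klist -k" output for a host where only the host/
# key was exported, the case the sasl2-sample-server test does not catch.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/otr.noy.com.au@NOY.COM.AU'

if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal 'ldap/otr.noy.com.au@NOY.COM.AU'; then
    echo "sample keytab: ldap/ key present"
else
    echo "sample keytab: ldap/ key missing, slapd GSSAPI binds will fail"
fi
```

On the real server run `check_slapd_keytab /etc/krb5.keytab otr.noy.com.au NOY.COM.AU` as root; each failing check prints which of the three conditions (file present, readable by slapd, ldap/ key present) is the one producing the GSSAPI "No such file or directory" error.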