I'm trying to get SASL + OpenLDAP working over saslauthd to AD via Kerberos. I've fired up saslauthd in debug mode and I'm getting the error below in the trace log when I try to su to the LDAP account user101:
[12450] 1605731046.958412: Failed to decrypt AP-REQ ticket: -1765328339/No key table entry found for host/ldap-krb-test.mycorp.net@MY.REALM.KRB
I can issue kinit and there are no complaints about the key table entry. I've launched saslauthd this way:
export KRB5_KTNAME="/etc/windows.keytab" KRB5_TRACE="/tmp/krb5_trace.log" SOCKETDIR="/var/run/saslauthd" MECHANISMS="kerberos5" ; /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5 -d
Any idea why saslauthd isn't able to find the key table entry but kinit does? I've run across some info about rc4-hmac being deprecated, and when I remove that from the list of the allowed enctypes in krb5.conf, I get an error that the KDC has no support for the encryption type. Not sure if that's related to the original error about the key table entry though. Below is some info from the command line, the trace file and krb5.conf:
The keytab principal matches what's being asked for in the trace file:
# kinit -k -t /etc/windows.keytab
# klist -kte
Keytab name: FILE:/etc/windows.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
3 12/31/1969 18:00:00 host/ldap-krb-test.mycorp.net@MY.REALM.KRB (aes256-cts-hmac-sha1-96)
Trace file snippet:
...
[12450] 1605731046.950617: Sending TCP request to stream xxx.xxx.xxx.17:88
[12450] 1605731046.958060: Received answer (1956 bytes) from stream xxx.xxx.xxx.17:88
[12450] 1605731046.958074: Terminating TCP connection to stream xxx.xxx.xxx.17:88
[12450] 1605731046.958131: Response was not from master KDC
[12450] 1605731046.958148: Decoding FAST response
[12450] 1605731046.958196: FAST reply key: aes256-cts/0E58
[12450] 1605731046.958223: TGS reply is for user101@MY.REALM.KRB -> host/ldap-krb-test.mycorp.net@MY.REALM.KRB with session key rc4-hmac/ED4E
[12450] 1605731046.958261: TGS request result: 0/Success
[12450] 1605731046.958270: Received creds for desired service host/ldap-krb-test.mycorp.net@MY.REALM.KRB
[12450] 1605731046.958277: Storing user101@MY.REALM.KRB -> host/ldap-krb-test.mycorp.net@MY.REALM.KRB in MEMORY:0
[12450] 1605731046.958301: Creating authenticator for user101@MY.REALM.KRB -> host/ldap-krb-test.mycorp.net@MY.REALM.KRB, seqnum 0, subkey (null), session key rc4-hmac/ED4E
[12450] 1605731046.958402: Retrieving host/ldap-krb-test.mycorp.net@MY.REALM.KRB from FILE:/etc/windows.keytab (vno 3, enctype rc4-hmac) with result: -1765328203/No key table entry found for host/ldap-krb-test.mycorp.net@MY.REALM.KRB
[12450] 1605731046.958412: Failed to decrypt AP-REQ ticket: -1765328339/No key table entry found for host/ldap-krb-test.mycorp.net@MY.REALM.KRB
[12450] 1605731046.958465: Destroying ccache MEMORY:0
krb5.conf:
[libdefaults]
default_realm = MY.REALM.KRB
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
rdns=false
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MY.REALM.KRB = {
kdc = my.realm.krb
admin_server = my.realm.krb
}
[domain_realm]
.my.realm.krb = MY.REALM.KRB
my.realm.krb = MY.REALM.KRB
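The trace above shows the library asking the keytab for host/ldap-krb-test.mycorp.net@MY.REALM.KRB with vno 3 and enctype rc4-hmac, while the klist -kte listing holds only an aes256-cts-hmac-sha1-96 key for that principal and kvno. A keytab lookup in MIT Kerberos has to match all three of principal, kvno and enctype, which is why kinit -k (which uses whatever key the keytab has) succeeds while decrypting a service ticket issued for a different enctype does not. The following script is an added example, not code from the original post: it parses the two formats shown in the question (a klist -kte listing and the KRB5_TRACE "Retrieving ..." line) and reports whether the requested (principal, kvno, enctype) triple is present. The sample files are constructed from the lines in the question; the second trace line, with an AES enctype, is hypothetical and only shows what a matching lookup looks like.

```shell
#!/bin/sh
# Added example, not code from the original post: check whether a keytab holds
# a key for the exact (principal, kvno, enctype) triple the Kerberos library
# asked for when it tried to decrypt an AP-REQ. Input formats are the
# `klist -kte` listing and the KRB5_TRACE "Retrieving ..." line from the
# question; the sample files below are constructed from those lines.

# Print "principal kvno enctype" for the last keytab lookup in a trace file.
wanted_key() {
    sed -n 's/.*Retrieving \([^ ]*\) from FILE:[^ ]* (vno \([0-9]*\), enctype \([^)]*\)).*/\1 \2 \3/p' "$1" | tail -n 1
}

# Print one "principal kvno enctype" line per key in a `klist -kte` listing.
# Header and separator lines (first field not numeric) are skipped.
keytab_keys() {
    awk '$1 ~ /^[0-9]+$/ { e = $NF; gsub(/[()]/, "", e); print $(NF-1), $1, e }' "$1"
}

# check_keytab <klist-output-file> <trace-file>
# Returns 0 when the keytab has a matching key, 1 on a mismatch, and 2 when
# the trace contains no keytab lookup at all.
check_keytab() {
    kt=$1
    want=$(wanted_key "$2")
    if [ -z "$want" ]; then
        echo "no keytab lookup found in $2"
        return 2
    fi
    if keytab_keys "$kt" | grep -Fxq "$want"; then
        echo "OK: keytab has a key for: $want"
        return 0
    fi
    echo "MISMATCH: ticket needs [$want] but the keytab only holds:"
    keytab_keys "$kt" | sed 's/^/  /'
    return 1
}

# --- constructed sample input, copied from the question's output ---
SAMPLE_KEYTAB=$(mktemp)
cat >"$SAMPLE_KEYTAB" <<'EOF'
Keytab name: FILE:/etc/windows.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   3 12/31/1969 18:00:00 host/ldap-krb-test.mycorp.net@MY.REALM.KRB (aes256-cts-hmac-sha1-96)
EOF

SAMPLE_TRACE=$(mktemp)
cat >"$SAMPLE_TRACE" <<'EOF'
[12450] 1605731046.958402: Retrieving host/ldap-krb-test.mycorp.net@MY.REALM.KRB from FILE:/etc/windows.keytab (vno 3, enctype rc4-hmac) with result: -1765328203/No key table entry found for host/ldap-krb-test.mycorp.net@MY.REALM.KRB
EOF

# Hypothetical trace line (not from the question): same principal and kvno,
# but the ticket enctype matches the key that is actually in the keytab.
SAMPLE_TRACE_AES=$(mktemp)
cat >"$SAMPLE_TRACE_AES" <<'EOF'
[12450] 1605731046.958402: Retrieving host/ldap-krb-test.mycorp.net@MY.REALM.KRB from FILE:/etc/windows.keytab (vno 3, enctype aes256-cts-hmac-sha1-96) with result: 0/Success
EOF

# On a live system: save `klist -kte` to a file and pass it with the trace log,
# e.g.  klist -kte > /tmp/kt.txt; check_keytab /tmp/kt.txt /tmp/krb5_trace.log
for t in "$SAMPLE_TRACE" "$SAMPLE_TRACE_AES"; do
    check_keytab "$SAMPLE_KEYTAB" "$t" || echo "  -> exit status $?"
done
```

The mismatch branch prints every key the keytab does hold next to the triple the ticket needs, so the two usual causes (wrong kvno after a password reset, or a ticket enctype the keytab was never given a key for) are visible at a glance without re-reading the trace.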