3

The goal: to make an OpenLDAP server to authenticate using Kerberos V via GSSAPI

Setup: several virtual machines running on freshly installed/updated Debian Squeeze

A master KDC server

kdc.example.com

A LDAP server, running OpenLDAP

ldap.example.com

The problem:

tom@ldap:~$ ldapsearch -b 'dc=example,dc=com' 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)

One might suggest to add that bloody keytab entry, but here's the real problem:

ktutil:  rkt /etc/ldap/ldap.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2        ldap/ldap.example.com@EXAMPLE.COM
   2    2        ldap/ldap.example.com@EXAMPLE.COM
   3    2        ldap/ldap.example.com@EXAMPLE.COM
   4    2        ldap/ldap.example.com@EXAMPLE.COM

So, the entry as suggested by the OpenLDAP manual is there allright. Deleting and re-creating both service principal and the keytab on ldap.example.com didn't help, I get the same error. And before I make the keytab file readable by openldap, I get "Permission denied" error instead of the one in the subject. Which implies, that the right keytab file is being accessed, as set in /etc/default/slapd.

I have my doubts about the following part of slapd config:

root@ldap:~# cat /etc/ldap/slapd.d/cn\=config.ldif | grep -v "^#"
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: 256
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: d6737f5c-d321-1030-9dbe-27d2a7751e11
olcSaslHost: kdc.example.com
olcSaslRealm: EXAMPLE.COM
olcSaslSecProps: noplain,noactive,noanonymous,minssf=56
olcAuthzRegexp: {0}"uid=([^/]*),cn=EXAMPLE.COM,cn=GSSAPI,cn=auth" "uid=$1,ou=People,dc=example,dc=com"
olcAuthzRegexp: {1}"uid=host/([^/]*).example.com,cn=example.com,cn=gssapi,cn=auth" "cn=$1,ou=hosts,dc=example,dc=com"

A HOWTO at https://help.ubuntu.com/community/OpenLDAPServer#Kerberos_Authentication mentiones vaguely:

Also, it is frequently necessary to map the Distinguished Name (DN) of an authorized Kerberos client to an existing entry in the DIT.

I fail to understand where in the tree this should be defined, what schema should be used, etc. After hours of googling, it's official: I'm stuck! Please, help.

Other things checked: Kerberos as such works fine (I can ssh without using a password to any machine in this setup). That means there should be no DNS-related problems.

ldapsearch -b 'dc=example,dc=com' -x

works OK.

SASL/GSSAPI has been tested using

sasl-sample-server  -m GSSAPI -s ldap

and

sasl-sample-client -s ldap -n ldap.example.com -u tom

without errors:

root@ldap:~# sasl-sample-server  -m GSSAPI -s ldap
Forcing use of mechanism GSSAPI
Sending list of 1 mechanism(s)
S: R1NTQVBJ
Waiting for client mechanism...
C: R1NTQVBJAGCCAmUGCSqGSIb3EgECAgEAboICVDCCAlCgAwIBBaEDAgEOogcDBQAgAAAAo4IBamGCAWYwggFioAMCAQWhDRsLRVhBTVBMRS5DT02iIzAhoAMCAQOhGjAYGwRsZGFwGxBsZGFwLmV4YW1wbGUuY29to4IBJTCCASGgAwIBEqEDAgECooIBEwSCAQ8Re8XUnscB8dx6V/cXL+uzSF2/olZvcrVAJHZBZrfRKUFEQmU1Li46bUGK3GZwsn6qUVwmW6lyqVctOIYwGvBpz81Rw/5mj4V5iQudZbIRa+5Ew6W1oBB7ALi2cnPsbUroqzGmEh8/Vw8zSFk7W1gND4DLuWrPXD2xhLDUMMekBn5nXEPTnNAnV4w81Sj3ZlyLZz5OSitGVUEnQweV53z1spWsASHHWod/tSuxb19YeWmY5QHXPLG+lL5+w+Cykr0EhYVj8f8MDWFB8qoN1cr85xDfn18r8JldSw+i18nFKOo8usG+37hZTWynHYvBfMONtG9mLJv82KGPZMydWK7pzyTZDcnSsIjo2AftMZd5pIHMMIHJoAMCARKigcEEgb5aG1k4xgxmUXX7RKfvAbVBVJ12dWOgFFjMYceKjziXwrrOkv8ZwIvef9Yn2KsWznb5L55SXt2c/zlPa5mLKIktvw77hsK1h/GYc7p//BGOsmr47aCqVWsGuTqVT129uo5LNQDeSFwl2jXCkCZJZavOVrqYsM6flrPYE4n5lASTcPitX+/WNsf6WrvZoaexiv1JqyM/MWqS/vMBRMMc5xlurj6OARFvP9aFZoK/BLmfkSyAJj6MLbLVXZtkHiIPgot 'GSSAPI'
Sending response...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkxggi9pW+yJ1ExbTwLDclqw/VQ98aPq8mt39hkO6PPfcO2cB+t6vJ01xRKBrT9D2qF2XK0SWD4PQNb5UFbH4RM/bKAxDuCfZ1MHKgIWTLu4bK7VGZTbYydcckU2d910jIdvkkHhaRqUEM4cqp/cR
Waiting for client reply...
C: got ''
Sending response...
S: BQQF/wAMAAAAAAAAMBOWqQcACAAlCodrXW66ZObsEd4=
Waiting for client reply...
C: BQQE/wAMAAAAAAAAFUYbXQQACAB0b20VynB4uGH/iIzoRhw=got '?'
Negotiation complete
Username: tom
Realm: (NULL)
SSF: 56
sending encrypted message 'srv message 1'
S: AAAASgUEB/8AAAAAAAAAADATlqrqrBW0NRfPMXMdMz+zqY32YakrHqFps3o/vO6yDeyPSaSqprrhI+t7owk7iOsbrZ/idJRxCBm8Wazx
Waiting for encrypted message...
C: AAAATQUEBv8AAAAAAAAAABVGG17WC1+/kIV9xTMUdq6Y4qYmmTahHVCjidgGchTOOOrBLEwA9IqiTCdRFPVbK1EgJ34P/vxMQpV1v4WZpcztgot ''
recieved decoded message 'client message 1'




root@ldap:~# sasl-sample-client -s ldap -n ldap.example.com -u tom
service=ldap
Waiting for mechanism list from server...
S: R1NTQVBJrecieved 6 byte message
Choosing best mechanism from: GSSAPI
returning OK: tom
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: R1NTQVBJAGCCAmUGCSqGSIb3EgECAgEAboICVDCCAlCgAwIBBaEDAgEOogcDBQAgAAAAo4IBamGCAWYwggFioAMCAQWhDRsLRVhBTVBMRS5DT02iIzAhoAMCAQOhGjAYGwRsZGFwGxBsZGFwLmV4YW1wbGUuY29to4IBJTCCASGgAwIBEqEDAgECooIBEwSCAQ8Re8XUnscB8dx6V/cXL+uzSF2/olZvcrVAJHZBZrfRKUFEQmU1Li46bUGK3GZwsn6qUVwmW6lyqVctOIYwGvBpz81Rw/5mj4V5iQudZbIRa+5Ew6W1oBB7ALi2cnPsbUroqzGmEh8/Vw8zSFk7W1gND4DLuWrPXD2xhLDUMMekBn5nXEPTnNAnV4w81Sj3ZlyLZz5OSitGVUEnQweV53z1spWsASHHWod/tSuxb19YeWmY5QHXPLG+lL5+w+Cykr0EhYVj8f8MDWFB8qoN1cr85xDfn18r8JldSw+i18nFKOo8usG+37hZTWynHYvBfMONtG9mLJv82KGPZMydWK7pzyTZDcnSsIjo2AftMZd5pIHMMIHJoAMCARKigcEEgb5aG1k4xgxmUXX7RKfvAbVBVJ12dWOgFFjMYceKjziXwrrOkv8ZwIvef9Yn2KsWznb5L55SXt2c/zlPa5mLKIktvw77hsK1h/GYc7p//BGOsmr47aCqVWsGuTqVT129uo5LNQDeSFwl2jXCkCZJZavOVrqYsM6flrPYE4n5lASTcPitX+/WNsf6WrvZoaexiv1JqyM/MWqS/vMBRMMc5xlurj6OARFvP9aFZoK/BLmfkSyAJj6MLbLVXZtkHiIP
Waiting for server reply...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkxggi9pW+yJ1ExbTwLDclqw/VQ98aPq8mt39hkO6PPfcO2cB+t6vJ01xRKBrT9D2qF2XK0SWD4PQNb5UFbH4RM/bKAxDuCfZ1MHKgIWTLu4bK7VGZTbYydcckU2d910jIdvkkHhaRqUEM4cqp/cRrecieved 156 byte message
C: 
Waiting for server reply...
S: BQQF/wAMAAAAAAAAMBOWqQcACAAlCodrXW66ZObsEd4=recieved 32 byte message
Sending response...
C: BQQE/wAMAAAAAAAAFUYbXQQACAB0b20VynB4uGH/iIzoRhw=
Negotiation complete
Username: tom
SSF: 56
Waiting for encoded message...
S: AAAASgUEB/8AAAAAAAAAADATlqrqrBW0NRfPMXMdMz+zqY32YakrHqFps3o/vO6yDeyPSaSqprrhI+t7owk7iOsbrZ/idJRxCBm8Wazxrecieved 78 byte message
recieved decoded message 'srv message 1'
sending encrypted message 'client message 1'
C: AAAATQUEBv8AAAAAAAAAABVGG17WC1+/kIV9xTMUdq6Y4qYmmTahHVCjidgGchTOOOrBLEwA9IqiTCdRFPVbK1EgJ34P/vxMQpV1v4WZpczt
badbishop
  • 898
  • 3
  • 11
  • 21
  • 1
    Are you trying to ldapsearch as tom@EXAMPLE.COM or ldap/ldap.example.com@EXAMPLE.COM? Also what does `klist -f` say? – 84104 Jan 17 '12 at 21:57
  • SPNs are case-sensitive. Try adding key for LDAP/ldap.example.com@EXAMPLE.COM to the keytab. – yrk Jan 17 '12 at 23:35
  • Yes, I'm searching as tom@EXAMPLE.COM – badbishop Jan 18 '12 at 06:26
  • `tom@ldap:~$ klist -f Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: tom@EXAMPLE.COM Valid starting Expires Service principal 01/18/12 08:25:21 01/18/12 18:25:21 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 01/19/12 08:25:10, Flags: FRIA 01/18/12 08:25:39 01/18/12 18:25:21 ldap/ldap.example.com@EXAMPLE.COM renew until 01/19/12 08:25:10, Flags: FRAT` – badbishop Jan 18 '12 at 06:29
  • That's the point: the Kerberos part seem to work as usual. I can ssh to another host with this ticket and no password. – badbishop Jan 18 '12 at 06:31

1 Answers1

2

The answer was given by Dan White via OpenLDAP mail list.

Setting

olcSaslHost: ldap.example.com

instead of

olcSaslHost: kdc.example.com

solves the issue.

Unfortunately, the slapd-config(5) description of olcSaslHost is somewhat ambiguous (to my taste at least).

Ubuntu tutorial page was plain wrong, saying:

"#The FQDN of the Kerberos KDC.
olcSaslHost: kerberos.example.com"

at https://help.ubuntu.com/community/OpenLDAPServer#Kerberos_Authentication

badbishop
  • 898
  • 3
  • 11
  • 21