Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
From: Rich Megginson [mailto:[email protected]] On
Behalf Of Rich Megginson
Sent: Friday, March 13, 2009 10:50 PM
To: Xu, Qiang (FXSGSC)
Subject: Re: SASL authentication
Well, your ldap server must have assigned a keytab from your
kerberos KDC.
Thinking about it again, and judging from http://docs.hp.com/en/J4269-90049/ch04s03.html, it
seems a keytab file is not necessary:
Not for users/clients, but for servers/services - your LDAP server needs
a keytab.
=========================================================
Service/Host Principal
A Kerberos keytab file contains service or host principals and the associated key
information. Users can choose to bind using the service or host keys. The
keytab file may contain multiple principals and keys. Users may configure which
service key to use. For example, the following /etc/krb5.keytab file contains
two principals:
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
Principal
--------------------------------------------
1 ldapux/[email protected]
1 host/[email protected]
=========================================================
It seems to me that if the output of the klist command is not empty, then there
exists a service principal.
Yes. There is the host principal (host/[email protected]) which
is probably used for things like login/ssh. I'm not sure what
ldapux/[email protected] is used for - could be an LDAP server
service principal, or could be the host LDAP client principal (e.g. for
nss_ldap, pam_ldap, etc.)
Your LDAP server needs a Kerberos service principal which is specified
in its keytab. If you don't know, you need to ask your Kerberos and
LDAP server administrator.
After I authenticate against the Kerberos server, I get:
=========================================================
MBC113:/ <515> /tmp/dlms/kerberos/apps/klist -k
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
03/17/09 17:36:50 03/18/09 03:37:35 krbtgt/[email protected]
renew until 03/18/09 17:36:50
=========================================================
So I do have a service principal or ticket. And it has not expired, yet.
No, you have a TGT, not a service principal.
Looking back at the tutorial at http://aput.net/~jheiss/krbldap/howto.html:
=========================================================
ldap_sasl_interactive_bind_s: Local error
ldap/hostname service principal not set up
or your Kerberos ticket is expired
=========================================================
It may just mean either that there is no ticket available, or that the ticket has
expired. From the output of the klist command, it looks like my error is not due to
this.
In short, I think the keytab file is not necessary, provided that my kinit is
successful and klist does not give an empty result. Am I right?
Not exactly.
Thanks,
Xu Qiang
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
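The distinction the reply draws (a client TGT in the credential cache versus an ldap/<fqdn> key in the server's keytab) is easy to check mechanically. The script below is an added example, not code from the thread or from the Mozilla LDAP project: it parses constructed `klist` and `klist -k` output in the formats quoted above, and reports which side is missing. The hostname ldap.example.com, the realm EXAMPLE.COM and the user principal are assumptions; the service name `ldap` is the one a GSSAPI LDAP bind requests from the KDC by default, which is why the howto's error message names ldap/hostname.

```shell
#!/bin/sh
# Added example, not from the thread. Parses sample `klist` (credential cache)
# and `klist -k` (keytab) output to tell apart the two things the reply
# distinguishes: the client's TGT and the server's ldap/<fqdn> service key.
# All sample output below is constructed; ldap.example.com / EXAMPLE.COM are
# assumed names, not the hosts from the thread.

# What a client sees after a successful kinit: a TGT, no service tickets yet.
CLIENT_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
03/17/09 17:36:50    03/18/09 03:37:35    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/18/09 17:36:50'

# A server keytab like the one quoted from the HP docs: host/ and ldapux/
# entries, but no ldap/<fqdn> entry, which is the service name a GSSAPI
# LDAP bind asks the KDC for.
SERVER_KEYTAB_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ldapux/ldap.example.com@EXAMPLE.COM
   1 host/ldap.example.com@EXAMPLE.COM'

# The same keytab after the LDAP service principal has been added to it.
FIXED_KEYTAB_KLIST="$SERVER_KEYTAB_KLIST
   2 ldap/ldap.example.com@EXAMPLE.COM"

# has_tgt CACHE_OUTPUT: true if the cache holds a krbtgt/ ticket (a TGT).
has_tgt() {
    printf '%s\n' "$1" | grep -qF 'krbtgt/'
}

# has_service_ticket CACHE_OUTPUT FQDN: true if a ticket for ldap/FQDN is
# already cached (the client obtained one from the KDC on an earlier bind).
has_service_ticket() {
    printf '%s\n' "$1" | grep -qF "ldap/$2@"
}

# keytab_has_principal KEYTAB_OUTPUT SERVICE FQDN: true if `klist -k` lists a
# SERVICE/FQDN@... principal. The principal is the second whitespace-separated
# field of each entry line; header lines never start with SERVICE/.
keytab_has_principal() {
    printf '%s\n' "$1" |
        awk -v p="$2/$3@" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# diagnose CACHE_OUTPUT KEYTAB_OUTPUT FQDN: names the likely cause of
# "ldap_sasl_interactive_bind_s: Local error". Exit 1 = client side (no TGT),
# exit 2 = server side (keytab lacks ldap/FQDN), exit 0 = both present.
diagnose() {
    if ! has_tgt "$1"; then
        echo "client: no TGT in the credential cache; run kinit first"
        return 1
    fi
    if ! keytab_has_principal "$2" ldap "$3"; then
        echo "server: keytab has no ldap/$3 entry; a GSSAPI bind to it cannot succeed"
        return 2
    fi
    echo "ok: client holds a TGT and the server keytab holds ldap/$3"
    return 0
}

# Stand-alone run: the quoted keytab fails on the server side, the fixed one passes.
diagnose "$CLIENT_KLIST" "$SERVER_KEYTAB_KLIST" ldap.example.com || echo "  (exit status $?)"
diagnose "$CLIENT_KLIST" "$FIXED_KEYTAB_KLIST" ldap.example.com || echo "  (exit status $?)"
```

To use it on real systems, feed `"$(klist)"` from the client and `"$(klist -k)"` run on the LDAP server host (the keytab is readable only there). From the client alone, MIT Kerberos' `kvno ldap/<fqdn>` asks the KDC for that service ticket; if the KDC has no such principal the request fails before the LDAP server is ever contacted, which separates a missing principal from a server whose keytab merely lacks the key.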