On 08/16/2016 10:51 PM, Alexander Bokovoy wrote:
> On Tue, 16 Aug 2016, David Kowis wrote:
>> On 08/15/2016 09:27 PM, David Kowis wrote:
>>> On 08/15/2016 08:05 PM, Rob Crittenden wrote:
>>>> David Kowis wrote:
>>>>> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>>>>>> This is weird as LDAP SASL & GSSAPI is pretty standard thing.
>>>>>>
>>>>>> In any case, you can check server logs or use tcpdump/wireshark and
>>>>>> see if the
>>>>>> error comes from LDAP server or if it is client side error.
>>>>>>
>>>>>> That would tell us where to focus.

I think I know what's going on, but not why it's going on:

https://bugs.launchpad.net/ubuntu/+source/389-ds-base/+bug/1088822
This bug led me to wonder where the directory server was finding its
GSSAPI modules.

For some reason dirsrv is looking in /usr/lib/sasl2 for its SASL
modules, when they're actually installed in /usr/lib/i386-linux-gnu/sasl2

A symlink:
ln -s /usr/lib/i386-linux-gnu/sasl2 /usr/lib/sasl2


and then suddenly:
ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS

Should I file a new bug with Ubuntu? Did I find some weird i386-only bug
that should've been fixed?

Thanks,
David Kowis

PS: sorry if this is a repost, I sent it before, but it doesn't seem to
be showing up on the list...

>>>>>>
>>>>>
>>>>> Welp, I've got a pile of logs for you:
>>>>> https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0
>>>>>
>>>>> The last few lines are probably the relevant ones.
>>>>>
>>>>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl
>>>>> version=3 mech=GSSAPI
>>>>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97
>>>>> nentries=0 etime=0
>>>>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
>>>>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
>>>>>
>>>>>
>>>>> Something tries to bind with no dn, and then fails.... I think?
>>>>
>>>> No this is typical logging for GSSAPI (minus the error).
>>>>
>>>> The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
>>>> SASL GSSAPI package installed? In Fedora the package is
>>>> cyrus-sasl-gssapi.
>>>>
>>
>> Still trying to figure stuff out:
>>
>> root@freeipavm:/var/log/dirsrv/slapd-DARK-KOW-IS# ldapsearch -h
>> localhost -p 389 -x -b "" -s base -LLL SupportedSASLMechanisms
>> dn:
>> SupportedSASLMechanisms: EXTERNAL
>>
>>
>> Should I have more than just EXTERNAL when this happens? How do I debug
>> more about what SASL authentication stuff should be there? I'm having a
>> great deal of difficulty finding documentation for the 389 directory
>> server's SASL configuration. *If* that's even the place I should be
>> looking. How can I narrow this down more?
> 389-ds does dynamically include all supported SASL mechanisms returned
> by CyrusSASL library. If you only get EXTERNAL, it means NO mechanisms
> were returned by your system SASL library. The attribute
> SupportedSASLMechanisms you see in the rootdse query above is read-only:
> it only shows which SASL mechanisms 389-ds knows about but you cannot
> influence them via this attribute. You need to look at your CyrusSASL
> library system configuration.
>
> What does 'pluginviewer' output show? Here is what Fedora 24 reports
> when the following packages are installed:
> cyrus-sasl-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-md5-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-plain-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-gssapi-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-lib-2.1.26-26.2.fc24.x86_64
>
> # pluginviewer
> Installed and properly configured auxprop mechanisms are:
> sasldb
> List of auxprop plugins follows
> Plugin "sasldb" ,     API version: 8
>     supports store: yes
>
> Installed and properly configured SASL (server side) mechanisms are:
>  GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
> Available SASL (server side) mechanisms matching your criteria are:
>  GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
> List of server plugins follows
> Plugin "gssapiv2" [loaded],     API version: 4
>     SASL mechanism: GSS-SPNEGO, best SSF: 56, supports setpass: no
>     security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
>     features:
> WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD|SUPPORTS_HTTP
> Plugin "gssapiv2" [loaded],     API version: 4
>     SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
>     security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
>     features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
> Plugin "digestmd5" [loaded],     API version: 4
>     SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>     security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>     features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
> Plugin "crammd5" [loaded],     API version: 4
>     SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>     security flags: NO_ANONYMOUS|NO_PLAINTEXT
>     features: SERVER_FIRST
> Plugin "login" [loaded],     API version: 4
>     SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>     security flags: NO_ANONYMOUS|PASS_CREDENTIALS
>     features:
> Plugin "plain" [loaded],     API version: 4
>     SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>     security flags: NO_ANONYMOUS|PASS_CREDENTIALS
>     features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "anonymous" [loaded],     API version: 4
>     SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>     security flags: NO_PLAINTEXT
>     features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
> Installed and properly configured SASL (client side) mechanisms are:
>  GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
> Available SASL (client side) mechanisms matching your criteria are:
>  GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
> List of client plugins follows
> Plugin "gssapiv2" [loaded],     API version: 4
>     SASL mechanism: GSS-SPNEGO, best SSF: 56
>     security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
>     features:
> WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
> Plugin "gssapiv2" [loaded],     API version: 4
>     SASL mechanism: GSSAPI, best SSF: 56
>     security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
>     features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
> Plugin "digestmd5" [loaded],     API version: 4
>     SASL mechanism: DIGEST-MD5, best SSF: 128
>     security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>     features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
> Plugin "EXTERNAL" [loaded],     API version: 4
>     SASL mechanism: EXTERNAL, best SSF: 0
>     security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
>     features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "crammd5" [loaded],     API version: 4
>     SASL mechanism: CRAM-MD5, best SSF: 0
>     security flags: NO_ANONYMOUS|NO_PLAINTEXT
>     features: SERVER_FIRST
> Plugin "login" [loaded],     API version: 4
>     SASL mechanism: LOGIN, best SSF: 0
>     security flags: NO_ANONYMOUS|PASS_CREDENTIALS
>     features: SERVER_FIRST
> Plugin "plain" [loaded],     API version: 4
>     SASL mechanism: PLAIN, best SSF: 0
>     security flags: NO_ANONYMOUS|PASS_CREDENTIALS
>     features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "anonymous" [loaded],     API version: 4
>     SASL mechanism: ANONYMOUS, best SSF: 0
>     security flags: NO_PLAINTEXT
>     features: WANT_CLIENT_FIRST
>



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

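The thread's diagnosis comes down to two checks: which directory actually holds the Cyrus SASL plugins the server will load, and whether the rootDSE advertises anything beyond EXTERNAL (Alexander's point that EXTERNAL alone means libsasl2 returned no mechanisms at all). The following shell helpers are an added example, not code from the thread or from 389-ds/FreeIPA. They assume the GSSAPI plugin file is named libgssapiv2.so (the Cyrus SASL plugin name shown by pluginviewer above), and the x86_64 Debian/Ubuntu path is an assumed candidate alongside the two paths David found; the LDIF sample is constructed from his "before" output.

```shell
#!/bin/sh
# Added diagnostic helpers (not part of the original thread).
# 1. find_sasl_plugin: which candidate plugin directories contain a plugin.
# 2. ldif_mechs: extract supportedSASLMechanisms values from ldapsearch -LLL.
# 3. diagnose_mechs: classify the rootDSE answer the way the thread does.

# Candidate plugin directories: the two from the thread plus the 64-bit
# Debian/Ubuntu multiarch path (assumption, for illustration only).
SASL_PLUGIN_DIRS="/usr/lib/sasl2 /usr/lib/i386-linux-gnu/sasl2 /usr/lib/x86_64-linux-gnu/sasl2"

# find_sasl_plugin DIRS PLUGIN
# Print every directory in DIRS (space separated) that contains PLUGIN
# (for example libgssapiv2.so). Returns 1 if no directory has it, which is
# the "server looks in /usr/lib/sasl2 but plugins live elsewhere" case.
find_sasl_plugin() {
    dirs=$1; plugin=$2; found=1
    for d in $dirs; do
        if [ -e "$d/$plugin" ]; then
            echo "$d"
            found=0
        fi
    done
    return $found
}

# ldif_mechs
# Read ldapsearch -LLL output on stdin and print one mechanism per line.
# The attribute name is matched case-insensitively, as LDAP attribute
# names are (the thread shows both supportedSASLMechanisms and
# SupportedSASLMechanisms).
ldif_mechs() {
    awk 'tolower($1) == "supportedsaslmechanisms:" { print $2 }'
}

# diagnose_mechs MECHS
# MECHS is the whitespace separated list printed by ldif_mechs. Prints:
#   ok          GSSAPI is advertised
#   no-plugins  only EXTERNAL came back: libsasl2 loaded no plugins at all
#               (plugin directory problem, as in the thread)
#   no-gssapi   other plugins load but the gssapiv2 plugin is missing
diagnose_mechs() {
    mechs=$1
    has_gssapi=1; has_other=1
    for m in $mechs; do
        case "$m" in
            GSSAPI)   has_gssapi=0 ;;
            EXTERNAL) ;;
            *)        has_other=0 ;;
        esac
    done
    if [ $has_gssapi -eq 0 ]; then
        echo ok
    elif [ $has_other -eq 0 ]; then
        echo no-gssapi
    else
        echo no-plugins
    fi
}

# Constructed sample: the rootDSE answer from the thread before the symlink.
BROKEN_LDIF='dn:
supportedSASLMechanisms: EXTERNAL'

# Demonstration on the constructed sample (prints "no-plugins").
printf '%s\n' "$BROKEN_LDIF" | ldif_mechs | {
    mechs=$(cat)
    echo "sample rootDSE verdict: $(diagnose_mechs "$mechs")"
}

# On a live server the same checks would be (not run here):
#   mechs=$(ldapsearch -h localhost -p 389 -x -b "" -s base -LLL \
#           supportedSASLMechanisms | ldif_mechs)
#   diagnose_mechs "$mechs"
#   find_sasl_plugin "$SASL_PLUGIN_DIRS" libgssapiv2.so
```

If diagnose_mechs reports no-plugins while find_sasl_plugin shows the plugin present only under the multiarch directory, the server and the library disagree about the plugin path; that is exactly the situation the symlink above papers over, and the proper fix is the packaging bug David points at rather than the symlink.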