On 09/17/2016 03:38 PM, Joshua Schaeffer wrote:
Hey all,
I've been using OpenLDAP and Kerberos for central authentication for a
while now, but I have a couple programs that can't use GSSAPI directly
and I want to setup SASL pass-through authentication to allow those
services to use my Kerberos passwords, but I'm having trouble getting
saslauthd to work correctly.
I can authentication as myself using GSSAPI without any issue:
jschaeffer@zipmaster07 ~/Downloads $ ldapwhoami
SASL/GSSAPI authentication started
SASL username: jschaef...@harmonywave.com
SASL SSF: 56
SASL data security layer installed.
dn:uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=com
But whenever I run the testsaslauthd command I can't get a successful
authentication:
root@baneling:~# testsaslauthd -u jschaef...@harmonywave.com -p <password>
0: NO "authentication failed"
Here are my SASL settings:
root@baneling:~# cat /etc/default/saslauthd | grep -v '^$\|^\s*\#'
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
root@baneling:~# cat /etc/ldap/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
I can see my saslauthd socket listening and what I find really odd is
that I can see a successful authentication attempt from Kerberos's logs:
root@baneling:~# netstat -a I | grep sasl
unix 2 [ ACC ] STREAM LISTENING 25552431
/var/run/saslauthd/mux
I get this immediately after issuing the testsaslauthd command:
Sep 17 13:09:13 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.30.18: NEEDED_PREAUTH: jschaef...@harmonywave.com
for krbtgt/harmonywave....@harmonywave.com, Additional
pre-authentication required
Sep 17 13:09:13 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17
16 23 25 26}) 10.1.30.18: ISSUE: authtime 1474139353, etypes {rep=18
tkt=18 ses=18}, jschaef...@harmonywave.com for
krbtgt/harmonywave....@harmonywave.com
You can also see it in the slapd logs:
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SRCH
base="dc=harmonywave,dc=com" scope=2 deref=0
filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=jschaef...@harmonywave.com))"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SRCH
attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey
krbmaxrenewableage krbmaxticketlife krbticketflags
krbprincipalexpiration krbticketpolicyreference krbUpEnabled
krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange
krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SRCH
base="dc=harmonywave,dc=com" scope=2 deref=0
filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/harmonywave....@harmonywave.com))"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SRCH
attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey
krbmaxrenewableage krbmaxticketlife krbticketflags
krbprincipalexpiration krbticketpolicyreference krbUpEnabled
krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange
krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SRCH
base="cn=default,cn=HARMONYWAVE.COM,cn=krbContainer,dc=harmonywave,dc=com"
scope=0 deref=0 filter="(objectClass=krbPwdPolicy)"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SRCH attr=cn
krbmaxpwdlife krbminpwdlife krbpwdmindiffchars krbpwdminlength
krbpwdhistorylength krbpwdmaxfailure krbpwdfailurecountinterval
krbpwdlockoutduration krbpwdattributes krbpwdmaxlife
krbpwdmaxrenewablelife krbpwdallowedkeysalts
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SRCH
base="dc=harmonywave,dc=com" scope=2 deref=0
filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=jschaef...@harmonywave.com))"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SRCH
attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey
krbmaxrenewableage krbmaxticketlife krbticketflags
krbprincipalexpiration krbticketpolicyreference krbUpEnabled
krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange
krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=201 SRCH
base="dc=harmonywave,dc=com" scope=2 deref=0
filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/harmonywave....@harmonywave.com))"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=201 SRCH
attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey
krbmaxrenewableage krbmaxticketlife krbticketflags
krbprincipalexpiration krbticketpolicyreference krbUpEnabled
krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange
krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=201 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=202 SRCH
base="cn=default,cn=HARMONYWAVE.COM,cn=krbContainer,dc=harmonywave,dc=com"
scope=0 deref=0 filter="(objectClass=krbPwdPolicy)"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=202 SRCH attr=cn
krbmaxpwdlife krbminpwdlife krbpwdmindiffchars krbpwdminlength
krbpwdhistorylength krbpwdmaxfailure krbpwdfailurecountinterval
krbpwdlockoutduration krbpwdattributes krbpwdmaxlife
krbpwdmaxrenewablelife krbpwdallowedkeysalts
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=202 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=203 SRCH
base="cn=default,cn=HARMONYWAVE.COM,cn=krbContainer,dc=harmonywave,dc=com"
scope=0 deref=0 filter="(objectClass=krbPwdPolicy)"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=203 SRCH attr=cn
krbmaxpwdlife krbminpwdlife krbpwdmindiffchars krbpwdminlength
krbpwdhistorylength krbpwdmaxfailure krbpwdfailurecountinterval
krbpwdlockoutduration krbpwdattributes krbpwdmaxlife
krbpwdmaxrenewablelife krbpwdallowedkeysalts
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=203 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=204 SRCH
base="krbPrincipalName=jschaef...@harmonywave.com,cn=HARMONYWAVE.COM,cn=krbContainer,dc=harmonywave,dc=com"
scope=0 deref=0 filter="(objectClass=*)"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=204 SRCH
attr=objectclass
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=204 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=205 MOD
dn="krbPrincipalName=jschaef...@harmonywave.com,cn=HARMONYWAVE.COM,cn=krbContainer,dc=harmonywave,dc=com"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=205 MOD
attr=krbLastSuccessfulAuth krbExtraData krbLastAdminUnlock
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=205 RESULT tag=103
err=0 text=
When I debug the saslauthd daemon all i get is this:
root@baneling:~# saslauthd -a kerberos5 -m /var/run/saslauthd -n 5 -d
saslauthd[1121] :main : num_procs : 5
saslauthd[1121] :main : mech_option: NULL
saslauthd[1121] :main : run_path : /var/run/saslauthd
saslauthd[1121] :main : auth_mech : kerberos5
saslauthd[1121] :ipc_init : using accept lock file:
/var/run/saslauthd/mux.accept
saslauthd[1121] :detach_tty : master pid is: 0
saslauthd[1121] :ipc_init : listening on socket:
/var/run/saslauthd/mux
saslauthd[1121] :main : using process model
saslauthd[1121] :have_baby : forked child: 1122
saslauthd[1122] :get_accept_lock : acquired accept lock
saslauthd[1121] :have_baby : forked child: 1123
saslauthd[1121] :have_baby : forked child: 1124
saslauthd[1121] :have_baby : forked child: 1125
saslauthd[1122] :rel_accept_lock : released accept lock
saslauthd[1124] :get_accept_lock : acquired accept lock
saslauthd[1122] :do_auth : auth failure:
[user=jschaef...@harmonywave.com] [service=imap] [realm=]
[mech=kerberos5] [reason=saslauthd internal error]
Kinda at a loss at what else I should look at. Any tips would be
appreciated.
Thanks,
Joshua Schaeffer
you may need to specify the keytab to use, in /etc/default/saslauthd.
also, your user object should have the userPassword attribute set to
"{SASL}jschaef...@harmonywave.com" so the passthrough works.