Hi,
I have a strange problem with krb5 krb5-server-ldap and FC14. I tried to
resolve it myself, but I'm stuck. The strangest thing is that all of this
works perfectly with fc13, so it's not a config issue. I could not find any
major difference in krb5 from fc13 to fc14. The only thing is that libldap
from openldap-clients is compiled with Mozilla NSS (fc14) instead of
OpenSSL (fc13), but krb5kdc does connect to the ldap servers, which I
confirmed in the ldap server logs, so it should not be a TLS-related problem.
krb5kdc binds the first time and gets the realm-related stuff. But when I run
kinit it returns "kinit: Generic error (see e-text) while getting
initial credentials".
Strangest thing is that all works perfectly if I manually run krb5kdc
"/usr/sbin/krb5kdc -r ST -P /var/run/krb5kdc.pid" instead of using
initscripts.
Attached are krb5.conf, a patch to enhance krb5kdc debugging, and a log file
created with this patch applied.
This may not be the right list, but I think that freeipa should have the same
bug. Feel free to ask for more debugging or to try new patches.
Best regards,
Zoran Pericic
diff -ur krb5-1.8.2.org/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c krb5-1.8.2.ldap/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
--- krb5-1.8.2.org/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c 2009-11-25 00:52:25.000000000 +0100
+++ krb5-1.8.2.ldap/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c 2010-12-13 20:46:53.540135976 +0100
@@ -38,6 +38,8 @@
#include "ldap_service_stash.h"
#include <kdb5.h>
+#include "adm_proto.h"
+#include <syslog.h>
static krb5_error_code
krb5_validate_ldap_context(krb5_context context,
krb5_ldap_context *ldap_context)
@@ -66,6 +68,7 @@
/* Check if the returned 'password' is actually the path of a certificate */
if (!strncmp("{FILE}", (char *)password, 6)) {
+ krb5_klog_syslog(LOG_INFO, "Using certificate for password!");
/* 'password' format: <path>\0<password> */
ldap_context->service_cert_path = strdup((char *)password + strlen("{FILE}"));
if (password[strlen((char *)password) + 1] == '\0')
@@ -75,6 +78,7 @@
strlen((char *)password) + 1);
free(password);
} else {
+ krb5_klog_syslog(LOG_INFO, "Normal password !");
ldap_context->bind_pwd = (char *)password;
if (ldap_context->bind_pwd == NULL) {
st = EINVAL;
@@ -108,6 +112,7 @@
if (ldap_context->service_cert_path != NULL) {
/* Certificate based bind (SASL EXTERNAL mechanism) */
+ krb5_klog_syslog(LOG_INFO, "Using SASL EXTERNAL!");
st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
NULL, /* Authenticating dn */
@@ -128,6 +133,7 @@
}
} else {
/* password based simple bind */
+ krb5_klog_syslog(LOG_INFO, "Using normal SASL! %s - %s", ldap_context->bind_dn, ldap_context->bind_pwd);
bv.bv_val = ldap_context->bind_pwd;
bv.bv_len = strlen(ldap_context->bind_pwd);
st = ldap_sasl_bind_s(ldap_server_handle->ldap_handle,
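Review bot: The log line added just before `bv.bv_val` writes the LDAP bind password in clear text to the KDC log at LOG_INFO, so anyone who can read the log file or a syslog forwarder obtains the directory manager credential; the attached log only shows `xxxxxxx` because it appears to have been masked by hand. Log the DN only: `krb5_klog_syslog(LOG_INFO, "Using simple bind as %s", ldap_context->bind_dn);`. The wording is also misleading, since the comment on the preceding line says this branch is a password-based simple bind rather than a SASL mechanism. krb5_ldap_bind's body begins and ends outside this hunk.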
@@ -145,6 +151,7 @@
krb5_error_code st=0;
krb5_ldap_server_handle *ldap_server_handle=NULL;
+ krb5_klog_syslog(LOG_INFO, "krb5_ldap_initialize: Start!");
ldap_server_handle = calloc(1, sizeof(krb5_ldap_server_handle));
if (ldap_server_handle == NULL) {
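Review bot: The `Start!` message added above the calloc does not say which server is being contacted, so with more than one entry in `ldap_servers` the log cannot be matched to a connection. The next hunk passes `server_info->server_name` to ldap_initialize in this same function, so, assuming server_info is a parameter here, it is available to log: `krb5_klog_syslog(LOG_INFO, "krb5_ldap_initialize: connecting to %s", server_info->server_name);`. krb5_ldap_initialize's signature is above this hunk and its body continues past it.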
@@ -154,6 +161,7 @@
/* ldap init */
if ((st = ldap_initialize(&ldap_server_handle->ldap_handle, server_info->server_name)) != 0) {
+ krb5_klog_syslog(LOG_INFO, "krb5_ldap_initialize: ldap_initialize failed!");
if (ldap_context->kcontext)
krb5_set_error_message (ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR, "%s",
ldap_err2string(st));
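Review bot: The failure message added after the `ldap_initialize` check drops the reason even though `ldap_err2string(st)` is evaluated two lines later for krb5_set_error_message, and it is logged at LOG_INFO although it is an error path. Include the reason and the server, and raise the priority: `krb5_klog_syslog(LOG_ERR, "krb5_ldap_initialize: ldap_initialize(%s) failed: %s", server_info->server_name, ldap_err2string(st));`. The same applies to the `krb5_ldap_bind() != 0` line in the next hunk, where the adjacent krb5_set_error_message call appears to format the same LDAP error string. krb5_ldap_initialize begins in an earlier hunk and continues past this one.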
@@ -162,10 +170,12 @@
}
if ((st=krb5_ldap_bind(ldap_context, ldap_server_handle)) == 0) {
+ krb5_klog_syslog(LOG_INFO, "krb5_ldap_initialize: krb5_ldap_bind() == 0!");
ldap_server_handle->server_info_update_pending = FALSE;
server_info->server_status = ON;
krb5_update_ldap_handle(ldap_server_handle, server_info);
} else {
+ krb5_klog_syslog(LOG_INFO, "krb5_ldap_initialize: krb5_ldap_bind() != 0!");
if (ldap_context->kcontext)
krb5_set_error_message (ldap_context->kcontext,
KRB5_KDB_ACCESS_ERROR, "%s",
@@ -303,8 +313,10 @@
krb5_ldap_server_handle *handle = *ldap_server_handle;
if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
- || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
+ || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)) {
+ krb5_klog_syslog(LOG_INFO, "krb5_ldap_rebind: Next handle from pool");
return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
+ }
return LDAP_SUCCESS;
}
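Review bot: The message inside the new braces is emitted for both failure causes but records neither whether `ldap_initialize` or `krb5_ldap_bind` failed nor which server was being re-bound, so the attached log shows "Next handle from pool" with nothing to correlate it to. At minimum name the server: `krb5_klog_syslog(LOG_INFO, "krb5_ldap_rebind: reconnect to %s failed, requesting next handle from pool", handle->server_info->server_name);`. Splitting the `||` into two checks with their own messages would also tell a reader which call failed. krb5_ldap_rebind's signature and opening brace are above this hunk.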
diff -ur krb5-1.8.2.org/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h krb5-1.8.2.ldap/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
--- krb5-1.8.2.org/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h 2009-11-25 00:52:25.000000000 +0100
+++ krb5-1.8.2.ldap/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h 2010-12-12 23:53:07.071811666 +0100
@@ -90,7 +90,7 @@
#define GET_HANDLE() ld = NULL; \
st = krb5_ldap_request_handle_from_pool(ldap_context, &ldap_server_handle); \
if (st != 0) { \
- prepend_err_str(context, "LDAP handle unavailable: ", KRB5_KDB_ACCESS_ERROR, st); \
+ prepend_err_str(context, "GET_HANDLE: LDAP handle unavailable: ", KRB5_KDB_ACCESS_ERROR, st); \
st = KRB5_KDB_ACCESS_ERROR; \
goto cleanup; \
} \
@@ -113,7 +113,7 @@
\
if (status_check != IGNORE_STATUS) { \
if (tempst != 0) { \
- prepend_err_str(context, "LDAP handle unavailable: ", KRB5_KDB_ACCESS_ERROR, st); \
+ prepend_err_str(context, "LDAP_SEARCH: LDAP handle unavailable: ", KRB5_KDB_ACCESS_ERROR, st); \
st = KRB5_KDB_ACCESS_ERROR; \
goto cleanup; \
} \
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ST
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
ST = {
kdc = server.example:88
admin_server = mazuran.st:749
default_domain = st
database_module = ldapconf
}
[domain_realm]
.server.example = ST
server.example = ST
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[dbdefaults]
database_module = ldapconf
[dbmodules]
ldapconf = {
dbname = ldap
db_library = kldap
ldap_servers = ldaps://server.example
ldap_kerberos_container_dn = "ou=Kerberos,dc=example"
ldap_kdc_dn = "cn=Manager,dc=example"
ldap_kadmind_dn = "cn=Manager,dc=example"
ldap_service_password_file = /etc/krb5.service
ldap_conns_per_server = 2
}
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): Normal password !
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): krb5_ldap_initialize: Start!
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): Using normal SASL! cn=Manager,dc=example - xxxxxxx
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): krb5_ldap_initialize: krb5_ldap_bind() == 0!
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): krb5_ldap_initialize: Start!
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): Using normal SASL! cn=Manager,dc=example - xxxxxxx
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): krb5_ldap_initialize: krb5_ldap_bind() == 0!
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): setting up network...
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): listening on fd 7: udp 0.0.0.0.750 (pktinfo)
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): listening on fd 8: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 750
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): skipping unrecognized local address family 17
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): skipping unrecognized local address family 17
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): skipping unrecognized local address family 17
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): skipping unrecognized local address family 17
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): listening on fd 9: udp fe80::213:20ff:fe2f:d97c%eth1.750
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): listening on fd 10: udp fe80::213:20ff:fe2f:d97c%eth1.88
krb5kdc: setsockopt(11,IPV6_V6ONLY,1) worked
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): listening on fd 11: udp fe80::211:3bff:fe04:f1c5%eth0.750
krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): listening on fd 12: udp fe80::211:3bff:fe04:f1c5%eth0.88
krb5kdc: setsockopt(13,IPV6_V6ONLY,1) worked
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): listening on fd 13: udp fe80::20e:2eff:fe85:a90a%wlan0.750
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): listening on fd 14: udp fe80::20e:2eff:fe85:a90a%wlan0.88
krb5kdc: setsockopt(15,IPV6_V6ONLY,1) worked
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): listening on fd 16: tcp 0.0.0.0.88
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): listening on fd 15: tcp ::.88
Dec 26 01:33:40 stepinceva.st krb5kdc[28835](info): set up 10 sockets
Dec 26 01:33:40 stepinceva.st krb5kdc[28842](info): commencing operation
Dec 26 01:33:42 stepinceva.st krb5kdc[28842](info): Using normal SASL! cn=Manager,dc=example - xxxxxxx
Dec 26 01:33:42 stepinceva.st krb5kdc[28842](info): krb5_ldap_rebind: Next handle from pool
Dec 26 01:33:42 stepinceva.st krb5kdc[28842](info): krb5_ldap_initialize: Start!
Dec 26 01:33:42 stepinceva.st krb5kdc[28842](info): Using normal SASL! cn=Manager,dc=example - xxxxxxx
Dec 26 01:33:42 stepinceva.st krb5kdc[28842](info): krb5_ldap_initialize: krb5_ldap_bind() != 0!
Dec 26 01:33:42 stepinceva.st krb5kdc[28842](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: LOOKING_UP_CLIENT: r...@st for krbtgt/s...@st, LDAP_SEARCH: LDAP handle unavailable: Can't contact LDAP server
Dec 26 20:43:34 stepinceva.st krb5kdc[28842](info): krb5_ldap_initialize: Start!
Dec 26 20:43:34 stepinceva.st krb5kdc[28842](info): Using normal SASL! cn=Manager,dc=example - xxxxxxx
Dec 26 20:43:34 stepinceva.st krb5kdc[28842](info): krb5_ldap_initialize: krb5_ldap_bind() != 0!
Dec 26 20:43:34 stepinceva.st krb5kdc[28842](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: LOOKING_UP_CLIENT: r...@st for krbtgt/s...@st, GET_HANDLE: LDAP handle unavailable: Can't contact LDAP server