Hi,
I have strange problem with krb5 krb5-server-ldap and FC14. Tried to
resolve it myself, but I'm stuck. Strangest thing is that all of this
works perfectly with fc13, so it's not a config issue. I could not find any
major difference in krb5 from fc13 to fc14. Only thing is that libldap
from openldap-clients is compiled with mozilla nss (fc14) instead of
OpenSSL (fc13) but krb5kdc is connected to ldap servers which I
confirmed in ldap server logs, so it should not be TLS related problem.
krb5kdc binds for the first time and gets the realm-related stuff. But when I run
kinit it returns kinit: Generic error (see e-text) while getting
initial credentials.
Strangest thing is that everything works perfectly if I manually run krb5kdc
/usr/sbin/krb5kdc -r ST -P /var/run/krb5kdc.pid instead of using
initscripts.
Attached krb5.conf, patch to enhance krb5kdc debugging and log file
created with this patch included.
This may not be right list but I think that freeipa should have same
bug. Feel free to ask for more debugging or probing new patches.
Best regards,
Zoran Pericic
diff -ur krb5-1.8.2.org/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c krb5-1.8.2.ldap/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
--- krb5-1.8.2.org/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c 2009-11-25 00:52:25.0 +0100
+++ krb5-1.8.2.ldap/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c 2010-12-13 20:46:53.540135976 +0100
@@ -38,6 +38,8 @@
#include ldap_service_stash.h
#include kdb5.h
+#include adm_proto.h
+#include syslog.h
static krb5_error_code
krb5_validate_ldap_context(krb5_context context,
krb5_ldap_context *ldap_context)
@@ -66,6 +68,7 @@
/* Check if the returned 'password' is actually the path of a certificate */
if (!strncmp({FILE}, (char *)password, 6)) {
+krb5_klog_syslog(LOG_INFO, Using certificate for password!);
/* 'password' format: path\0password */
ldap_context-service_cert_path = strdup((char *)password + strlen({FILE}));
if (password[strlen((char *)password) + 1] == '\0')
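Review bot: The added `krb5_klog_syslog(LOG_INFO, ...)` call in this hunk, and the ones in the hunks that follow, log at LOG_INFO, which the KDC records under its normal logging setup, so these debugging messages will appear in routine log output rather than only while tracing the bind problem. If they are temporary instrumentation, `LOG_DEBUG` is the priority that keeps them out of ordinary logs; if they are meant to stay, they should carry something actionable such as which LDAP server is being bound to. The enclosing function krb5_validate_ldap_context starts before this hunk.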
@@ -75,6 +78,7 @@
strlen((char *)password) + 1);
free(password);
} else {
+krb5_klog_syslog(LOG_INFO, Normal password !);
ldap_context-bind_pwd = (char *)password;
if (ldap_context-bind_pwd == NULL) {
st = EINVAL;
@@ -108,6 +112,7 @@
if (ldap_context-service_cert_path != NULL) {
/* Certificate based bind (SASL EXTERNAL mechanism) */
+krb5_klog_syslog(LOG_INFO, Using SASL EXTERNAL!);
st = ldap_sasl_bind_s(ldap_server_handle-ldap_handle,
NULL,/* Authenticating dn */
@@ -128,6 +133,7 @@
}
} else {
/* password based simple bind */
+krb5_klog_syslog(LOG_INFO, Using normal SASL! %s - %s, ldap_context-bind_dn, ldap_context-bind_pwd);
bv.bv_val = ldap_context-bind_pwd;
bv.bv_len = strlen(ldap_context-bind_pwd);
st = ldap_sasl_bind_s(ldap_server_handle-ldap_handle,
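Review bot: The new `krb5_klog_syslog(LOG_INFO, "Using normal SASL! %s - %s", ...)` line writes `ldap_context->bind_pwd`, the LDAP bind password, into the KDC log, so the credential lands in syslog and in any log collection downstream in clear text. The bind DN alone is enough to confirm which bind path was taken; the second argument should be dropped, e.g. `krb5_klog_syslog(LOG_INFO, "Using normal SASL! %s", ldap_context->bind_dn);`. Even as a local debugging patch this should not be carried into a shared build without that change. The enclosing function starts before this hunk.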
@@ -145,6 +151,7 @@
krb5_error_code st=0;
krb5_ldap_server_handle *ldap_server_handle=NULL;
+krb5_klog_syslog(LOG_INFO, krb5_ldap_initialize: Start!);
ldap_server_handle = calloc(1, sizeof(krb5_ldap_server_handle));
if (ldap_server_handle == NULL) {
@@ -154,6 +161,7 @@
/* ldap init */
if ((st = ldap_initialize(ldap_server_handle-ldap_handle, server_info-server_name)) != 0) {
+krb5_klog_syslog(LOG_INFO, krb5_ldap_initialize: ldap_initialize failed!);
if (ldap_context-kcontext)
krb5_set_error_message (ldap_context-kcontext, KRB5_KDB_ACCESS_ERROR, %s,
ldap_err2string(st));
@@ -162,10 +170,12 @@
}
if ((st=krb5_ldap_bind(ldap_context, ldap_server_handle)) == 0) {
+krb5_klog_syslog(LOG_INFO, krb5_ldap_initialize: krb5_ldap_bind() == 0!);
ldap_server_handle-server_info_update_pending = FALSE;
server_info-server_status = ON;
krb5_update_ldap_handle(ldap_server_handle, server_info);
} else {
+krb5_klog_syslog(LOG_INFO, krb5_ldap_initialize: krb5_ldap_bind() != 0!);
if (ldap_context-kcontext)
krb5_set_error_message (ldap_context-kcontext,
KRB5_KDB_ACCESS_ERROR, %s,
@@ -303,8 +313,10 @@
krb5_ldap_server_handle *handle = *ldap_server_handle;
if ((ldap_initialize(handle-ldap_handle, handle-server_info-server_name) != LDAP_SUCCESS)
-|| (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
+|| (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS)) {
+krb5_klog_syslog(LOG_INFO, krb5_ldap_rebind: Next handle from pool);
return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
+}
return LDAP_SUCCESS;
}