Re: SASL pass-through fails

I figured out the problem. My krb5.keytab file somehow got corrupted on my OpenLDAP server. I just needed to delete it and recreate it. I got tipped off to the problem when I started having login issues to the server as well.

On 09/18/2016 04:30 AM, Michael Ströder wrote:
> FWIW: There's a contrib overlay to achieve this without having to use SASL
> pass-through. See directory contrib/slapd-modules/kinit/ in the source tree.
> Not sure which status this has though.
>
> Ciao, Michael.

Good to know, had no idea there was an overlay for this.

Thanks,
Joshua Schaeffer
Re: SASL pass-through fails

Joshua Schaeffer wrote:
> I've been using OpenLDAP and Kerberos for central authentication for a while
> now, but I have a couple programs that can't use GSSAPI directly and I want to
> setup SASL pass-through authentication to allow those services to use my
> Kerberos passwords, but I'm having trouble getting saslauthd to work
> correctly.

FWIW: There's a contrib overlay to achieve this without having to use SASL pass-through. See directory contrib/slapd-modules/kinit/ in the source tree. Not sure which status this has though.

Ciao, Michael.
Re: SASL pass-through fails

On 09/17/2016 02:41 PM, Joshua Schaeffer wrote:
>> Your testsaslauthd is trying to use the imap service. If you don't have an
>> imap service in your KDC, then of course it will fail.
>
> I saw that, but couldn't figure out how to change the service directly
> (Nothing in saslauthd(8) says anything about service). I'm assuming that
> "imap" is the default

Oh daah.. it's in man testsaslauthd(8) that explains about the service name. I'll play around with that, but as I showed, I couldn't get it to work with the "ldap" service either and I do have one of those.
Re: SASL pass-through fails

> Your testsaslauthd is trying to use the imap service. If you don't have an
> imap service in your KDC, then of course it will fail.

I saw that, but couldn't figure out how to change the service directly (Nothing in saslauthd(8) says anything about service). I'm assuming that "imap" is the default when using testsaslauthd. I could get it to change when I try a simple bind, but that doesn't change the result, I still get an error, and I do have a ldap service in my KDC. I also do have {SASL}jschaef...@harmonywave.com set as my userPassword.

root@baneling:~# ldapsearch -LLL -x -D "uid=jschaeffer,ou=End Users,ou=People,dc=harmonywave,dc=com" -W -b ""
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

saslauthd[1479] :do_auth : auth failure: [user=jschaeffer] [service=ldap] [realm=HARMONYWAVE.COM] [mech=kerberos5] [reason=saslauthd internal error]

kadmin: listprincs
...
ldap/baneling.harmonywave@harmonywave.com
...

Thanks,
Joshua Schaeffer
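A small diagnostic, added here as an example and not part of the thread, that parses the [key=value] fields saslauthd logs for a do_auth failure and checks the requested service and realm against a principal list in the shape of kadmin's listprincs output, which is the imap-versus-ldap mismatch this thread turns on. The log lines, host names and the EXAMPLE.COM realm are constructed; a corrupted keytab, the cause eventually found in this thread, does not show up in these fields, so the second sample passes the check and still fails.

```python
import re

# Constructed sample lines in the shape saslauthd -d prints for a do_auth
# failure (modelled on the thread, with example.com names substituted).
SASLAUTHD_LOG = """\
saslauthd[1122] :do_auth : auth failure: [user=jschaeffer@EXAMPLE.COM] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
saslauthd[1479] :do_auth : auth failure: [user=jschaeffer] [service=ldap] [realm=EXAMPLE.COM] [mech=kerberos5] [reason=saslauthd internal error]
"""

# Constructed principal list in the shape of 'kadmin: listprincs' output.
PRINCIPALS = """\
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldap/baneling.example.com@EXAMPLE.COM
jschaeffer@EXAMPLE.COM
"""

FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_failures(log):
    """Return one dict of [key=value] fields per do_auth failure line."""
    return [dict(FIELD_RE.findall(line))
            for line in log.splitlines()
            if ":do_auth" in line and "auth failure" in line]


def service_principals(listprincs):
    """Map (service, REALM) -> service principals present in the KDC."""
    found = {}
    for princ in listprincs.split():
        name, _, realm = princ.rpartition("@")
        service, slash, _host = name.partition("/")
        if slash:  # only service/host@REALM entries, not user principals
            found.setdefault((service, realm), []).append(princ)
    return found


def diagnose(failure, principals, default_realm):
    """Explain a saslauthd kerberos5 failure from the fields it logged."""
    notes = []
    realm = failure.get("realm", "")
    user = failure.get("user", "")
    if not realm:
        # No realm passed to saslauthd: the realm in the user string, or
        # else the krb5 default realm, is what the KDC will be asked about.
        realm = user.rpartition("@")[2] if "@" in user else default_realm
        notes.append("no realm given; assuming %s" % realm)
    service = failure.get("service", "")
    if (service, realm) not in principals:
        notes.append("no %s/<host>@%s service principal in the KDC" % (service, realm))
    return notes
```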
Re: SASL pass-through fails

Joshua Schaeffer wrote:
> Hey all,
>
> I've been using OpenLDAP and Kerberos for central authentication for a while
> now, but I have a couple programs that can't use GSSAPI directly and I want to
> setup SASL pass-through authentication to allow those services to use my
> Kerberos passwords, but I'm having trouble getting saslauthd to work
> correctly. I can authenticate as myself using GSSAPI without any issue:
>
> jschaeffer@zipmaster07 ~/Downloads $ ldapwhoami
> SASL/GSSAPI authentication started
> SASL username: jschaef...@harmonywave.com
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=com
>
> But whenever I run the testsaslauthd command I can't get a successful
> authentication:
>
> root@baneling:~# testsaslauthd -u jschaef...@harmonywave.com -p
> 0: NO "authentication failed"
>
> When I debug the saslauthd daemon all I get is this:
>
> root@baneling:~# saslauthd -a kerberos5 -m /var/run/saslauthd -n 5 -d
> saslauthd[1121] :main: num_procs : 5
> saslauthd[1121] :main: mech_option: NULL
> saslauthd[1121] :main: run_path : /var/run/saslauthd
> saslauthd[1121] :main: auth_mech : kerberos5
> saslauthd[1121] :ipc_init: using accept lock file: /var/run/saslauthd/mux.accept
> saslauthd[1121] :detach_tty : master pid is: 0
> saslauthd[1121] :ipc_init: listening on socket: /var/run/saslauthd/mux
> saslauthd[1121] :main: using process model
> saslauthd[1121] :have_baby : forked child: 1122
> saslauthd[1122] :get_accept_lock : acquired accept lock
> saslauthd[1121] :have_baby : forked child: 1123
> saslauthd[1121] :have_baby : forked child: 1124
> saslauthd[1121] :have_baby : forked child: 1125
> saslauthd[1122] :rel_accept_lock : released accept lock
> saslauthd[1124] :get_accept_lock : acquired accept lock
> saslauthd[1122] :do_auth : auth failure: [user=jschaef...@harmonywave.com] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
>
> Kinda at a loss at what else I should look at. Any tips would be appreciated.

Your testsaslauthd is trying to use the imap service. If you don't have an imap service in your KDC, then of course it will fail.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: SASL pass-through fails

On 09/17/2016 03:38 PM, Joshua Schaeffer wrote:
> Hey all,
>
> I've been using OpenLDAP and Kerberos for central authentication for a while
> now, but I have a couple programs that can't use GSSAPI directly and I want to
> setup SASL pass-through authentication to allow those services to use my
> Kerberos passwords, but I'm having trouble getting saslauthd to work
> correctly. I can authenticate as myself using GSSAPI without any issue:
>
> jschaeffer@zipmaster07 ~/Downloads $ ldapwhoami
> SASL/GSSAPI authentication started
> SASL username: jschaef...@harmonywave.com
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=com
>
> But whenever I run the testsaslauthd command I can't get a successful
> authentication:
>
> root@baneling:~# testsaslauthd -u jschaef...@harmonywave.com -p
> 0: NO "authentication failed"
>
> Here are my SASL settings:
>
> root@baneling:~# cat /etc/default/saslauthd | grep -v '^$\|^\s*\#'
> START=yes
> DESC="SASL Authentication Daemon"
> NAME="saslauthd"
> MECHANISMS="kerberos5"
> MECH_OPTIONS=""
> THREADS=5
> OPTIONS="-c -m /var/run/saslauthd"
>
> root@baneling:~# cat /etc/ldap/sasl2/slapd.conf
> pwcheck_method:saslauthd
> saslauthd_path:/var/run/saslauthd/mux
>
> I can see my saslauthd socket listening and what I find really odd is that I
> can see a successful authentication attempt from Kerberos's logs:
>
> root@baneling:~# netstat -a I | grep sasl
> unix 2 [ ACC ] STREAM LISTENING 25552431 /var/run/saslauthd/mux
>
> I get this immediately after issuing the testsaslauthd command:
>
> Sep 17 13:09:13 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.30.18: NEEDED_PREAUTH: jschaef...@harmonywave.com for krbtgt/harmonywave@harmonywave.com, Additional pre-authentication required
> Sep 17 13:09:13 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.30.18: ISSUE: authtime 1474139353, etypes {rep=18 tkt=18 ses=18}, jschaef...@harmonywave.com for krbtgt/harmonywave@harmonywave.com
>
> You can also see it in the slapd logs:
>
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=jschaef...@harmonywave.com))"
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/harmonywave@harmonywave.com))"
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SRCH base="cn=default,cn=HARMONYWAVE.COM,cn=krbContainer,dc=harmonywave,dc=com" scope=0 deref=0 filter="(objectClass=krbPwdPolicy)"
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SRCH attr=cn krbmaxpwdlife krbminpwdlife krbpwdmindiffchars krbpwdminlength krbpwdhistorylength krbpwdmaxfailure krbpwdfailurecountinterval krbpwdlockoutduration krbpwdattributes krbpwdmaxlife krbpwdmaxrenewablelife krbpwdallowedkeysalts
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=jschaef...@harmonywave.com))"
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002
SASL pass-through fails
Hey all,

I've been using OpenLDAP and Kerberos for central authentication for a while now, but I have a couple programs that can't use GSSAPI directly and I want to setup SASL pass-through authentication to allow those services to use my Kerberos passwords, but I'm having trouble getting saslauthd to work correctly. I can authenticate as myself using GSSAPI without any issue:

jschaeffer@zipmaster07 ~/Downloads $ ldapwhoami
SASL/GSSAPI authentication started
SASL username: jschaef...@harmonywave.com
SASL SSF: 56
SASL data security layer installed.
dn:uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=com

But whenever I run the testsaslauthd command I can't get a successful authentication:

root@baneling:~# testsaslauthd -u jschaef...@harmonywave.com -p
0: NO "authentication failed"

Here are my SASL settings:

root@baneling:~# cat /etc/default/saslauthd | grep -v '^$\|^\s*\#'
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"

root@baneling:~# cat /etc/ldap/sasl2/slapd.conf
pwcheck_method:saslauthd
saslauthd_path:/var/run/saslauthd/mux

I can see my saslauthd socket listening and what I find really odd is that I can see a successful authentication attempt from Kerberos's logs:

root@baneling:~# netstat -a I | grep sasl
unix 2 [ ACC ] STREAM LISTENING 25552431 /var/run/saslauthd/mux

I get this immediately after issuing the testsaslauthd command:

Sep 17 13:09:13 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.30.18: NEEDED_PREAUTH: jschaef...@harmonywave.com for krbtgt/harmonywave@harmonywave.com, Additional pre-authentication required
Sep 17 13:09:13 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.30.18: ISSUE: authtime 1474139353, etypes {rep=18 tkt=18 ses=18}, jschaef...@harmonywave.com for krbtgt/harmonywave@harmonywave.com

You can also see it in the slapd logs:

Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=jschaef...@harmonywave.com))"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/harmonywave@harmonywave.com))"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SRCH base="cn=default,cn=HARMONYWAVE.COM,cn=krbContainer,dc=harmonywave,dc=com" scope=0 deref=0 filter="(objectClass=krbPwdPolicy)"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SRCH attr=cn krbmaxpwdlife krbminpwdlife krbpwdmindiffchars krbpwdminlength krbpwdhistorylength krbpwdmaxfailure krbpwdfailurecountinterval krbpwdlockoutduration krbpwdattributes krbpwdmaxlife krbpwdmaxrenewablelife krbpwdallowedkeysalts
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=jschaef...@harmonywave.com))"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=201 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0