Re: SASL pass-through fails

2016-09-18 Thread Joshua Schaeffer

I figured out the problem. My krb5.keytab file somehow got corrupted on my
OpenLDAP server. I just needed to delete it and recreate it. I got tipped off
to the problem when I started having login issues to the server as well.


On 09/18/2016 04:30 AM, Michael Ströder wrote:
> FWIW: There's a contrib overlay to achieve this without having to use SASL
> pass-through. See directory contrib/slapd-modules/kinit/ in the source tree.
>
> Not sure which status this has though.
>
> Ciao, Michael.




Good to know, had no idea there was an overlay for this.

Thanks,
Joshua Schaeffer


Re: SASL pass-through fails

2016-09-18 Thread Michael Ströder
Joshua Schaeffer wrote:
> I've been using OpenLDAP and Kerberos for central authentication for a while
> now, but I have a couple programs that can't use GSSAPI directly and I want to
> setup SASL pass-through authentication to allow those services to use my
> Kerberos passwords, but I'm having trouble getting saslauthd to work 
> correctly.

FWIW: There's a contrib overlay to achieve this without having to use SASL
pass-through. See directory contrib/slapd-modules/kinit/ in the source tree.

Not sure which status this has though.

Ciao, Michael.






Re: SASL pass-through fails

2016-09-17 Thread Joshua Schaeffer



On 09/17/2016 02:41 PM, Joshua Schaeffer wrote:
>> Your testsaslauthd is trying to use the imap service. If you don't have an imap
>> service in your KDC, then of course it will fail.
>
> I saw that, but couldn't figure out how to change the service directly (nothing in
> saslauthd(8) says anything about the service). I'm assuming that "imap" is the
> default


Oh daah.. it's in man testsaslauthd(8), which explains the service name. I'll play
around with that, but as I showed, I couldn't get it to work with the "ldap"
service either, and I do have one of those.


Re: SASL pass-through fails

2016-09-17 Thread Joshua Schaeffer



> Your testsaslauthd is trying to use the imap service. If you don't have an imap
> service in your KDC, then of course it will fail.



I saw that, but couldn't figure out how to change the service directly (nothing in
saslauthd(8) says anything about the service). I'm assuming that "imap" is the
default when using testsaslauthd. I could get it to change when I try a simple bind, but
that doesn't change the result: I still get an error, and I do have an ldap service in my
KDC. I also do have {SASL}jschaef...@harmonywave.com set as my userPassword.

root@baneling:~# ldapsearch -LLL -x -D "uid=jschaeffer,ou=End 
Users,ou=People,dc=harmonywave,dc=com" -W -b ""
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

saslauthd[1479] :do_auth : auth failure: [user=jschaeffer] 
[service=ldap] [realm=HARMONYWAVE.COM] [mech=kerberos5] [reason=saslauthd 
internal error]

kadmin: listprincs
...
ldap/baneling.harmonywave@harmonywave.com
...

Thanks,
Joshua Schaeffer


Re: SASL pass-through fails

2016-09-17 Thread Howard Chu

Joshua Schaeffer wrote:
> Hey all,
>
> I've been using OpenLDAP and Kerberos for central authentication for a while
> now, but I have a couple programs that can't use GSSAPI directly and I want to
> setup SASL pass-through authentication to allow those services to use my
> Kerberos passwords, but I'm having trouble getting saslauthd to work correctly.
>
> I can authenticate as myself using GSSAPI without any issue:
>
> jschaeffer@zipmaster07 ~/Downloads $ ldapwhoami
> SASL/GSSAPI authentication started
> SASL username: jschaef...@harmonywave.com
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=com
>
> But whenever I run the testsaslauthd command I can't get a successful
> authentication:
>
> root@baneling:~# testsaslauthd -u jschaef...@harmonywave.com -p
> 0: NO "authentication failed"
>
> When I debug the saslauthd daemon all I get is this:
>
> root@baneling:~# saslauthd -a kerberos5 -m /var/run/saslauthd -n 5 -d
> saslauthd[1121] :main: num_procs  : 5
> saslauthd[1121] :main: mech_option: NULL
> saslauthd[1121] :main: run_path   : /var/run/saslauthd
> saslauthd[1121] :main: auth_mech  : kerberos5
> saslauthd[1121] :ipc_init: using accept lock file:
> /var/run/saslauthd/mux.accept
> saslauthd[1121] :detach_tty  : master pid is: 0
> saslauthd[1121] :ipc_init: listening on socket: /var/run/saslauthd/mux
> saslauthd[1121] :main: using process model
> saslauthd[1121] :have_baby   : forked child: 1122
> saslauthd[1122] :get_accept_lock : acquired accept lock
> saslauthd[1121] :have_baby   : forked child: 1123
> saslauthd[1121] :have_baby   : forked child: 1124
> saslauthd[1121] :have_baby   : forked child: 1125
> saslauthd[1122] :rel_accept_lock : released accept lock
> saslauthd[1124] :get_accept_lock : acquired accept lock
> saslauthd[1122] :do_auth : auth failure:
> [user=jschaef...@harmonywave.com] [service=imap] [realm=] [mech=kerberos5]
> [reason=saslauthd internal error]
>
> Kinda at a loss at what else I should look at. Any tips would be appreciated.


Your testsaslauthd is trying to use the imap service. If you don't have an 
imap service in your KDC, then of course it will fail.




--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
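An added diagnostic, not code from this thread or from Cyrus SASL, that applies the two checks the thread ends up with: it parses saslauthd -d failure lines in the format shown above, looks up the reported service in a `klist -kt` style keytab listing, flags a service that has no keytab entry (Howard's point), and otherwise points at the keytab itself (which turned out to be the actual cause here). The log lines, the keytab layout and the principal names are constructed sample input.

```python
import re

# Constructed sample input: two saslauthd -d failure lines in the format seen in
# the thread, plus a keytab listing in the layout `klist -kt` prints (assumed).
# The keytab has an 'ldap' key but no 'imap' key.
SASLAUTHD_LOG = """\
saslauthd[1122] :do_auth : auth failure: [user=jschaeffer] [service=imap] [realm=HARMONYWAVE.COM] [mech=kerberos5] [reason=saslauthd internal error]
saslauthd[1479] :do_auth : auth failure: [user=jschaeffer] [service=ldap] [realm=HARMONYWAVE.COM] [mech=kerberos5] [reason=saslauthd internal error]
saslauthd[1479] :ipc_init: listening on socket: /var/run/saslauthd/mux
"""

KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   3 09/10/2016 10:02:11 host/baneling.harmonywave.com@HARMONYWAVE.COM
   3 09/10/2016 10:02:11 ldap/baneling.harmonywave.com@HARMONYWAVE.COM
"""

FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")
# KVNO, date, time, then service/host@REALM
KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+([^/@\s]+)/([^@\s]+)@(\S+)$")


def parse_failure(line):
    """Return the [key=value] fields of a saslauthd do_auth failure line, else None."""
    if "do_auth" not in line or "auth failure" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def keytab_services(listing):
    """Map service name -> set of realms for which the keytab holds a key."""
    services = {}
    for line in listing.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            services.setdefault(m.group(1), set()).add(m.group(3))
    return services


def diagnose(log, listing):
    """Classify each failure as 'missing' (no key for that service/realm in the
    keytab) or 'present' (keyed, yet still failing: suspect the keytab itself)."""
    have = keytab_services(listing)
    findings = []
    for line in log.splitlines():
        fields = parse_failure(line)
        if fields is None:
            continue
        svc, realm = fields.get("service", ""), fields.get("realm", "")
        if svc not in have or (realm and realm not in have[svc]):
            findings.append((svc, "missing", "keytab has no %s/ key for realm %r; test with a keyed service (testsaslauthd -s)" % (svc, realm)))
        else:
            findings.append((svc, "present", "keytab has %s/ but verification still fails; check keytab integrity and KVNO (kinit -kt, kvno)" % svc))
    return findings
```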



Re: SASL pass-through fails

2016-09-17 Thread Brendan Kearney

On 09/17/2016 03:38 PM, Joshua Schaeffer wrote:
> Hey all,
>
> I've been using OpenLDAP and Kerberos for central authentication for a
> while now, but I have a couple programs that can't use GSSAPI directly
> and I want to setup SASL pass-through authentication to allow those
> services to use my Kerberos passwords, but I'm having trouble getting
> saslauthd to work correctly.
>
> I can authenticate as myself using GSSAPI without any issue:
>
> jschaeffer@zipmaster07 ~/Downloads $ ldapwhoami
> SASL/GSSAPI authentication started
> SASL username: jschaef...@harmonywave.com
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=com
>
> But whenever I run the testsaslauthd command I can't get a successful
> authentication:
>
> root@baneling:~# testsaslauthd -u jschaef...@harmonywave.com -p
> 0: NO "authentication failed"
>
> Here are my SASL settings:
>
> root@baneling:~# cat /etc/default/saslauthd | grep -v '^$\|^\s*\#'
> START=yes
> DESC="SASL Authentication Daemon"
> NAME="saslauthd"
> MECHANISMS="kerberos5"
> MECH_OPTIONS=""
> THREADS=5
> OPTIONS="-c -m /var/run/saslauthd"
>
> root@baneling:~# cat /etc/ldap/sasl2/slapd.conf
> pwcheck_method:saslauthd
> saslauthd_path:/var/run/saslauthd/mux
>
> I can see my saslauthd socket listening and what I find really odd is
> that I can see a successful authentication attempt from Kerberos's logs:
>
> root@baneling:~# netstat -a I | grep sasl
> unix  2  [ ACC ] STREAM LISTENING 25552431
> /var/run/saslauthd/mux
>
> I get this immediately after issuing the testsaslauthd command:
>
> Sep 17 13:09:13 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.30.18: NEEDED_PREAUTH: jschaef...@harmonywave.com
> for krbtgt/harmonywave@harmonywave.com, Additional
> pre-authentication required
> Sep 17 13:09:13 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.30.18: ISSUE: authtime 1474139353, etypes {rep=18
> tkt=18 ses=18}, jschaef...@harmonywave.com for
> krbtgt/harmonywave@harmonywave.com
>
> You can also see it in the slapd logs:
>
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SRCH
> base="dc=harmonywave,dc=com" scope=2 deref=0
> filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=jschaef...@harmonywave.com))"
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SRCH
> attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey
> krbmaxrenewableage krbmaxticketlife krbticketflags
> krbprincipalexpiration krbticketpolicyreference krbUpEnabled
> krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
> krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange
> krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SRCH
> base="dc=harmonywave,dc=com" scope=2 deref=0
> filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/harmonywave@harmonywave.com))"
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SRCH
> attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey
> krbmaxrenewableage krbmaxticketlife krbticketflags
> krbprincipalexpiration krbticketpolicyreference krbUpEnabled
> krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
> krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange
> krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SRCH
> base="cn=default,cn=HARMONYWAVE.COM,cn=krbContainer,dc=harmonywave,dc=com"
> scope=0 deref=0 filter="(objectClass=krbPwdPolicy)"
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SRCH attr=cn
> krbmaxpwdlife krbminpwdlife krbpwdmindiffchars krbpwdminlength
> krbpwdhistorylength krbpwdmaxfailure krbpwdfailurecountinterval
> krbpwdlockoutduration krbpwdattributes krbpwdmaxlife
> krbpwdmaxrenewablelife krbpwdallowedkeysalts
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SRCH
> base="dc=harmonywave,dc=com" scope=2 deref=0
> filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=jschaef...@harmonywave.com))"
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SRCH
> attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey
> krbmaxrenewableage krbmaxticketlife krbticketflags
> krbprincipalexpiration krbticketpolicyreference krbUpEnabled
> krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
> krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange
> krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Sep 17 13:10:27 baneling slapd[2166]: conn=1002 

SASL pass-through fails

2016-09-17 Thread Joshua Schaeffer

Hey all,

I've been using OpenLDAP and Kerberos for central authentication for a while 
now, but I have a couple programs that can't use GSSAPI directly and I want to 
setup SASL pass-through authentication to allow those services to use my 
Kerberos passwords, but I'm having trouble getting saslauthd to work correctly.

I can authenticate as myself using GSSAPI without any issue:

jschaeffer@zipmaster07 ~/Downloads $ ldapwhoami
SASL/GSSAPI authentication started
SASL username: jschaef...@harmonywave.com
SASL SSF: 56
SASL data security layer installed.
dn:uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=com

But whenever I run the testsaslauthd command I can't get a successful 
authentication:

root@baneling:~# testsaslauthd -u jschaef...@harmonywave.com -p 
0: NO "authentication failed"

Here are my SASL settings:

root@baneling:~# cat /etc/default/saslauthd | grep -v '^$\|^\s*\#'
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"

root@baneling:~# cat /etc/ldap/sasl2/slapd.conf
pwcheck_method:saslauthd
saslauthd_path:/var/run/saslauthd/mux

I can see my saslauthd socket listening and what I find really odd is that I 
can see a successful authentication attempt from Kerberos's logs:

root@baneling:~# netstat -a I | grep sasl
unix  2  [ ACC ] STREAM LISTENING 25552431 
/var/run/saslauthd/mux

I get this immediately after issuing the testsaslauthd command:

Sep 17 13:09:13 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 
26}) 10.1.30.18: NEEDED_PREAUTH: jschaef...@harmonywave.com for 
krbtgt/harmonywave@harmonywave.com, Additional pre-authentication required
Sep 17 13:09:13 immortal krb5kdc[1210](info): AS_REQ (6 etypes {18 17 16 23 25 
26}) 10.1.30.18: ISSUE: authtime 1474139353, etypes {rep=18 tkt=18 ses=18}, 
jschaef...@harmonywave.com for krbtgt/harmonywave@harmonywave.com

You can also see it in the slapd logs:

Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SRCH base="dc=harmonywave,dc=com" 
scope=2 deref=0 
filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=jschaef...@harmonywave.com))"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SRCH 
attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey 
krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration 
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference 
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount 
krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData 
krbObjectReferences krbAllowedToDelegateTo
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=197 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SRCH base="dc=harmonywave,dc=com" 
scope=2 deref=0 
filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/harmonywave@harmonywave.com))"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SRCH 
attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey 
krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration 
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference 
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount 
krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData 
krbObjectReferences krbAllowedToDelegateTo
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=198 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SRCH 
base="cn=default,cn=HARMONYWAVE.COM,cn=krbContainer,dc=harmonywave,dc=com" scope=0 
deref=0 filter="(objectClass=krbPwdPolicy)"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SRCH attr=cn 
krbmaxpwdlife krbminpwdlife krbpwdmindiffchars krbpwdminlength 
krbpwdhistorylength krbpwdmaxfailure krbpwdfailurecountinterval 
krbpwdlockoutduration krbpwdattributes krbpwdmaxlife krbpwdmaxrenewablelife 
krbpwdallowedkeysalts
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=199 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SRCH base="dc=harmonywave,dc=com" 
scope=2 deref=0 
filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=jschaef...@harmonywave.com))"
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SRCH 
attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey 
krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration 
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference 
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount 
krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData 
krbObjectReferences krbAllowedToDelegateTo
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=200 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Sep 17 13:10:27 baneling slapd[2166]: conn=1002 op=201 SRCH base="dc=harmonywave,dc=com" 
scope=2 deref=0