10-04-2010, 04:12 PM
Matt Carey
GSSAPI authentication to Directory Server

I'm trying to follow the Kerberos howto guide at http://directory.fedoraproject.org/wiki/Howto:Kerberos but am having an issue authenticating to the Directory Server with GSSAPI/Kerberos tickets:
$ /usr/lib/mozldap/ldapsearch -h station1.example.com -p 389 -o mech=GSSAPI -o authid="mcarey@STATION1.EXAMPLE.COM" -o authzid="mcarey@STATION1.EXAMPLE.COM" -b "dc=example,dc=com" "(cn=*)"
Bind Error: Invalid credentials
Bind Error: additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

Attempt with OpenLDAP client:
$ /usr/bin/ldapsearch -Y GSSAPI -X u:mcarey -b "" -s base -LLL -H ldap://station1.example.com -b "dc=example,dc=com"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

Resulting in the following entries in the access log on the DS:
# tail -5 access
[04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from to
[04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND
[04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1

From what I can tell the Kerberos infrastructure and OS components are set up accordingly:
GSSAPI is a viable SASL mechanism:
$ /usr/lib/mozldap/ldapsearch -b "" -h station1 -p 389 -s base "(objectClass=*)" supportedSASLMechanisms
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: PLAIN

Directory Server keytab and contents:
# grep "nsslapd-localuser" dse.ldif
nsslapd-localuser: nobody
# ls -la ds.keytab
-rw------- 1 nobody nobody 172 Oct  3 13:21 ds.keytab
# ktutil
ktutil:  rkt ./ds.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 ldap/station1.example.com@STATION1.EXAMPLE.COM
   2    3 ldap/station1.example.com@STATION1.EXAMPLE.COM
# grep KRB /etc/sysconfig/dirsrv
KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME

SASL maps in Directory Server:
dn: cn=Kerberos uid
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos uid mapping
nsSaslMapRegexString: (.*)@(.*).(.*)
nsSaslMapBaseDNTemplate: dc=2,dc=3
nsSaslMapFilterTemplate: (uid=1)

dn: cn=Station1 Kerberos Mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: Station1 Kerberos Mapping
nsSaslMapRegexString: (.*)@STATATION1.EXAMPLE.COM
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
nsSaslMapBaseDNTemplate: uid=1,ou=People,dc=example,dc=com

dn: cn=station1 map,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: example map
cn: station1 map
nsSaslMapRegexString: (.*)
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=1)

Getting a ticket from the KDC:
[mcarey@station1 ~]$ kdestroy
[mcarey@station1 ~]$ kinit
Password for
[mcarey@station1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20
Default principal: mcarey@STATION1.EXAMPLE.COM
Valid starting     Expires            Service principal
10/04/10 10:57:20  10/04/10 17:37:20  krbtgt/STATION1.EXAMPLE.COM@STATION1.EXAMPLE.COM
Kerberos 4 ticket cache: /tmp/tkt5000
klist: You have no tickets cached

Any help or pointers people have would be greatly appreciated.
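As an added illustration (not code from the post above or from 389 Directory Server), the following Python evaluates each nsSaslMapping quoted in the post against the principal shown in the klist output, which is what the server does to turn an authenticated SASL identity into a search base and filter for the bind DN. It assumes the templates use the server's `\N` backreference syntax and an anchored regex match, and it does not model the order in which the server tries its mappings. It also evaluates one constructed variant of the first mapping with the dot escaped, to show how the resulting base DN changes. This mapping step only runs after the GSSAPI exchange has completed, so it sits downstream of the gss_accept_sec_context failure in the error output; the keytab, principal and hostname checks belong to that earlier stage.

```python
import re

# Constructed copies of the three nsSaslMapping entries quoted in the post.
# Assumption: templates use the 389 DS "\N" backreference syntax for regex groups.
MAPPINGS = [
    {
        "cn": "Kerberos uid mapping",
        "regex": r"(.*)@(.*).(.*)",          # unescaped dot, as in the post
        "base": r"dc=\2,dc=\3",
        "filter": r"(uid=\1)",
    },
    {
        "cn": "Station1 Kerberos Mapping",
        "regex": r"(.*)@STATATION1.EXAMPLE.COM",
        "base": r"uid=\1,ou=People,dc=example,dc=com",
        "filter": r"(objectclass=inetOrgPerson)",
    },
    {
        "cn": "station1 map",
        "regex": r"(.*)",
        "base": r"ou=People,dc=example,dc=com",
        "filter": r"(cn=\1)",
    },
]

# Constructed variant (not from the post): same first mapping with the dot escaped.
ESCAPED_DOT_VARIANT = {
    "cn": "Kerberos uid mapping (escaped dot, constructed)",
    "regex": r"(.*)@(.*)\.(.*)",
    "base": r"dc=\2,dc=\3",
    "filter": r"(uid=\1)",
}

BACKREF = re.compile(r"\\(\d)")


def expand(template, match):
    """Replace every \\N placeholder in a template with the N-th captured group."""
    def group(m):
        idx = int(m.group(1))
        if idx == 0 or idx > match.re.groups:
            return ""            # placeholder with no corresponding group
        return match.group(idx) or ""
    return BACKREF.sub(group, template)


def apply_mapping(mapping, authid):
    """Return (base_dn, filter) produced by one mapping, or None if its regex does not match.

    Assumption: the regex is matched against the whole identity (anchored).
    """
    match = re.fullmatch(mapping["regex"], authid)
    if match is None:
        return None
    return expand(mapping["base"], match), expand(mapping["filter"], match)


def evaluate_all(authid, mappings=MAPPINGS):
    """Evaluate every mapping against authid; returns {cn: (base, filter) or None}.

    Mapping order/priority is deliberately not modelled here.
    """
    return {m["cn"]: apply_mapping(m, authid) for m in mappings}


if __name__ == "__main__":
    principal = "mcarey@STATION1.EXAMPLE.COM"   # principal from the post's klist output
    for name, result in evaluate_all(principal, MAPPINGS + [ESCAPED_DOT_VARIANT]).items():
        if result is None:
            print(f"{name}: no match")
        else:
            base, flt = result
            print(f"{name}: base={base!r} filter={flt!r}")
```

Running it prints, for each mapping, the base DN and filter the server would search with for that principal, or "no match" when the regex does not apply; comparing those against the actual location of the user entry (uid=mcarey under ou=People,dc=example,dc=com) is the quickest way to tell whether a bind that passes GSSAPI would then be rejected at the mapping step.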

