Linux Archive


"Edward Z. Yang" 05-30-2012 04:54 AM

GSSAPI authentication between 1.2.10 and 1.2.11
 
Hello all,

We are trying to set up GSSAPI SASL authentication using Kerberos keytabs
between 389-ds 1.2.10.6 (on Fedora 15) and 1.2.11.4 (on Fedora 17).
However, we are getting an unspecified GSSAPI error. Are there
any known bugs / changes that could possibly cause this to happen?

Edward
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Mark Reynolds 05-30-2012 08:30 PM

GSSAPI authentication between 1.2.10 and 1.2.11
 
Edward,

What is the error you are getting?

Mark


--
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
mreynolds@redhat.com


"Edward Z. Yang" 05-30-2012 10:20 PM

GSSAPI authentication between 1.2.10 and 1.2.11
 
We haven't been able to get anything more specific than err=49.

Edward


Mark Reynolds 05-30-2012 10:42 PM

GSSAPI authentication between 1.2.10 and 1.2.11
 
Are you using ldapsearch?

Anyway, double check these settings:

[1] /etc/sysconfig/dirsrv-INSTANCE

Make sure that KRB5_KTNAME points to the correct keytab file!!

[2] Check your DS mappings in the dse.ldif (you can only edit this
file when the server is stopped)

Make sure the nsSaslMapBaseDNTemplate attr points to your correct DIT
name (dc=company,dc=com, etc.)

dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: o=testsasl.com

dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: o=testsasl.com

dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: o=testsasl.com

dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: o=testsasl.com

[3] Make sure /etc/krb5.conf is configured correctly

[4] If this fails, stop slapd, edit dse.ldif and add
"nsslapd-errorlog-level: 1" to the cn=config entry


-> then reproduce the error, and send me the error log. Then you can
unset that attribute, as it will significantly degrade performance.


There are a lot of other factors, like are your keytabs correct? Is DNS
correctly working? Etc.


Mark

--
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
mreynolds@redhat.com


"Edward Z. Yang" 06-01-2012 03:07 AM

GSSAPI authentication between 1.2.10 and 1.2.11
 
Hello Mark,

It looks like with the systemd-ification of meant specifying
KRB5_KTNAME in /etc/sysconfig/dirsrv no longer works; when
I moved the environment variable to /etc/sysconfig/dirsrv-scripts
it started working. This is probably a bug; I'll make sure I
diagnosed this correctly and then file a report.

If dirsrv could add a log message saying something to the effect
of "using Kerberos keytab at ..." that would probably be great :-)

Edward
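
A diagnostic for the failure traced in this thread, as an added example that is not part of the original posts or of 389-ds: it reads the environment of the running server process and reports which sysconfig file's KRB5_KTNAME is actually in effect. The function names are hypothetical, and the process name ns-slapd and the /proc layout are assumptions about the host; the sysconfig paths are the ones named in the thread.

```shell
#!/bin/sh
# Added diagnostic sketch, not part of 389-ds. Function names are hypothetical.

# Print variable $2 from a NUL-separated environ file $1 (the format of
# /proc/<pid>/environ). Returns 1 when the variable is absent.
env_lookup() {
    tr '\000' '\n' < "$1" | awk -v k="$2" '
        index($0, k "=") == 1 { print substr($0, length(k) + 2); found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Print the last uncommented assignment of variable $2 in sysconfig file $1.
# Handles "export VAR=val", quoted values and "VAR=val ; export VAR".
sysconfig_lookup() {
    sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}'"$2"'=\([^;#[:space:]]*\).*/\2/p' "$1" |
        tr -d "\"'" | tail -n 1
}

# $1 = environ file of the server process, remaining args = sysconfig files.
# Succeeds only if the process has KRB5_KTNAME set to a readable keytab.
check_ktname() {
    envfile=$1; shift
    if live=$(env_lookup "$envfile" KRB5_KTNAME); then
        echo "process: KRB5_KTNAME=$live"
    else
        echo "process: KRB5_KTNAME not set, the Kerberos default keytab is used"
        live=
    fi
    for f in "$@"; do
        [ -r "$f" ] || continue
        conf=$(sysconfig_lookup "$f" KRB5_KTNAME)
        [ -n "$conf" ] || continue
        if [ "$conf" = "$live" ]; then
            echo "$f: $conf (in effect)"
        else
            echo "$f: $conf (NOT in effect)"
        fi
    done
    [ -n "$live" ] && [ -r "$live" ]
}

# Usage: sh check_ktname.sh "$(pgrep -o -x ns-slapd)"
if [ -n "${1:-}" ]; then
    check_ktname "/proc/$1/environ" /etc/sysconfig/dirsrv /etc/sysconfig/dirsrv-*
fi
```

The readability test applies to the invoking user, so running it as the account the server runs under also validates the keytab's file permissions.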