Old 02-04-2011, 07:32 PM
"Trever L. Adams"
 
LDAP/SASL/GSSAPI

Hello everyone,

I am having some difficulty. I am using dovecot. I have it working with
LDAP as the backend for userdb. Unfortunately, the LDAP I am using is
now requiring SASL binds (GSSAPI/Kerberos is what I am going for).

Dovecot uses OpenLDAP/Cyrus SASL (at least in Fedora). I can't seem to
be able to convince it to use a keytab with service principals. It keeps
trying to look in a KRB5CCNAME cache file or the standard one for each
user. This is fine, other than I am not sure how to get a non-expiring
ticket that way.

So, this is all LDAP client, not server.

Anyone have any ideas?

Thank you,
Trever
--
"A citizen of America will cross the ocean to fight for democracy, but
won't cross the street to vote in a national election." -- Bill Vaughan


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 02-10-2011, 05:45 PM
Stephen Gallagher
 
LDAP/SASL/GSSAPI


On 02/04/2011 03:32 PM, Trever L. Adams wrote:
> Hello everyone,
>
> I am having some difficulty. I am using dovecot. I have it working with
> LDAP as the backend for userdb. Unfortunately, the LDAP I am using is
> now requiring SASL binds (GSSAPI/Kerberos is what I am going for).
>
> Dovecot uses OpenLDAP/Cyrus SASL (at least in Fedora). I can't seem to
> be able to convince it to use a keytab with service principals. It keeps
> trying to look in a KRB5CCNAME cache file or the standard one for each
> user. This is fine, other than I am not sure how to get a non-expiring
> ticket that way.
>
> So, this is all LDAP client, not server.
>
> Anyone have any ideas?


There's really no such thing as a non-expiring ticket. You always need
to re-authenticate periodically to get a new ticket. Many deployments
allow tickets to be "renewable", however. This means you can use your
existing TGT to authenticate to get the new ticket (during the renewal
period).

If you are using SSSD 1.5 or later to authenticate users through
Kerberos, there is a built-in functionality to enable auto-renewal of
Kerberos tickets.

See the options krb5_renewable_lifetime and krb5_renew_interval in
sssd-krb5(5) (man sssd-krb5)

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
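A constructed model of the ticket semantics Stephen describes: a per-ticket lifetime, a separate renewable lifetime that caps how long renewals can keep a TGT alive, and a periodic renewal task in the style of SSSD's krb5_renew_interval. This is added example code, not from the thread, SSSD or MIT Kerberos; it assumes the renewal task runs every krb5_renew_interval seconds and renews once more than half of the current ticket's lifetime has elapsed, which is how sssd-krb5(5) describes SSSD's behaviour.

```python
# Constructed model of Kerberos TGT lifetime vs. renewable lifetime.
# Not SSSD or MIT krb5 code. Assumption: a renewal task (like SSSD's) runs
# every krb5_renew_interval seconds and renews once more than half of the
# current ticket's lifetime has elapsed (as described in sssd-krb5(5)).
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Tgt:
    start: int       # when this ticket was issued or last renewed
    end: int         # expiry of this ticket (krb5 "endtime")
    renew_till: int  # hard limit past which no renewal is possible


def kinit(now, lifetime, renewable_lifetime):
    """Fresh authentication (e.g. kinit -k -t keytab). The ticket is only
    renewable when the renewable lifetime exceeds the ticket lifetime."""
    end = now + lifetime
    renew_till = now + renewable_lifetime if renewable_lifetime > lifetime else end
    return Tgt(now, end, renew_till)


def renew(t, now, lifetime):
    """Renewal (kinit -R) uses the existing, still-valid TGT as the credential.
    After expiry, or after renew_till, renewal is impossible and only a fresh
    kinit helps: there is no non-expiring ticket."""
    if now >= t.end or now >= t.renew_till:
        return None
    return Tgt(now, min(now + lifetime, t.renew_till), t.renew_till)


def should_renew(t, now):
    """SSSD-style trigger: more than half of the current lifetime used up."""
    return now - t.start > (t.end - t.start) / 2


def simulate(lifetime, renewable_lifetime, renew_interval, horizon):
    """Run the renewal loop from t=0. Returns (renewals that extended the
    ticket, time the TGT became unusable, or its end if alive at horizon)."""
    t, now, renewals = kinit(0, lifetime, renewable_lifetime), 0, 0
    while now < horizon:
        now += renew_interval
        if now >= t.end:  # window missed: the service must kinit again
            return renewals, t.end
        if should_renew(t, now):
            fresh = renew(t, now, lifetime)
            if fresh is not None and fresh.end > t.end:
                t, renewals = fresh, renewals + 1
    return renewals, t.end
```

With a 10-hour ticket and a 1-day renewable lifetime, hourly checks keep the TGT alive for exactly one day and no longer; with a non-renewable ticket the first expiry is final.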
 
Old 02-14-2011, 03:20 PM
"Trever L. Adams"
 
LDAP/SASL/GSSAPI

On 02/10/2011 11:45 AM, Stephen Gallagher wrote:
>
> There's really no such thing as a non-expiring ticket. You always need
> to re-authenticate periodically to get a new ticket. Many deployments
> allow tickets to be "renewable", however. This means you can use your
> existing TGT to authenticate to get the new ticket (during the renewal
> period).
>
> If you are using SSSD 1.5 or later to authenticate users through
> Kerberos, there is a built-in functionality to enable auto-renewal of
> Kerberos tickets.
>
> See the options krb5_renewable_lifetime and krb5_renew_interval in
> sssd-krb5(5) (man sssd-krb5)
Thank you. I am using Samba 4. The problem seems to be that I cannot
kinit -k -t /etc/dovecot/krb5.keytab smtp/fqdn_host@REALM. I have the
keytab. It has that entry. I get kinit: Client 'smtp/fqdn_host@REALM'
not found in Kerberos database while getting initial credentials.

If I could figure this out, I think I would have my entire problem fixed.

Thank you for responding.

Trever
--
"...very few phenomena can pull someone out of Deep Hack Mode, with two
noted exceptions: being struck by lightning, or worse, your *computer*
being struck by lightning." -- Matt Welsh

 
Old 02-14-2011, 07:52 PM
Stephen Gallagher
 
LDAP/SASL/GSSAPI


On 02/14/2011 11:20 AM, Trever L. Adams wrote:
> Thank you. I am using Samba 4. The problem seems to be that I cannot
> kinit -k -t /etc/dovecot/krb5.keytab smtp/fqdn_host@REALM. I have the
> keytab. It has that entry. I get kinit: Client 'smtp/fqdn_host@REALM'
> not found in Kerberos database while getting initial credentials.
>
> If I could figure this out, I think I would have my entire problem fixed.
>
> Thank you for responding.

That's a server-side error. The server is claiming that smtp/fqdn isn't
listed in its database. You need to check the Kerberos logs on the
server (or if you don't have access to them, you need to contact your
system administrator for further help).

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
 
Old 02-25-2011, 11:08 AM
"Trever L. Adams"
 
LDAP/SASL/GSSAPI

Sorry for top posting, etc. The problem is common to Samba4 and AD. SPNs cannot log in this way by design. I switched to using the UPN that the SPN is attached to. Problem solved. Thank you very much.

Trever

 
Old 02-25-2011, 01:16 PM
James McKenzie
 
LDAP/SASL/GSSAPI

On Fri, Feb 25, 2011 at 5:08 AM, Trever L. Adams <trever.adams@gmail.com> wrote:
> Sorry for top posting, etc. The problem is common to Samba4 and AD. SPNs
> cannot log in this way by design. I switched to using the UPN that the SPN is
> attached to. Problem solved. Thank you very much.
>
> Trever
>
Please add a [SOLVED] so others can find the solution you found if
this is indeed solved.

Thank you.

James McKenzie