heimdal kerberos in openldap issue

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Brian on Server Fault See other posts from Server Fault or by Brian
Published on 2012-11-11T21:01:09Z Indexed on 2012/11/11 23:02 UTC
Read the original article Hit count: 632

Filed under:
|
|
|

I think I posted this on the wrong 'sister site', so here it is.

I'm having a bit of trouble getting Kerberos (Heimdal version) to work nicely with OpenLDAP. The kerberos database is being stored in LDAP itself. The KDC uses SASL EXTERNAL authentication as root to access the container ou.

I created the database in LDAP fine using kadmin -l, but it won't let me use kadmin without the -l flag:

root@rds0:~# kadmin -l
kadmin> list *
krbtgt/REALM
kadmin/changepw
kadmin/admin
changepw/kerberos
kadmin/hprop
WELLKNOWN/ANONYMOUS
WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L
default
brian.empson
brian.empson/admin
host/rds0.example.net
ldap/rds0.example.net
host/localhost
kadmin> exit
root@rds0:~# kadmin
kadmin> list *
brian.empson/admin@REALM's Password:      <----- With right password
kadmin: kadm5_get_principals: Key table entry not found
kadmin> list *
brian.empson/admin@REALM's Password:       <------ With wrong password
kadmin: kadm5_get_principals: Already tried ENC-TS-info, looping
kadmin>

I can get tickets without a problem:

root@rds0:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: brian.empson@REALM

  Issued                Expires               Principal
Nov 11 14:14:40 2012  Nov 12 00:14:37 2012  krbtgt/REALM@REALM
Nov 11 14:40:35 2012  Nov 12 00:14:37 2012  ldap/rds0.example.net@REALM

But I can't seem to change my own password without kadmin -l:

root@rds0:~# kpasswd
brian.empson@REALM's Password:      <---- Right password
New password:
Verify password - New password:
Auth error : Authentication failed
root@rds0:~# kpasswd
brian.empson@REALM's Password:       <---- Wrong password
kpasswd: krb5_get_init_creds: Already tried ENC-TS-info, looping

kadmin's logs are not helpful at all:

2012-11-11T13:48:33 krb5_recvauth: Key table entry not found
2012-11-11T13:51:18 krb5_recvauth: Key table entry not found
2012-11-11T13:53:02 krb5_recvauth: Key table entry not found
2012-11-11T14:16:34 krb5_recvauth: Key table entry not found
2012-11-11T14:20:24 krb5_recvauth: Key table entry not found
2012-11-11T14:20:44 krb5_recvauth: Key table entry not found
2012-11-11T14:21:29 krb5_recvauth: Key table entry not found
2012-11-11T14:21:46 krb5_recvauth: Key table entry not found
2012-11-11T14:23:09 krb5_recvauth: Key table entry not found
2012-11-11T14:45:39 krb5_recvauth: Key table entry not found

The KDC reports that both accounts succeed in authenticating:

2012-11-11T14:48:03 AS-REQ brian.empson@REALM from IPv4:192.168.72.10 for kadmin/changepw@REALM
2012-11-11T14:48:03 Client sent patypes: REQ-ENC-PA-REP
2012-11-11T14:48:03 Looking for PK-INIT(ietf) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for PK-INIT(win2k) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for ENC-TS pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-11-11T14:48:03 sending 294 bytes to IPv4:192.168.72.10
2012-11-11T14:48:03 AS-REQ brian.empson@REALM from IPv4:192.168.72.10 for kadmin/changepw@REALM
2012-11-11T14:48:03 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2012-11-11T14:48:03 Looking for PK-INIT(ietf) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for PK-INIT(win2k) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for ENC-TS pa-data -- brian.empson@REALM
2012-11-11T14:48:03 ENC-TS Pre-authentication succeeded -- brian.empson@REALM using aes256-cts-hmac-sha1-96
2012-11-11T14:48:03 ENC-TS pre-authentication succeeded -- brian.empson@REALM
2012-11-11T14:48:03 AS-REQ authtime: 2012-11-11T14:48:03 starttime: unset endtime: 2012-11-11T14:53:00 renew till: unset
2012-11-11T14:48:03 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-11-11T14:48:03 sending 704 bytes to IPv4:192.168.72.10

2012-11-11T14:45:39 AS-REQ brian.empson/admin@REALM from IPv4:192.168.72.10 for kadmin/admin@REALM
2012-11-11T14:45:39 Client sent patypes: REQ-ENC-PA-REP
2012-11-11T14:45:39 Looking for PK-INIT(ietf) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for PK-INIT(win2k) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for ENC-TS pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-11-11T14:45:39 sending 303 bytes to IPv4:192.168.72.10
2012-11-11T14:45:39 AS-REQ brian.empson/admin@REALM from IPv4:192.168.72.10 for kadmin/admin@REALM
2012-11-11T14:45:39 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2012-11-11T14:45:39 Looking for PK-INIT(ietf) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for PK-INIT(win2k) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for ENC-TS pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 ENC-TS Pre-authentication succeeded -- brian.empson/admin@REALM using aes256-cts-hmac-sha1-96
2012-11-11T14:45:39 ENC-TS pre-authentication succeeded -- brian.empson/admin@REALM
2012-11-11T14:45:39 AS-REQ authtime: 2012-11-11T14:45:39 starttime: unset endtime: 2012-11-11T15:45:39 renew till: unset
2012-11-11T14:45:39 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-11-11T14:45:39 sending 717 bytes to IPv4:192.168.72.10

I wish I had more detailed logging messages, running kadmind in debug mode seems to almost work but it just kicks me back to the shell when I type in the correct password.

GSSAPI via LDAP doesn't work either, but I suspect it's because some parts of kerberos aren't working either:

root@rds0:~# ldapsearch -Y GSSAPI -H ldaps:/// -b "o=mybase" o=mybase
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
root@rds0:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b "o=mybase" o=mybase
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
<snip>

Would anyone be able to point me in the right direction?

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about authentication

Related posts about openldap

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle