LinuxQuestions.org
Old 08-07-2007, 02:38 PM   #1
licht
Member
 
Registered: Mar 2005
Location: chicago
Distribution: red hat 9.0
Posts: 59

Rep: Reputation: 15
Question GSSAPI and Cyrus SASL: testing failed


Cyrus SASL lib and MIT Kerberos are installed.

But testing w/ negotiation between sample-server and sample-client failed:

Running "./sample-server -s ldap -p ../plugins/.libs" gives me

Quote:
Generating client mechanism list...
Sending list of 7 mechanism(s)
S: Q1JBTS1NRDUgUExBSU4gR1NTQVBJIERJR0VTVC1NRDUgTE9HSU4gT1RQIEFOT05ZTU9VUw==
Waiting for client mechanism...

Running "./sample-client -s ldap -n host.company.com -u user -p ../plugins/.libs" gives me

Quote:
service=ldap
Waiting for mechanism list from server...

where "ldap" and "user" are in Kerberos, "kinit user" succeeds, Kerberos should work (it can be used for login with pam_krb5), and the keys are extracted to krb5.keytab.

Then, after copying the whole line from "S:" to the client, the client script quits and complains with the following:

Quote:
lt-sample-client: Decoding data from base64: bad protocol / cancel

In fact, the same error message is shown whether or not a "kinit" was issued beforehand, and even when no "-s", "-p", "-n", or "-u" is used for sample-server and sample-client at all.

Or maybe the line starting w/ "S:" was not correctly copied and pasted to the client side? I tried to copy and paste up to the last "=" sign, but the client just sat there and did nothing. So, I guess the client should wait for some terminating char(s). Then I tried to hit "Enter", but that gave me the same error...

So, what might cause this problem? Could it be a configuration option, like the MIT Kerberos GSSAPI lib path or something?

Thanks!

Last edited by licht; 08-07-2007 at 03:28 PM.
 
Old 08-07-2007, 05:35 PM   #2
licht
Original Poster
Solved and new problems found.

Cause: this seems to be a bug that comes with cyrus-sasl-2.1.22. There are 2 places, both in "samp_recv()": one in sample-server.c and the other in sample-client.c. When the whole line (S: or C: ) is copied, there is a NEWLINE after the exchange message text. In "samp_recv()", the length of this exchange message text is calculated as "(unsigned) strlen(buf + 3)". But the correct length should be ONE LESS than this value. As a result, the wrong length caused both server and client to see wrongly encoded text and quit at the end.

Sol: find where "sasl_decode64" is called in "samp_recv()" in both .c files and make them look like this:

Quote:
result = sasl_decode64(buf + 3, (unsigned) strlen(buf + 3) -1, buf, SAMPLE_SEC_BUF_SIZE, &len);

New problem:
- Copy the 1st "S:" line from server to client
- Client prompts the following message and then generates the "C:" line.

Quote:
Choosing best mechanism from: PLAIN LOGIN GSSAPI ANONYMOUS OTP CRAM-MD5 DIGEST-MD5
returning OK: user
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: R1NTQVBJ....

- Copy this "C:" line to the server, server displays the following error message:

Quote:
got 'GSSAPI'
lt-sample-server: SASL Other: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request)
lt-sample-server: Starting SASL negotiation: authentication failure (authentication failure)

Any thoughts about this? Thanks!

Last edited by licht; 08-07-2007 at 05:47 PM.
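
Added example, not part of the original posts and not Cyrus SASL code: it replays the "S:" line from post #1 through three ways of computing the payload length, to show that "strlen(buf + 3) - 1" only works when the line ends in exactly one newline, while trimming trailing CR/LF also handles a line with no newline or with CRLF. Assumptions: strict_decode64 is a stand-in decoder that rejects any non-base64 byte (it is not sasl_decode64), and payload_len and decode_line are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in strict base64 decoder (NOT libsasl's sasl_decode64): returns the
   decoded length, or -1 on any byte outside the alphabet or a bad length. */
static int b64val(int c) {
    const char *t = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(t, c) : NULL;
    return p ? (int)(p - t) : -1;
}
int strict_decode64(const char *in, size_t inlen, char *out, size_t outmax) {
    size_t o = 0;
    if (inlen == 0 || inlen % 4 != 0) return -1;
    for (size_t i = 0; i < inlen; i += 4) {
        int v[4], pad = 0;
        for (int j = 0; j < 4; j++) {
            if (in[i + j] == '=' && i + 4 == inlen && j >= 2) { v[j] = 0; pad++; }
            else if (pad || (v[j] = b64val((unsigned char)in[i + j])) < 0) return -1;
        }
        if (o + 3 - pad > outmax) return -1;
        unsigned long n = ((unsigned long)v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        out[o++] = (char)(n >> 16);
        if (pad < 2) out[o++] = (char)(n >> 8);
        if (pad < 1) out[o++] = (char)n;
    }
    return (int)o;
}
/* Payload length after the 3-byte "S: "/"C: " prefix, minus trailing CR/LF. */
size_t payload_len(const char *line) {
    size_t n = strlen(line);
    if (n < 3) return 0;
    n -= 3;
    while (n > 0 && (line[2 + n] == '\n' || line[2 + n] == '\r')) n--;
    return n;
}
/* mode 0: strlen(buf + 3), the length the post says 2.1.22 uses;
   mode 1: the post's "- 1" fix; mode 2: trim trailing CR/LF. */
int decode_line(const char *line, int mode, char *out, size_t outmax) {
    if (strlen(line) < 4) return -1;
    size_t raw = strlen(line + 3);
    size_t len = mode == 0 ? raw : mode == 1 ? raw - 1 : payload_len(line);
    return strict_decode64(line + 3, len, out, outmax);
}
int main(void) {
    char out[128];  /* input below is the "S:" line quoted in post #1, plus a newline */
    const char *s = "S: Q1JBTS1NRDUgUExBSU4gR1NTQVBJIERJR0VTVC1NRDUgTE9HSU4gT1RQIEFOT05ZTU9VUw==\n";
    for (int m = 0; m < 3; m++)
        printf("mode %d -> %d\n", m, decode_line(s, m, out, sizeof out));
    return 0;
}
```
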
 
  

