LinuxQuestions.org

Linux - Server: Problem with kerberos sasl mapping in 389-ds? (http://www.linuxquestions.org/questions/linux-server-73/problem-with-kerberos-sasl-mapping-in-389-ds-4175444818/)

red888 01-09-2013 08:34 AM

Problem with kerberos sasl mapping in 389-ds?
 
I'm really pulling my hair out over this and have asked questions about this issue on multiple forums only to get 0 responses every time. All I ask for is at least maybe some guidance to point me in the right direction. Or maybe someone could point out if this is just a poorly worded question so I could correct/add any information that would make it more palatable.

I have a fedora client that I am trying to authenticate to a centos server running 389 ds using kerberos.

I can run
Code:

kinit <my-user-principal>

on the fedora client successfully and get a ticket, and I can also make successful queries with
Quote:

ldapsearch -x

using simple authentication, but no matter what I try I just cannot authenticate with kerberos to the 389 server.

Whenever I try
Quote:

ldapwhoami -I -Y GSSAPI

(this is of course after running kinit) I get the following error:

Quote:

SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: test@LAB2.LOCAL
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)

Doing a klist I can see I have my tickets:

Quote:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@LAB2.LOCAL

Valid starting Expires Service principal
01/09/13 00:26:58 01/10/13 00:26:58 krbtgt/LAB2.LOCAL@LAB2.LOCAL
renew until 01/09/13 00:26:58
01/09/13 00:27:45 01/10/13 00:26:58 ldap/dp100srv1.lab2.local@LAB2.LOCAL
renew until 01/09/13 00:26:58

I can run the following command to confirm my 389 server is offering the GSSAPI security mech:
Quote:

ldapsearch -H ldap://dp100srv1.lab2.local -x -b "" -s base -LLL supportedSASLMechanisms

Going to the 389 server I edited the nsslapd-accesslog-level attribute of cn=config to 260, and when I checked the access log I found this (172.16.86.200 is the IP of my fedora client):

Quote:

tail -n 15 /var/log/dirsrv/slapd-dp100srv1/access
[09/Jan/2013:00:58:13 -0500] conn=130 fd=64 slot=64 connection from 172.16.86.200 to 172.16.86.100
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[09/Jan/2013:00:58:16 -0500] conn=130 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 UNBIND
[09/Jan/2013:00:58:16 -0500] conn=130 op=1 fd=64 closed - U1

What is BIND dn="" about? Is it trying to bind with a null DN?
The DN of my ldap user is:
Quote:

uid=test,ou=people,dc=lab2,dc=local

The kerberos SPN is:
Quote:

test@LAB2.LOCAL

According to the 389 docs, the default sasl maps that are already configured should be enough for my purposes.

Where else can I look to troubleshoot this?

Also, the fact that I have asked this question many different ways in other places and received no responses makes me think I am doing something wrong. Please let me know if/why this is a stupid or bad question and I'll try to fix it.
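
Added example, not from the thread, of what the server does after a SASL bind (sent with an empty DN, as in the access log) once GSSAPI has accepted the ticket: the mapping stage turns test@LAB2.LOCAL into a base DN and filter, and a single search hit becomes the bind identity. That stage only runs after the GSS exchange succeeds, which in the post it does not, so this shows where the default maps would take the principal rather than why the bind failed. The rule values are assumed from the stock 389-ds entries plus the poster's suffix; check cn=mapping,cn=sasl,cn=config on your own server.

```python
import re
# Rules as 389-ds stores them under cn=mapping,cn=sasl,cn=config.  These follow the
# stock "Kerberos uid mapping" and "uid mapping" entries, written in PCRE syntax
# (older templates spell the groups as \(.*\)); the suffix in the second rule is the
# poster's tree.  Verify both against your own server before relying on them.
DEFAULT_RULES = [
    {"cn": "Kerberos uid mapping",
     "nsSaslMapRegexString": r"(.*)@(.*)\.(.*)",
     "nsSaslMapBaseDNTemplate": r"dc=\2,dc=\3",
     "nsSaslMapFilterTemplate": r"(uid=\1)"},
    {"cn": "uid mapping",
     "nsSaslMapRegexString": r"^[^:@]+$",
     "nsSaslMapBaseDNTemplate": "dc=lab2,dc=local",
     "nsSaslMapFilterTemplate": "(uid=&)"},
]

# Constructed stand-in for the poster's directory: DN -> uid attribute.
ENTRIES = {"uid=test,ou=people,dc=lab2,dc=local": "test"}

def expand_templates(rule, identity):
    """Return (base_dn, filter) for one rule, or None if the regex does not match.
    As in 389-ds, '&' stands for the whole match and \\N for capture group N."""
    m = re.search(rule["nsSaslMapRegexString"], identity, re.IGNORECASE)
    if m is None:
        return None
    def expand(tmpl):
        tmpl = tmpl.replace("&", m.group(0))
        return re.sub(r"\\(\d)", lambda g: m.group(int(g.group(1))), tmpl)
    return expand(rule["nsSaslMapBaseDNTemplate"]), expand(rule["nsSaslMapFilterTemplate"])

def resolve_identity(rules, identity, entries):
    """Simulate the server: try each rule in order, run its (uid=...) search under the
    mapped base, and return the DN only if exactly one entry matches (case-insensitive)."""
    for rule in rules:
        mapped = expand_templates(rule, identity)
        if mapped is None:
            continue
        base, flt = mapped
        fm = re.fullmatch(r"\(uid=(.*)\)", flt, re.IGNORECASE)  # only uid filters simulated
        if fm is None:
            continue
        hits = [dn for dn, uid in entries.items()
                if dn.lower().endswith(base.lower()) and uid.lower() == fm.group(1).lower()]
        if len(hits) == 1:
            return hits[0]
    return None

print(expand_templates(DEFAULT_RULES[0], "test@LAB2.LOCAL"))  # ('dc=LAB2,dc=LOCAL', '(uid=test)')
print(resolve_identity(DEFAULT_RULES, "ldap/dp100srv1.lab2.local@LAB2.LOCAL", ENTRIES))  # None
```

A service principal such as the ldap/ ticket in the klist output maps to a (uid=ldap/...) search that finds nothing, which is why a bare user principal is what the default maps expect.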

