LinuxQuestions.org

Forum: Linux - Networking
Thread: GSSAPI and Cyrus SASL: testing failed (https://www.linuxquestions.org/questions/linux-networking-3/gssapi-and-cyrus-sasl-testing-failed-575419/)

licht 08-07-2007 02:38 PM

GSSAPI and Cyrus SASL: testing failed
 
Cyrus SASL lib and MIT kerberos installed.

But testing the negotiation between sample-server and sample-client failed:

Running "./sample-server -s ldap -p ../plugins/.libs" gives me:

Quote:

Generating client mechanism list...
Sending list of 7 mechanism(s)
S: Q1JBTS1NRDUgUExBSU4gR1NTQVBJIERJR0VTVC1NRDUgTE9HSU4gT1RQIEFOT05ZTU9VUw==
Waiting for client mechanism...

Running "./sample-client -s ldap -n host.company.com -u user -p ../plugins/.libs" gives me:

Quote:

service=ldap
Waiting for mechanism list from server...

where "ldap" and "user" are in Kerberos, "kinit user" succeeds, Kerberos should work (it can be used for login with pam_krb5), and the keys have been extracted to krb5.keytab.

Then, after copying the whole line starting with "S:" to the client, the client script quits and complains the following:

Quote:

lt-sample-client: Decoding data from base64: bad protocol / cancel

In fact, the same error message appears regardless of whether "kinit" was issued beforehand, and even when no "-s", "-p", "-n", or "-u" options are used for sample-server and sample-client at all.

Or maybe the line starting with "S:" was not copied and pasted correctly to the client side? I tried copying and pasting up to the last "=" sign, but the client just sat there and did nothing. So I guess the client waits for some terminating character(s). Then I tried hitting "Enter", but that gave me the same error...

So, what might cause this problem? Could it be a configuration option like the MIT Kerberos GSSAPI lib path or something?

Thanks!

licht 08-07-2007 05:35 PM

Solved and new problems found.

Cause: this seems to be a bug that ships with cyrus-sasl-2.1.22. There are 2 places in "samp_recv()": one in sample-server.c and the other in sample-client.c. When the whole line ("S:" or "C:") is copied, there is a NEWLINE after the exchange message text. In "samp_recv()", the length of this exchange message text is calculated as "(unsigned) strlen(buf + 3)", but the correct length should be ONE LESS than this value. As a result, the wrong length causes either the server or the client to see a wrongly encoded text and quit at the end.

Sol: find where "sasl_decode64" is called in "samp_recv()" in both .c files and make the call look like this:

Quote:

result = sasl_decode64(buf + 3, (unsigned) strlen(buf + 3) -1, buf, SAMPLE_SEC_BUF_SIZE, &len);

New problem:
- Copy the 1st "S:" line from the server to the client.
- The client prints the following message and then generates the "C:" line.

Quote:

Choosing best mechanism from: PLAIN LOGIN GSSAPI ANONYMOUS OTP CRAM-MD5 DIGEST-MD5
returning OK: user
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: R1NTQVBJ....

- Copy this "C:" line to the server; the server displays the following error message:

Quote:

got 'GSSAPI'
lt-sample-server: SASL Other: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request)
lt-sample-server: Starting SASL negotiation: authentication failure (authentication failure)

Any thoughts about this? Thanks!
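An added example, not code from this thread or from Cyrus SASL, that isolates the length bug described above: the pasted "S:" line keeps the newline that fgets() leaves behind, so counting it with strlen() hands the decoder one byte too many. In place of the hard-coded "-1", payload_len() stops at any CR/LF (so a line pasted without a newline, or with a Windows line ending, is handled too); b64_decode() is a minimal stand-in for sasl_decode64() and the names payload_len, b64_decode and decode_line are assumptions of this example.

```c
#include <string.h>

/* Length of the base64 text after the "S: " / "C: " prefix, stopping at the
 * CR/LF that fgets() leaves on a pasted line.  Unlike the hard-coded "-1" of
 * the forum fix, a line that arrives without any newline is not over-trimmed. */
size_t payload_len(const char *buf)
{
    return strcspn(buf + 3, "\r\n");
}

/* Minimal base64 decoder standing in for sasl_decode64() (hypothetical, not
 * the Cyrus code).  Returns bytes written, or -1 on bad length/character. */
static int b64val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

long b64_decode(const char *in, size_t inlen, unsigned char *out, size_t outmax)
{
    size_t o = 0;
    if (inlen == 0 || inlen % 4 != 0) return -1;   /* a counted '\n' lands here */
    for (size_t i = 0; i < inlen; i += 4) {
        int v[4];
        for (int k = 0; k < 4; k++) {              /* '=' only in the last 2 slots */
            if (in[i + k] == '=' && i + 4 == inlen && k >= 2) { v[k] = -2; continue; }
            if ((v[k] = b64val(in[i + k])) < 0) return -1;
        }
        if (v[2] == -2 && v[3] != -2) return -1;
        if (o + 3 > outmax) return -1;             /* never overrun the caller's buffer */
        out[o++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        if (v[2] != -2) out[o++] = (unsigned char)((v[1] << 4) | (v[2] >> 2));
        if (v[3] != -2) out[o++] = (unsigned char)((v[2] << 6) | v[3]);
    }
    return (long)o;
}

/* Decode one pasted "S: ..." / "C: ..." line.  strip_crlf = 0 reproduces the
 * 2.1.22 sample code (strlen counts the newline); 1 uses payload_len(). */
long decode_line(const char *buf, int strip_crlf, unsigned char *out, size_t outmax)
{
    if (strlen(buf) < 3 || buf[1] != ':' || buf[2] != ' ') return -1;
    size_t n = strip_crlf ? payload_len(buf) : strlen(buf + 3);
    return b64_decode(buf + 3, n, out, outmax);
}
```

With the thread's own "S:" line plus a trailing newline, strip_crlf = 0 fails (73 bytes is not a multiple of 4, the same decode failure the client reports as "bad protocol"), while strip_crlf = 1 yields the 52-byte mechanism list "CRAM-MD5 PLAIN GSSAPI DIGEST-MD5 LOGIN OTP ANONYMOUS".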

