[30908] in Kerberos


RE: SASL authentication

daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Sun Mar 22 23:17:02 2009

From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Michael Ströder <michael@stroeder.com>,
   "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 23 Mar 2009 11:15:16 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C172905443498@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <9vmd96-1dp.ln1@nb2.stroeder.com>
Content-Language: en-US
MIME-Version: 1.0
X-MAIL-FROM: <qiang.xu@fujixerox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> -----Original Message-----
> From: kerberos-bounces@mit.edu 
> [mailto:kerberos-bounces@mit.edu] On Behalf Of Michael Ströder
> Sent: Saturday, March 21, 2009 7:55 AM
> To: kerberos@mit.edu
> Subject: Re: SASL authentication
> 
> As I understood the original poster he wants to use LDAP SASL 
> Bind with mechanism GSSAPI in his LDAP client when accessing 
> MS AD. For this to work a normal kinit should be sufficient 
> for a first test of his LDAP client code.
> 
> If his own LDAP *client* runs as a long-running service (e.g. 
> a networked printer) then he would need a keytab extracted 
> with the help of ktpass.exe. AFAICS in these postings the 
> first test did not succeed yet.

Yes, my LDAP client runs in a networked printer, which is not in the same realm as the Kerberos server and LDAP server. Therefore, maybe a keytab file is necessary for me?

> You create a user with a sAMAccountName and a 
> userPrincipalName (LDAP attribute names) and then use this 
> userPrincipalName as parameter for kinit. LDAP-bind with 
> SASL/GSSAPI will automagically obtain a service ticket. See 
> my local test with OpenLDAP command-line tool below (all 
> names manually obfuscated).
> 
> If something fails check your DNS and /etc/krb5.conf 
> especially regarding enc types.

Basically, my test is almost the same as what you've done in the following. But in doing ldapsearch, I've met an error:
========================================================
qxu@durian(pts/3):/etc[14]$ kinit -f qxu@SESSWIN2003.COM 
Password for qxu@SESSWIN2003.COM: 

qxu@durian(pts/3):/etc[15]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: qxu@SESSWIN2003.COM
 
Valid starting     Expires            Service principal
03/20/09 15:07:19  03/21/09 01:06:54  krbtgt/SESSWIN2003.COM@SESSWIN2003.COM
        renew until 03/21/09 15:07:19
 

Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached

qxu@durian(pts/3):/etc[17]$ ldapsearch -Y GSSAPI -H 'ldap://13.198.98.35' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=qxu' mail 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database) 
========================================================
Does the message "Server not found in Kerberos database" mean that I need a keytab file?

Thank you, Michael!
Xu Qiang
 
> Maybe I got the original poster wrong though...
> 
> Ciao, Michael.
> 
> -----------Get Ticket Granting Ticket (TGT)----------- 
> $ kinit username@TESTDOMAIN.DOM 
> Password for username@TESTDOMAIN.DOM:
> 
> -----------List Tickets-----------
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_4242
> Default principal: username@TESTDOMAIN.DOM
> 
> Valid starting     Expires            Service principal
> 03/21/09 00:39:14  03/21/09 10:39:16  krbtgt/TESTDOMAIN.DOM@TESTDOMAIN.DOM
> 	renew until 03/22/09 00:39:14
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt4242
> klist: You have no tickets cached
> 
> -----------LDAP-Bind SASL/GSSAPI----------- 
> $ ldapsearch -H ldap://dc1.testdomain.dom -b "" -s base -Y GSSAPI "(objectClass=*)" namingContexts
> SASL/GSSAPI authentication started 
> SASL username: username@TESTDOMAIN.DOM 
> SASL SSF: 56 SASL data security layer installed.
> dn:
> namingContexts: DC=testdomain,DC=dom
> namingContexts: CN=Configuration,DC=testdomain,DC=dom
> namingContexts: CN=Schema,CN=Configuration,DC=testdomain,DC=dom
> namingContexts: DC=DomainDnsZones,DC=testdomain,DC=dom
> namingContexts: DC=ForestDnsZones,DC=testdomain,DC=dom
> 
> -----------List Tickets-----------
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_4242
> Default principal: username@TESTDOMAIN.DOM
> 
> Valid starting     Expires            Service principal
> 03/21/09 00:39:14  03/21/09 10:39:16  krbtgt/TESTDOMAIN.DOM@TESTDOMAIN.DOM
> 	renew until 03/22/09 00:39:14
> 03/21/09 00:40:57  03/21/09 10:39:16  ldap/dc1.testdomain.dom@TESTDOMAIN.DOM
> 	renew until 03/22/09 00:39:14
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
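To see why the bind to 'ldap://13.198.98.35' above fails while the bind to ldap://dc1.testdomain.dom succeeds, here is an added example (not code from this thread) that mimics how a SASL/GSSAPI LDAP bind derives the service principal it asks the KDC for: ldap/<host>@<REALM>, with the realm chosen by a [domain_realm]-style suffix map. The suffix map and realm names are assumptions constructed for the example; an IP literal in the URI yields no principal that AD has registered, which is what the KDC reports as "Server not found in Kerberos database", and a client-side keytab does not change the name that is requested.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the [domain_realm] section of /etc/krb5.conf;
# the suffixes and realm names are assumptions made for this example.
DOMAIN_REALM = {
    ".sesswin2003.com": "SESSWIN2003.COM",
    ".testdomain.dom": "TESTDOMAIN.DOM",
}
DEFAULT_REALM = "SESSWIN2003.COM"


def realm_for_host(host, domain_realm=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    """Longest-suffix match of the host against the domain_realm map,
    falling back to the default realm, the way libkrb5 resolves it."""
    for suffix in sorted(domain_realm, key=len, reverse=True):
        if host == suffix.lstrip(".") or host.endswith(suffix):
            return domain_realm[suffix]
    return default_realm


def ldap_service_principal(ldap_uri):
    """Return the ldap/<host>@<REALM> name a GSSAPI bind asks the KDC for,
    or None when the URI names the server by IP literal: AD registers
    ldap/<fqdn> SPNs only, so the KDC has no principal for an address and
    answers 'Server not found in Kerberos database'.  (With rdns enabled
    libkrb5 may reverse-resolve the literal first; without a PTR record
    it stays an address.)"""
    host = urlsplit(ldap_uri).hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return None          # IP literal: no matching SPN in the KDC
    except ValueError:
        pass                 # a DNS name, the normal case
    host = host.lower().rstrip(".")
    return "ldap/%s@%s" % (host, realm_for_host(host))


def diagnose_bind_target(ldap_uri):
    """Say, before touching the network, what a GSSAPI bind to this URI
    will request from the KDC and whether that request can succeed."""
    principal = ldap_service_principal(ldap_uri)
    if principal is None:
        return ("no service principal can be derived from %r; use the "
                "domain controller's DNS name (ldap://dc.fqdn)" % ldap_uri)
    return "bind will request a ticket for %s" % principal
```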