Unable to run SASL using GSSAPI/kerberos 5 as authentication against Sun One Directory Server

Alberto Patino jalbertop at aranea.com.mx
Mon Mar 1 13:38:54 EST 2004


On Mon, 2004-03-01 at 08:56, Vikas Gandhi wrote:
> I am trying to run the same example that Microsoft has given for
> authentication. I am trying this sample against SEAM and not AD.
First thing is that I think this is not a SEAM a.k.a. MIT problem.
SEAM is the MIT version of the kdc for Solaris, but the Microsoft sample
does LDAP things against AD and just uses the kerberos stuff to set the
password in the kerberos principal.

The MS sample works fine against AD, but if I remember correctly you need to
make changes in the gsssasl source code to work against OpenLDAP or, in your
case, Sun One DS.

One of the changes I did was to remove the "dn:" string and send instead
an empty string "" to the Unix Server in the saslbind negotiation.

> FYI: I am able to run gssapi samples successfully. Also
> /var/Sun/mps/shared/bin/ldapsearch -o mech=GSSAPI   -h blade  -p 389 
> -o realm="quark.co.in" -o authzid="test at QUARK.CO.IN"   -b
> "ou=people,dc=quark,dc=co,dc=in" objectclass=*
> runs well, so I know that I do not have installation problems.
> 
> Though I am able to get the ticket, I still get the error (error.txt, attached, is the
> output)
> 
> $klist
> Ticket cache: /tmp/krb5cc_1023
> Default principal: test at QUARK.CO.IN
> 
> Valid starting            Expires                   Service principal
> Fri Feb 27 20:22:14 2004  Sat Feb 28 04:22:14 2004  krbtgt/QUARK.CO.IN at QUARK.CO.IN
> Fri Feb 27 20:26:52 2004  Sat Feb 28 04:22:14 2004  ldap/blade.quark.co.in at QUARK.CO.IN
> 
> 
> Any small hint shall also be of great use.
> ---------------------------Output at full log traceLevel-----------------------------
> ldap_open
> ldap_init
> nsldapi_open_ldap_connection
> nsldapi_connect_to_host: blade:389
> sd 4 connected to: 10.91.198.100
> ldap_open successful, ld_host is (null)
> LDAP service name: ldap at blade
> ==> client_establish_context
> Sending init_sec_context token (size=466)...
> ==> send_token
> ldap_sasl_bind
> nsldapi_send_initial_request
> nsldapi_send_server_request
> <== send_token
> continue needed...
> ==> recv_token
> ldap_result
> nsldapi_result_nolock
> wait4msg (infinite timeout)
> ** Connections:
> * host: blade  port: 389  secure: No  (default)
>   refcnt: 2  status: Connected
>   last used: Mon Mar  1 13:47:58 2004
> 
> ** Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
>    pending bind DN: <uid=test,ou=people,dc=quark,dc=co,dc=in>
> ** Response Queue:
>    Empty
> nsldapi_do_ldap_select
> read1msg
> got RESULT msgid 1, original id 1
> check_for_refs
> check_for_refs: new result: msgid 1, res_errno 14,  res_error <>,
> res_matched <>
> check_for_refs: 0 new refs(s); chasing 0 of them
> request 1 done
> res_errno: 14, res_error: <>, res_matched: <>
> nsldapi_free_request (origid 1, msgid 1)
> nsldapi_free_connection
> nsldapi_free_connection: refcnt 1
> ldap_parse_sasl_bind_result
> ldap_msgfree
> <== recv_token
> <== recv_token
> Received token (size=106)...
> Sending init_sec_context token (size=0)...
> 
> ==> send_token
> ldap_sasl_bind
> nsldapi_send_initial_request
> nsldapi_send_server_request
> <== send_token
> <== client_establish_context
> ==> negotiate_security_options
> ==> recv_token
> ldap_result
> nsldapi_result_nolock
> wait4msg (infinite timeout)
> ** Connections:
> * host: blade  port: 389  secure: No  (default)
>   refcnt: 2  status: Connected
>   last used: Mon Mar  1 13:47:58 2004
> 
> ** Outstanding Requests:
>  * msgid 2,  origid 2, status InProgress
>    outstanding referrals 0, parent count 0
>    pending bind DN: <uid=test,ou=people,dc=quark,dc=co,dc=in>
> ** Response Queue:
>    Empty
> nsldapi_do_ldap_select
> read1msg
> got RESULT msgid 2, original id 2
> check_for_refs
> check_for_refs: new result: msgid 2, res_errno 14,  res_error <>,
> res_matched <>
> check_for_refs: 0 new refs(s); chasing 0 of them
> request 2 done
> res_errno: 14, res_error: <>, res_matched: <>
> nsldapi_free_request (origid 2, msgid 2)
> nsldapi_free_connection
> nsldapi_free_connection: refcnt 1
> ldap_parse_sasl_bind_result
> ldap_msgfree
> <== recv_token
> <== recv_token
> Received token (size=53)...
> 60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00
> 00 ff ff ff ff bf c6 cc 61 b8 48 2f 1e 6f 44 28
> 77 d6 81 34 3f 24 26 0c 24 1d a6 6e 31 01 00 ff
> ff 04 04 04 04
> Received security token level 1 size 65535
> Sending security token level 1 size 65535
> ==> send_token
> ldap_sasl_bind
> nsldapi_send_initial_request
> nsldapi_send_server_request
> <== send_token
> ==> parse_bind_result
> ldap_result
> nsldapi_result_nolock
> wait4msg (infinite timeout)
> ** Connections:
> * host: blade  port: 389  secure: No  (default)
>   refcnt: 2  status: Connected
>   last used: Mon Mar  1 13:47:58 2004
> 
> ** Outstanding Requests:
>  * msgid 3,  origid 3, status InProgress
>    outstanding referrals 0, parent count 0
>    pending bind DN: <uid=test,ou=people,dc=quark,dc=co,dc=in>
> ** Response Queue:
>    Empty
> nsldapi_do_ldap_select
> read1msg
> got RESULT msgid 3, original id 3
> check_for_refs
> check_for_refs: new result: msgid 3, res_errno 49,  res_error
> <SASL(-1): generic failure: >, res_matched <>
> check_for_refs: 0 new refs(s); chasing 0 of them
> request 3 done
> res_errno: 49, res_error: <SASL(-1): generic failure: >, res_matched:
> <>
> nsldapi_free_request (origid 3, msgid 3)
> nsldapi_free_connection
> nsldapi_free_connection: refcnt 1
> ldap_first_message
> ldap_first_message::LDAP_RES_BIND
> ldap_msgfree
> <== parse_bind_result
> rc !=0 after parse_bind_result
> <== negotiate_security_options
> after negotiate_security_options -1
>  after ldap_gssapi_bind
> an error occurred in ldap_gssapi_bind
> ldap_perror
> ldap_gssapi_bind: Requested LDAP control not found
> ldap_unbind
> nsldapi_free_connection
> nsldapi_send_unbind
> nsldapi_free_connection: actually freed
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
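The security-layer exchange in the trace above, decoded as an added example (Python, not code from the thread or from the Microsoft gsssasl sample): it unwraps the 53-byte server token quoted in the log (an RFC 1964 Wrap token whose SEAL_ALG is "none", so the payload is readable on the wire) into the 4-byte SASL GSSAPI security-layer payload, and builds the client reply both ways, with the "dn:" authorization identity the Microsoft sample sends and the empty string Alberto describes. The DN used as authzid is the "pending bind DN" from the trace; the field layout follows RFC 2743 framing, RFC 1964 and RFC 2222 section 7.2.1.

```python
# Added example: decode the SASL GSSAPI security-layer negotiation seen in the
# trace above. Offsets follow RFC 2743 framing + RFC 1964 Wrap token layout.
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2

# The 53-byte token the server returned (copied from the quoted log).
SERVER_WRAP_TOKEN_FROM_LOG = bytes.fromhex(
    "60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 "
    "00 ff ff ff ff bf c6 cc 61 b8 48 2f 1e 6f 44 28 "
    "77 d6 81 34 3f 24 26 0c 24 1d a6 6e 31 01 00 ff "
    "ff 04 04 04 04")

def unwrap_cleartext_rfc1964(token: bytes) -> bytes:
    """Payload of a Kerberos V5 Wrap token whose SEAL_ALG is 'none'.
    Layout after the framing: TOK_ID(2) SGN_ALG(2) SEAL_ALG(2) filler(2)
    SND_SEQ(8) SGN_CKSUM(8) confounder(8) data padding(1..8)."""
    if token[0] != 0x60:
        raise ValueError("missing RFC 2743 [APPLICATION 0] framing")
    pos = 2 + (token[1] & 0x7f if token[1] & 0x80 else 0)   # skip DER length
    if token[pos] != 0x06:
        raise ValueError("expected mechanism OID")
    oid_len = token[pos + 1]
    if token[pos + 2:pos + 2 + oid_len] != KRB5_MECH_OID:
        raise ValueError("not a Kerberos V5 mechanism token")
    inner = token[pos + 2 + oid_len:]
    if inner[0:2] != b"\x02\x01":
        raise ValueError("not a Wrap token (TOK_ID 02 01)")
    if inner[4:6] != b"\xff\xff":
        raise ValueError("SEAL_ALG set: payload is encrypted, needs the session key")
    body = inner[24:]                       # after the 24-byte Wrap header
    pad = body[-1]                          # every pad byte equals the pad length
    if not 1 <= pad <= 8 or body[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return body[8:-pad]                     # drop confounder and padding

def parse_server_sec_layer(payload: bytes) -> tuple:
    """RFC 2222 7.2.1: bitmask of offered layers (1 none, 2 integrity,
    4 confidentiality) followed by a 24-bit max buffer size.
    A bare 1 means the LDAP traffic after the bind gets no GSSAPI protection."""
    if len(payload) != 4:
        raise ValueError("server security-layer payload must be 4 bytes")
    return payload[0], int.from_bytes(payload[1:4], "big")

def build_client_sec_layer(layer: int, max_size: int, authzid: str = "") -> bytes:
    """Client reply: the one selected layer, its max buffer size, then the
    authorization identity ('' = authorize as the authenticated principal)."""
    if layer not in (1, 2, 4) or not 0 <= max_size < (1 << 24):
        raise ValueError("select exactly one layer; max size is 24-bit")
    return bytes([layer]) + max_size.to_bytes(3, "big") + authzid.encode("utf-8")

if __name__ == "__main__":
    print(parse_server_sec_layer(unwrap_cleartext_rfc1964(SERVER_WRAP_TOKEN_FROM_LOG)))
    # Microsoft sample style ('dn:' authzid, DN taken from the trace) vs. empty authzid.
    print(build_client_sec_layer(1, 65535, "dn:uid=test,ou=people,dc=quark,dc=co,dc=in").hex())
    print(build_client_sec_layer(1, 65535).hex())
```

The decoded server payload matches the trace's "Received security token level 1 size 65535", and the only difference between the two client replies is the trailing authzid bytes, which is the part of the negotiation the server rejected with "SASL(-1): generic failure".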


