Help with SASL/GSSAPI to remote Kerberos server

Jeffrey Altman jaltman at secure-endpoints.com
Tue Feb 19 19:22:04 EST 2008


Wes Modes wrote:
> To clarify. 
>
> To separate and modularize some of these services, we have three
> servers:  A file server running Samba;  A directory server running
> OpenLDAP to provide personal and group identities; and an authentication
> server running Kerberos (administered by another group).  Samba connects
> to OpenLDAP through smbldap-tools.  And OpenLDAP connects to the
> Kerberos server via SASL/GSSAPI.

smbldap-tools contacts the KDC (Kerberos server) and obtains a service
ticket for the OpenLDAP server.  In order for this to be possible there
must be a service principal in the KDC database for the OpenLDAP service
and a keytab containing the matching key(s) must be installed on the
OpenLDAP server.

>
> When someone requests a Samba logon, Samba requests an LDAP bind, which
> in turn should use SASL to authenticate via Kerberos.
The service ticket for the OpenLDAP server is used to authenticate the
connection between Samba and OpenLDAP.
>
> The connection between Samba  and OpenLDAP is working swell.  It is the
> Kerberos connection that has me flummoxed. 
For what purpose is the OpenLDAP server communicating with the KDC?
>
> Simply put, OpenLDAP with SASL2 and GSSAPI support will be running on
> one server, while the Kerberos KDC will be running on another server.  I
> haven't found any documents that address this not-so-wacky design.
>
> So when a document says, run kadmin.local, 
kadmin.local is a version of the kadmin tool that works only on the
local system.  If you are not on the local system you use the 'kadmin'
tool.
> to generate a principal, that
> is not available to me.  If I can ask specifically for what I want, I
> might be able to convince the kerberos administrators to do it for me,
> but I have to be pretty specific about what I want.
You have to explain what you want in this forum as well, otherwise you
won't get very many useful answers.
>
> The docs I'm referring to are
>
> Cyrus SASL for System Administrators
> http://www.sendmail.org/~ca/email/cyrus/sysadmin.html
> <http://www.sendmail.org/%7Eca/email/cyrus/sysadmin.html>
>  
> OpenLDAP 2.2 Administrator's Guide - Using SASL
> http://www.openldap.org/doc/admin22/guide.html#Using%20SASL
>
>
> Thank you for the OpenLDAP config suggestions.  Those are more or less
> consistent with what I read. 
>
> However, in several documents, it was suggested that before you try
> connecting OpenLDAP to Kerberos that you test to make sure your Kerberos
> configuration is working.  
Again the question is connecting OpenLDAP to Kerberos for what purpose?

The KDC is not under your control so you do not have the ability to
create new principals or alter the configurations of the existing ones.

Are you really expecting the OpenLDAP server to establish a network channel
with the KDC?   What messages are you expecting to have sent?

Or are you simply confused about the concept of a service principal and the
associated key?
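
As an added example (not part of this thread, and not code from the
OpenLDAP or MIT Kerberos projects), the following POSIX shell script
turns the advice above into something concrete: it builds the service
principal name the OpenLDAP server needs, prints the exact 'kadmin'
commands to hand to the Kerberos administrators, and checks the keytab
they return.  The realm EXAMPLE.COM, the host ldap.example.com and the
keytab path are assumptions; the 'klist -k' output it parses is a
constructed sample standing in for a real keytab.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenLDAP or MIT Kerberos.
# Realm, host name and keytab path below are assumptions for illustration.

REALM="EXAMPLE.COM"                  # assumed Kerberos realm
LDAP_HOST="ldap.example.com"         # assumed canonical FQDN of the OpenLDAP server
KEYTAB="/etc/openldap/ldap.keytab"   # assumed keytab location on the OpenLDAP server

# Name of the service principal that SASL/GSSAPI in slapd will accept
# tickets for.  The host part must be the canonical FQDN that clients
# resolve for the server; if it differs, clients ask the KDC for a
# principal whose key is not in the keytab and the bind fails.
service_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# The two kadmin commands to hand to the Kerberos administrators.  They
# can run them with remote 'kadmin' (kadmin.local is only for the KDC
# host).  -randkey generates the key on the KDC so nobody types a
# password, and ktadd exports that key into a keytab file, which is then
# copied to the OpenLDAP server over a secure channel and made readable
# only by the account slapd runs as.
kadmin_request() {
    printf 'addprinc -randkey %s\n' "$1"
    printf 'ktadd -k %s %s\n' "$2" "$1"
}

# Read 'klist -k' output on stdin and succeed only if the expected
# principal is present.  MIT klist prints a header, then one line per
# key with the KVNO in column 1 and the principal in column 2.
keytab_has_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Run this on the OpenLDAP server once the keytab is installed.  slapd
# itself never opens a connection to the KDC; it only reads this file.
verify_keytab() {
    klist -k "$1" | keytab_has_principal "$2"
}

# End-to-end smoke test, also run by hand on the OpenLDAP server:
# obtain a TGT from the keytab (this does talk to the KDC, as any
# Kerberos client would) and perform a GSSAPI bind against slapd.
gssapi_smoke_test() {
    kinit -kt "$1" "$2" &&
    ldapsearch -Y GSSAPI -H "ldap://$3/" -b '' -s base '(objectClass=*)'
}

# Constructed sample of 'klist -k' output for the assumed keytab, used
# in place of a real keytab when running this script offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/openldap/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/ldap.example.com@EXAMPLE.COM'
```

Typical use: `PRINC=$(service_principal "$LDAP_HOST" "$REALM")` followed by
`kadmin_request "$PRINC" "$KEYTAB"` gives you the specific request to send
to the Kerberos administrators; once the keytab is installed,
`verify_keytab "$KEYTAB" "$PRINC"` confirms it holds the right principal
and `gssapi_smoke_test "$KEYTAB" "$PRINC" "$LDAP_HOST"` exercises the
whole SASL/GSSAPI path.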