Help with SASL/GSSAPI to remote Kerberos server
Wes Modes
wmodes at ucsc.edu
Tue Feb 19 19:49:38 EST 2008
Jeffrey Altman wrote:
> Wes Modes wrote:
>> To clarify.
>> To separate and modularize some of these services, we have three
>> servers: A file server running Samba; A directory server running
>> OpenLDAP to provide personal and group identities; and an authentication
>> server running Kerberos (administered by another group). Samba connects
>> to OpenLDAP through smbldap-tools. And OpenLDAP connects to the
>> Kerberos server via SASL/GSSAPI.
>
> smbldap-tools contacts the KDC (Kerberos server) and obtains a service
> ticket for the OpenLDAP server. In order for this to be possible there
> must be a service principal in the KDC database for the OpenLDAP service
> and a keytab containing the matching key(s) must be installed on the
> OpenLDAP server.
I understand that you are saying that instead of the ldap-bind, one can
configure smbldap-tools to do a Kerberos authentication instead. In
that configuration, one would not need SASL at all.
In my case, smbldap-tools are running on the Samba server, and while it
might be possible (and I might be forced to) configure smbldap-tools to
do the kerberos auth, I'd like to do it indirectly via LDAP and
SASL/GSSAPI. Reason for this is that eventually, our campus kerberos
service will be replaced with a secure LDAP auth.
But it remains an open question for me whether it is possible to have
Samba/smbldap-tools ask LDAP/GSSAPI which indirectly asks Kerberos for
authentication.
>
>>
>> When someone requests a Samba logon, Samba requests an LDAP bind, which
>> in turn should use SASL to authenticate via Kerberos.
> The service ticket for the OpenLDAP server is used to authenticate the
> connection between Samba and OpenLDAP.
Right now I don't have a problem connecting OpenLDAP and Samba via TLS
authentication.
>>
>> The connection between Samba and OpenLDAP is working swell. It is the
>> Kerberos connection that has me flummoxed.
> For what purpose is the OpenLDAP server communicating with the KDC?
See above.
>>
>> Simply put, OpenLDAP with SASL2 and GSSAPI support will be running on
>> one server, while the Kerberos KDC will be running on another server. I
>> haven't found any documents that address this not-so-wacky design.
>>
>> So when a document says, run kadmin.local,
> kadmin.local is a version of the kadmin tool that works only on the
> local system.
> If you are not on the local system you use the 'kadmin' tool.
I get
root# kadmin
Authenticating as principal wmodes/admin at CATS.UCSC.EDU with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
>> to generate a principal, that
>> is not available to me. If I can ask specifically for what I want, I
>> might be able to convince the kerberos administrators to do it for me,
>> but I have to be pretty specific about what I want.
> You have to explain what you want in this forum as well, otherwise you
> won't get very many useful answers.
>>
>> The docs I'm referring to are
>>
>> Cyrus SASL for System Administrators
>> http://www.sendmail.org/~ca/email/cyrus/sysadmin.html
>>
>> OpenLDAP 2.2 Administrator's Guide - Using SASL
>> http://www.openldap.org/doc/admin22/guide.html#Using%20SASL
>>
>>
>> Thank you for the OpenLDAP config suggestions. Those are more or less
>> consistent with what I read.
>> However, in several documents, it was suggested that before you try
>> connecting OpenLDAP to Kerberos that you test to make sure your Kerberos
>> configuration is working.
> Again the question is connecting OpenLDAP to Kerberos for what purpose?
>
> The KDC is not under your control so you do not have the ability to
> create new principals or alter the configurations of the existing ones.
Well I have access but only through the proxy of its system
administrators...
>
> Are you really expecting the OpenLDAP server to establish a network
> channel with the KDC? What messages are you expecting to have sent?
I'm hoping that where it now does an ldap-bind at the request of the SMB
server, it can instead authenticate against the KDC via GSSAPI.
>
> Or are you simply confused about the concept of a service principal
> and the associated key?
As I understand it, before the KDC will allow a server access, it needs
to ensure that the server is allowed that access. So it does a key
match to certify that the server is who it says it is, and checks to see
if it is a principal.
Or I may just be completely confused about everything. Which would
certainly account for some of my vagueness, for which I apologize. On
the other hand, if I understood enough to ask perfectly intelligent
questions, I suspect I might have already been able to suss out the
answer from the reams of info I've already read.
W.
--
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
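The thread turns on three practical steps: asking the KDC administrators for a service principal and a keytab (the "be pretty specific about what I want" problem), verifying that the keytab actually holds the expected key, and then trying a SASL/GSSAPI bind. The script below is an added example, not part of the original post or of any of the projects mentioned; the host name ldap.example.edu, the realm EXAMPLE.EDU, the keytab paths and the sample klist output are all constructed placeholders. The live commands (kadmin, klist, kinit, ldapwhoami) are the standard MIT Kerberos and OpenLDAP tools; the sample-driven checks run offline.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenLDAP server that should accept
# SASL/GSSAPI binds against a KDC run by another group.
# All names below (ldap.example.edu, EXAMPLE.EDU, keytab paths) are assumed
# placeholders, not values from the original thread.

# Print the exact kadmin commands to hand to the KDC administrators:
# create the ldap/<host> service principal with a random key and export
# that key into a keytab file that is then copied to the OpenLDAP host.
kadmin_request() {
    host="$1"; realm="$2"; keytab="${3:-/tmp/ldap.keytab}"
    printf 'addprinc -randkey ldap/%s@%s\n' "$host" "$realm"
    printf 'ktadd -k %s ldap/%s@%s\n' "$keytab" "$host" "$realm"
}

# Given the text printed by `klist -k <keytab>`, return 0 if some entry's
# principal column equals the wanted principal, 1 otherwise.
keytab_has_principal() {
    klist_output="$1"; principal="$2"
    printf '%s\n' "$klist_output" |
        awk -v p="$principal" '$NF == p { found = 1 } END { exit (found ? 0 : 1) }'
}

# Constructed sample of `klist -k` output for a host that has only its
# host/ key installed and is therefore missing the ldap/ service key.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldap.example.edu@EXAMPLE.EDU
   3 host/ldap.example.edu@EXAMPLE.EDU'

# Live check: read the real keytab if present, otherwise fall back to the
# constructed sample so the script still demonstrates the logic offline.
check_keytab() {
    keytab="${1:-/etc/krb5.keytab}"; principal="$2"
    if [ -r "$keytab" ]; then
        out=$(klist -k "$keytab") || { echo "klist -k $keytab failed"; return 2; }
    else
        out="$SAMPLE_KLIST"
    fi
    if keytab_has_principal "$out" "$principal"; then
        echo "ok: $principal present in $keytab"
    else
        echo "missing: $principal not in $keytab (ask the KDC admins for ktadd)"
        return 1
    fi
}

# End-to-end test of the bind path: get a ticket from the keytab (no password
# prompt, as the Samba host would do) and bind to OpenLDAP with SASL/GSSAPI.
# Only meaningful on a host with working Kerberos and LDAP tools.
gssapi_bind_test() {
    keytab="$1"; client_principal="$2"; ldap_host="$3"
    kinit -kt "$keytab" "$client_principal" || return 1
    ldapwhoami -Y GSSAPI -H "ldap://$ldap_host"
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    # Live mode: assumed principal names, substitute your own.
    check_keytab /etc/krb5.keytab ldap/ldap.example.edu@EXAMPLE.EDU
    gssapi_bind_test /etc/samba-client.keytab samba/files.example.edu@EXAMPLE.EDU ldap.example.edu
else
    echo "Commands to request from the KDC administrators:"
    kadmin_request ldap.example.edu EXAMPLE.EDU /tmp/ldap.keytab
    check_keytab /nonexistent/keytab ldap/ldap.example.edu@EXAMPLE.EDU
fi
```

Run it as-is to see the request text and the keytab check against the constructed sample; set RUN_LIVE=1 on a host that has the keytab and the Kerberos/LDAP client tools to exercise the real kinit and ldapwhoami path. The keytab check only looks at the principal column, so a keytab whose key version (KVNO) no longer matches the KDC would still pass it; that mismatch shows up at the ldapwhoami step instead.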