Kerberos and LDAP

Ronni Feldt rofe at one.com
Thu Oct 30 05:36:35 EDT 2008


Hi,

I'm still trying to get this to work.

Server: Debian Etch (3 hostnames=lookout, ldap and kerberos, ip=192.168.212.15)
Workstation: Ubuntu 8.04 (hostname=rofe.one.com, ip=192.168.212.93)

I have followed the following guides:
http://techpubs.spinlocksolutions.com/dklar/kerberos.html
http://techpubs.spinlocksolutions.com/dklar/ldap.html

Created my own user "ronni" the same way as the user "mirko" is.

From my workstation I can do:
kinit ronni
ldapsearch -x
which both work.

ldapsearch -x gives this output:
# extended LDIF
#
# LDAPv3
# base <dc=one,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# one.com
dn: dc=one,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: one.com
dc: one

# admin, one.com
dn: cn=admin,dc=one,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# People, one.com
dn: ou=People,dc=one,dc=com
ou: People
objectClass: organizationalUnit

# Group, one.com
dn: ou=Group,dc=one,dc=com
ou: Group
objectClass: organizationalUnit

# ronni, group, one.com
dn: cn=ronni,ou=group,dc=one,dc=com
cn: ronni
gidNumber: 20000
objectClass: top
objectClass: posixGroup

# ronni, people, one.com
dn: uid=ronni,ou=people,dc=one,dc=com
uid: ronni
uidNumber: 20000
gidNumber: 20000
cn: Ronni
sn: Ronni
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/ronni

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6



When I try to log in it doesn't work, it just returns to the login screen
with no message.
Login screen:
8.04.1 rofe tty2
rofe login:

If I do this on lookout:
tcpdump -i eth0.212 'tcp port 389'
tcpdump -i eth0.212 'udp port 88'

I get the following:

tcpdump 'tcp port 389'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.212, link-type EN10MB (Ethernet), capture size 96 bytes
10:29:02.699116 IP rofe.one.com.40131 > 192.168.212.15.ldap: S 2718092773:2718092773(0) win 5840 <mss 1460,sackOK,timestamp 14666346 0,nop,wscale 7>
10:29:02.699148 IP 192.168.212.15.ldap > rofe.one.com.40131: S 1225469498:1225469498(0) ack 2718092774 win 5792 <mss 1460,sackOK,timestamp 1404889037 14666346,nop,wscale 7>
10:29:02.699293 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 1 win 46 <nop,nop,timestamp 14666346 1404889037>
10:29:02.699328 IP rofe.one.com.40131 > 192.168.212.15.ldap: P 1:15(14) ack 1 win 46 <nop,nop,timestamp 14666346 1404889037>
10:29:02.699341 IP 192.168.212.15.ldap > rofe.one.com.40131: . ack 15 win 46 <nop,nop,timestamp 1404889037 14666346>
10:29:02.699994 IP 192.168.212.15.ldap > rofe.one.com.40131: P 1:15(14) ack 15 win 46 <nop,nop,timestamp 1404889037 14666346>
10:29:02.700130 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 15 win 46 <nop,nop,timestamp 14666347 1404889037>
10:29:02.700207 IP rofe.one.com.40131 > 192.168.212.15.ldap: P 15:68(53) ack 15 win 46 <nop,nop,timestamp 14666347 1404889037>
10:29:02.700515 IP 192.168.212.15.ldap > rofe.one.com.40131: P 15:270(255) ack 68 win 46 <nop,nop,timestamp 1404889038 14666347>
10:29:02.700549 IP 192.168.212.15.ldap > rofe.one.com.40131: P 270:284(14) ack 68 win 46 <nop,nop,timestamp 1404889038 14666347>
10:29:02.700737 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 284 win 54 <nop,nop,timestamp 14666347 1404889038>
10:29:02.701674 IP rofe.one.com.40131 > 192.168.212.15.ldap: F 68:68(0) ack 284 win 54 <nop,nop,timestamp 14666347 1404889038>
10:29:02.701790 IP 192.168.212.15.ldap > rofe.one.com.40131: F 284:284(0) ack 69 win 46 <nop,nop,timestamp 1404889038 14666347>
10:29:02.702319 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 285 win 54 <nop,nop,timestamp 14666347 1404889038>



tcpdump 'udp port 88'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.212, link-type EN10MB (Ethernet), capture size 96 bytes
10:29:02.693809 IP rofe.one.com.50355 > 192.168.212.15.kerberos:  v5
10:29:02.695165 IP 192.168.212.15.kerberos > rofe.one.com.50355:  v5


tail /var/log/auth.log on workstation says this:
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): check pass; user unknown
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): authentication failure; logname=rofe uid=0 euid=0 tty=tty2 ruser= rhost=
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:account): could not identify user (from getpwnam(ronni))



What have I missed?

- Ronni
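
The auth.log lines in the message above record pam_unix failing at account lookup (getpwnam() returned no passwd entry for the user), not a rejected password. As an added example, not part of the original post, this Python code classifies pam_unix lines along that distinction; the sample input is the post's three log lines unwrapped, and the verdict labels and function name are chosen here for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three auth.log lines from the post, unwrapped.
SAMPLE_LOG = """\
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): check pass; user unknown
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): authentication failure; logname=rofe uid=0 euid=0 tty=tty2 ruser= rhost=
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:account): could not identify user (from getpwnam(ronni))
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"pam_unix\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
GETPWNAM_RE = re.compile(r"could not identify user \(from getpwnam\((?P<user>[^)]*)\)\)")


def classify(log_text):
    """Group pam_unix lines by (host, pid) and label each login attempt."""
    attempts = defaultdict(lambda: {"user": None, "unknown": False, "auth_fail": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # not a pam_unix line
        a = attempts[(m["host"], int(m["pid"]))]
        g = GETPWNAM_RE.search(m["msg"])
        if g:
            a["user"], a["unknown"] = g["user"], True
        elif "user unknown" in m["msg"]:
            a["unknown"] = True
        elif m["msg"].startswith("authentication failure"):
            a["auth_fail"] = True
    results = {}
    for key, a in attempts.items():
        if a["unknown"]:
            verdict = "account-lookup"  # no passwd entry visible to getpwnam()
        elif a["auth_fail"]:
            verdict = "credential"      # account resolved, authentication rejected
        else:
            verdict = "other"
        results[key] = (a["user"], verdict)
    return results
```

An "account-lookup" verdict means the name service on the workstation returned no entry for the user, which can be confirmed there with `getent passwd ronni`.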



