Kerberos and LDAP (Some more logs)

Ronni Feldt rofe at one.com
Thu Oct 30 05:55:35 EDT 2008


Some more logs:

From lookout (also known as ldap and kerberos)
/var/log/auth.log
Oct 30 10:29:02 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: ISSUE: authtime 1225358942, etypes {rep=16 tkt=16 ses=16}, ronni@ONE.COM for krbtgt/ONE.COM@ONE.COM

/var/log/syslog
Oct 30 10:29:02 lookout slapd[28071]: conn=93 fd=15 ACCEPT from IP=192.168.212.93:40131 (IP=0.0.0.0:389)
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=0 BIND dn="" method=128
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=0 RESULT tag=97 err=0 text=
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=1 SRCH base="dc=one,dc=com" scope=2 deref=0 filter="(uid=ronni)"
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 30 10:29:02 lookout slapd[28071]: conn=93 fd=15 closed (connection lost)

- Ronni



On Thu, 2008-10-30 at 10:36 +0100, Ronni Feldt wrote:
> Hi,
> 
> I'm still trying to get this to work.
> 
> Server: Debian Etch (3 hostnames=lookout, ldap and kerberos,
> ip=192.168.212.15)
> Workstation: Ubuntu 8.04 (hostname=rofe.one.com, ip=192.168.212.93)
> 
> I have followed the following guides:
> http://techpubs.spinlocksolutions.com/dklar/kerberos.html
> http://techpubs.spinlocksolutions.com/dklar/ldap.html
> 
> Created my own user "ronni" the same way as the user "mirko" is.
> 
> From my workstation I can do:
> kinit ronni
> ldapsearch -x
> which both work.
> 
> ldapsearch -x gives this output:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=one,dc=com> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # one.com
> dn: dc=one,dc=com
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: one.com
> dc: one
> 
> # admin, one.com
> dn: cn=admin,dc=one,dc=com
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: admin
> description: LDAP administrator
> 
> # People, one.com
> dn: ou=People,dc=one,dc=com
> ou: People
> objectClass: organizationalUnit
> 
> # Group, one.com
> dn: ou=Group,dc=one,dc=com
> ou: Group
> objectClass: organizationalUnit
> 
> # ronni, group, one.com
> dn: cn=ronni,ou=group,dc=one,dc=com
> cn: ronni
> gidNumber: 20000
> objectClass: top
> objectClass: posixGroup
> 
> # ronni, people, one.com
> dn: uid=ronni,ou=people,dc=one,dc=com
> uid: ronni
> uidNumber: 20000
> gidNumber: 20000
> cn: Ronni
> sn: Ronni
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> loginShell: /bin/bash
> homeDirectory: /home/ronni
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 7
> # numEntries: 6
> 
> 
> 
> When I try to log in it doesn't work, it just returns to the login screen
> with no message.
> Login screen:
> 8.04.1 rofe tty2
> rofe login:
> 
> If I do this on lookout:
> tcpdump -i eth0.212 'tcp port 389'
> tcpdump -i eth0.212 'udp 88'
> 
> I get the following:
> 
> tcpdump 'tcp port 389'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0.212, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:29:02.699116 IP rofe.one.com.40131 > 192.168.212.15.ldap: S 2718092773:2718092773(0) win 5840 <mss 1460,sackOK,timestamp 14666346 0,nop,wscale 7>
> 10:29:02.699148 IP 192.168.212.15.ldap > rofe.one.com.40131: S 1225469498:1225469498(0) ack 2718092774 win 5792 <mss 1460,sackOK,timestamp 1404889037 14666346,nop,wscale 7>
> 10:29:02.699293 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 1 win 46 <nop,nop,timestamp 14666346 1404889037>
> 10:29:02.699328 IP rofe.one.com.40131 > 192.168.212.15.ldap: P 1:15(14) ack 1 win 46 <nop,nop,timestamp 14666346 1404889037>
> 10:29:02.699341 IP 192.168.212.15.ldap > rofe.one.com.40131: . ack 15 win 46 <nop,nop,timestamp 1404889037 14666346>
> 10:29:02.699994 IP 192.168.212.15.ldap > rofe.one.com.40131: P 1:15(14) ack 15 win 46 <nop,nop,timestamp 1404889037 14666346>
> 10:29:02.700130 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 15 win 46 <nop,nop,timestamp 14666347 1404889037>
> 10:29:02.700207 IP rofe.one.com.40131 > 192.168.212.15.ldap: P 15:68(53) ack 15 win 46 <nop,nop,timestamp 14666347 1404889037>
> 10:29:02.700515 IP 192.168.212.15.ldap > rofe.one.com.40131: P 15:270(255) ack 68 win 46 <nop,nop,timestamp 1404889038 14666347>
> 10:29:02.700549 IP 192.168.212.15.ldap > rofe.one.com.40131: P 270:284(14) ack 68 win 46 <nop,nop,timestamp 1404889038 14666347>
> 10:29:02.700737 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 284 win 54 <nop,nop,timestamp 14666347 1404889038>
> 10:29:02.701674 IP rofe.one.com.40131 > 192.168.212.15.ldap: F 68:68(0) ack 284 win 54 <nop,nop,timestamp 14666347 1404889038>
> 10:29:02.701790 IP 192.168.212.15.ldap > rofe.one.com.40131: F 284:284(0) ack 69 win 46 <nop,nop,timestamp 1404889038 14666347>
> 10:29:02.702319 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 285 win 54 <nop,nop,timestamp 14666347 1404889038>
> 
> 
> 
> tcpdump 'udp 88'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0.212, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:29:02.693809 IP rofe.one.com.50355 > 192.168.212.15.kerberos:  v5
> 10:29:02.695165 IP 192.168.212.15.kerberos > rofe.one.com.50355:  v5
> 
> 
> tail /var/log/auth.log on workstation says this:
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): check pass; user unknown
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): authentication failure; logname=rofe uid=0 euid=0 tty=tty2 ruser= rhost=
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:account): could not identify user (from getpwnam(ronni))
> 
> 
> 
> What have I missed?
> 
> - Ronni
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
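
[Editor's note] The three log sources in this thread can be read against each other, and doing so narrows the problem before anyone touches a config file. The KDC line ends in ISSUE (a TGT was handed out for ronni@ONE.COM), slapd answered the search for (uid=ronni) with err=0 nentries=1 (the directory has the account), and the workstation's own pam_unix line says getpwnam(ronni) returned nothing. getpwnam() is resolved by NSS on the client, so the gap sits between the LDAP answer and the client's NSS layer, not at the KDC or in the directory. The slapd lines also show something worth noticing from a security standpoint: the account lookup is done with an anonymous simple bind (dn="" method=128) over plain port 389, and the 14-byte request/response pair at the start of the tcpdump is exactly the size of an anonymous LDAPv3 BindRequest and its success BindResponse. The script below is an added example, not code from the poster or from the guides cited; it embeds constructed copies of the posted lines (with the list archive's " at " restored to "@" in the KDC line), and the function names and verdict labels ("kdc", "directory", "client-nss") are its own. A "client-nss" verdict is the next place to look, not a confirmed root cause.

```python
"""Correlate KDC, slapd and pam_unix log lines from one failed LDAP/Kerberos login.

Added example for this thread; not the poster's code. The sample lines are
constructed to match what was posted. Function names and verdict labels are
this example's own.
"""
import re

# --- constructed sample input (modelled on the posted logs) -------------------
KDC_LOG = """\
Oct 30 10:29:02 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: ISSUE: authtime 1225358942, etypes {rep=16 tkt=16 ses=16}, ronni@ONE.COM for krbtgt/ONE.COM@ONE.COM
"""
SLAPD_LOG = """\
Oct 30 10:29:02 lookout slapd[28071]: conn=93 fd=15 ACCEPT from IP=192.168.212.93:40131 (IP=0.0.0.0:389)
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=0 BIND dn="" method=128
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=0 RESULT tag=97 err=0 text=
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=1 SRCH base="dc=one,dc=com" scope=2 deref=0 filter="(uid=ronni)"
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 30 10:29:02 lookout slapd[28071]: conn=93 fd=15 closed (connection lost)
"""
CLIENT_LOG = """\
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): check pass; user unknown
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): authentication failure; logname=rofe uid=0 euid=0 tty=tty2 ruser= rhost=
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:account): could not identify user (from getpwnam(ronni))
"""

# --- line patterns ------------------------------------------------------------
# krb5kdc: an AS_REQ line ending in ISSUE means a TGT was handed out.
KDC_ISSUE = re.compile(
    r"krb5kdc\[\d+\]: AS_REQ .*?(?P<ip>\d+\.\d+\.\d+\.\d+): ISSUE: .*?, "
    r"(?P<princ>[^\s,]+) for krbtgt/"
)
# slapd: method=128 is a simple bind, dn="" makes it anonymous; slapd logs
# "TLS established" on a connection that negotiated STARTTLS.
ACCEPT = re.compile(r"conn=(?P<c>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+ \(IP=[\d.]+:(?P<port>\d+)\)")
BIND = re.compile(r'conn=(?P<c>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<m>\d+)')
TLS = re.compile(r"conn=(?P<c>\d+) fd=\d+ TLS established")
SRCH = re.compile(r'conn=(?P<c>\d+) op=(?P<op>\d+) SRCH base="[^"]*" .*?filter="(?P<f>[^"]*)"')
SRCH_RESULT = re.compile(r"conn=(?P<c>\d+) op=(?P<op>\d+) SEARCH RESULT tag=\d+ err=(?P<err>\d+) nentries=(?P<n>\d+)")
# pam_unix: getpwnam() goes through NSS; this line means NSS returned no entry.
GETPWNAM_FAIL = re.compile(r"could not identify user \(from getpwnam\((?P<user>[^)]+)\)\)")
UID_FILTER = re.compile(r"\(uid=(?P<uid>[^)]+)\)")


def parse_slapd(log):
    """Group slapd lines by connection: peer, bind, TLS state and uid searches."""
    conns = {}

    def conn(cid):
        return conns.setdefault(cid, {"ip": None, "port": None, "dn": None,
                                      "method": None, "tls": False, "searches": {}})

    for line in log.splitlines():
        if m := ACCEPT.search(line):
            conn(m["c"]).update(ip=m["ip"], port=int(m["port"]))
        elif m := BIND.search(line):
            conn(m["c"]).update(dn=m["dn"], method=int(m["m"]))
        elif m := TLS.search(line):
            conn(m["c"])["tls"] = True
        elif m := SRCH.search(line):
            conn(m["c"])["searches"][m["op"]] = {"filter": m["f"], "err": None, "nentries": 0}
        elif m := SRCH_RESULT.search(line):
            s = conn(m["c"])["searches"].get(m["op"])
            if s is not None:
                s.update(err=int(m["err"]), nentries=int(m["n"]))
    return conns


def triage(kdc_log, slapd_log, client_log):
    """For each user NSS failed to resolve, name the tier to examine next."""
    tgt_issued = {}
    for line in kdc_log.splitlines():
        if m := KDC_ISSUE.search(line):
            tgt_issued[m["princ"].split("@", 1)[0]] = m["ip"]

    directory_has_user, anonymous_cleartext = {}, []
    for cid, c in parse_slapd(slapd_log).items():
        # Anonymous simple bind on the plain LDAP port with no STARTTLS seen.
        if c["dn"] == "" and c["method"] == 128 and c["port"] == 389 and not c["tls"]:
            anonymous_cleartext.append((cid, c["ip"], c["port"]))
        for s in c["searches"].values():
            if u := UID_FILTER.fullmatch(s["filter"]):
                directory_has_user[u["uid"]] = s["err"] == 0 and s["nentries"] > 0

    unresolved = {m["user"] for line in client_log.splitlines()
                  if (m := GETPWNAM_FAIL.search(line))}
    verdict = {}
    for user in unresolved:
        if user not in tgt_issued:
            verdict[user] = "kdc"           # no TGT: start with kinit / the KDC
        elif not directory_has_user.get(user):
            verdict[user] = "directory"     # TGT issued, but slapd found no entry
        else:
            verdict[user] = "client-nss"    # both servers know the user; client NSS does not
    return {"tgt_issued": tgt_issued, "directory_has_user": directory_has_user,
            "anonymous_cleartext_ldap": anonymous_cleartext, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(KDC_LOG, SLAPD_LOG, CLIENT_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is and the verdict for ronni comes out "client-nss", with the anonymous cleartext bind from 192.168.212.93 on conn=93 flagged separately; feed it a slapd log with nentries=0 instead and the same login attempt is blamed on the directory. The point of keeping the two findings apart is that the cleartext anonymous lookup is not what breaks the login, but it is what an attacker on the same VLAN sees every time someone logs in.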



