kinit failure with Kerberos and LDAP backend

Berthold Cogel cogel at uni-koeln.de
Sun Oct 21 11:48:46 EDT 2012


On 21.10.2012 08:39, Mark Pröhl wrote:
> On 21.10.2012 00:21, Berthold Cogel wrote:
>> On 19.10.2012 20:02, Mark Pröhl wrote:
>>> Hi,
>>>
>>> is there any difference in the output of the following two search
>>> requests?
>>>
>>> root at kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>>    -b ou=People,dc=uni-koeln,dc=de \
>>>    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'
>>>
>>> root at kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>>    -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>>>    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'
>>>
>>> Regards,
>>>
>>> Mark
>>>
>>>
>>> On 19.10.2012 16:05, Berthold Cogel wrote:
>>>> Hello!
>>>>
>>>> I've configured kerberos with an LDAP backend and I'm now trying to
>>>> fill it with users.
>>>>
>>>> System: RHEL5
>>>> Kerberos: 1.6.1-70.el5 (MIT)
>>>> LDAP: openldap-ltb-2.4.28-1.el5
>>>>
>>>> Kerberos is talking to the local LDAP via LDAPI.
>>>>
>>>> The setup is working for all principals in the kerberos container. I
>>>> can do a kinit and get a ticket...
>>>> I also did a
>>>> kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees ou=people,dc=uni-koeln,dc=de
>>>>
>>>> I did an ldapadd for some testusers followed by an addprinc for each
>>>> testuser. A listprincs shows the principals of these testusers.
>>>>
>>>> But when I try to do a kinit I get this:
>>>>
>>>> kinit a0537
>>>> kinit(v5): Client not found in Kerberos database while getting initial
>>>> credentials
>>>>
>>>> This happens for each principal in the ou=People.
>>>>
>>>> The ldapsearch with the first part of the krb5 request in the LDAP log
>>>> shows this:
>>>>
>>>> ldapsearch -x -ZZ -H ldap://... -D cn=... -W \
>>>>   "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))" \
>>>>   scope=2 deref=0
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <> with scope subtree
>>>> # filter:
>>>> (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))
>>>>
>>>>
>>>> # requesting: scope=2 deref=0
>>>> #
>>>>
>>>> # a0537, People, uni-koeln.de
>>>> dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
>>>>
>>>> # search result
>>>> search: 3
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>>
>>>> So the principal is in the tree. The complete krb5 request in the LDAP
>>>> log looks like this:
>>>>
>>>>
>>>> slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
>>>> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
>>>> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
>>>> slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
>>>> slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))"
>>>> slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>>>> slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>>> slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))"
>>>> slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>>>>
>>>>
>>>> I don't understand what is happening. And I don't know, where to look.
>>>>
>>>>
>>>> Regards
>>>>
>>>> Berthold Cogel
>>>> ________________________________________________
>>>> Kerberos mailing list           Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>
>>>
>>
>> What I get is this:
>>
>>
>> ldapsearch -Y EXTERNAL -H ldapi:// -b ou=People,dc=uni-koeln,dc=de
>> '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'
>>
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=People,dc=uni-koeln,dc=de> with scope subtree
>> # filter:
>> (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))
>>
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>>
>>
>>
>> ldapsearch -Y EXTERNAL -H ldapi:// -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>>   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'
>>
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de> with scope subtree
>> # filter:
>> (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))
>>
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 32 No such object
>>
>> # numResponses: 1
>>
>>
>> Regards
>>
>> Berthold
>>
> 
> Sorry, I missed that MIT is not using SASL/EXTERNAL. Please try again with
> 
> root at kdc # ldapsearch -x -D <BIND_DN> -W -H ldapi:// -b ou=People,dc=uni-koeln,dc=de \
>    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<USER_1>@RRZ.UNI-KOELN.DE))'
> 
> root at kdc # ldapsearch -x -D <BIND_DN> -W -H ldapi:// -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<USER_2>@RRZ.UNI-KOELN.DE))'
> 
> - Replace <BIND_DN> by the value of ldap_kdc_dn from your
>   kdc.conf (or krb5.conf)
> 
> - Replace <USER_1> by a kerberos principal entry that is
>   stored below ou=People
> 
> - Replace <USER_2> by a kerberos principal entry that is
>   stored below cn=RRZ.UNI-KOELN.DE,ou=Kerberos
> 
> 
> Do these LDAP searches result in different attribute sets?
> 
> Regards,
> 
> Mark Pröhl
> 
> 

There are additional attributes for the ou=People.

At the moment we're still using NIS and AFS on our linux systems. I want
the LDAP to provide a NIS replacement and authenticate via AFS and/or
KRB5 so I can gradually move our systems to KRB5. AFS, KRB5 and LDAP
will be provisioned from an identity management system in the near
future and I'm trying to provide the infrastructure for our systems.


ldapsearch -x -D xxxxxx -W -H ldapi:// -b ou=People,dc=uni-koeln,dc=de
'(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=uni-koeln,dc=de> with scope subtree
# filter:
(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))
# requesting: ALL
#

# a0537, People, uni-koeln.de
dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
uidNumber: ....
givenName: Berthold
uid: a0537
employeeType: active
sn: Cogel
gidNumber: ...
cn: Berthold Cogel
mail: a0537
homeDirectory: /afs/...
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
userPassword:: ....
krbPrincipalName: a0537 at RRZ.UNI-KOELN.DE
krbPwdPolicyReference: cn=default,cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de
krbPrincipalKey:: ...
krbLastPwdChange: 20121019122736Z
krbExtraData:: ....

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


ldapsearch -x -D xxxxxx -W -H ldapi:// -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
  '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=bco at RRZ.UNI-KOELN.DE))'

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de> with scope subtree
# filter:
(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=bco at RRZ.UNI-KOELN.DE))
# requesting: ALL
#

# bco at RRZ.UNI-KOELN.DE, RRZ.UNI-KOELN.DE, Kerberos, uni-koeln.de
dn: krbPrincipalName=bco at RRZ.UNI-KOELN.DE,cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de
krbPrincipalName: bco at RRZ.UNI-KOELN.DE
krbPrincipalKey:: ....
krbLastPwdChange: 20120529092551Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbPwdPolicyReference: cn=default,cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de
krbExtraData:: ...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Regards

Berthold

