Questions on openldap and kerberos....

John Tobin jtobin at po-box.esu.edu
Fri Jan 4 16:31:07 EST 2013 

Dear Kerveros,

Please inform me if this is inappropriate for the kerberos forum,
I understand this is probably a user bug...
I have looked under a number of different pieces of documentation,
I am probably looking in the wrong places.
Assistance is requested from those who may be able to provide guidance.
I may even try to document my efforts if that will make it reasonable for
rookies [like me!]
Sorry for the length.

I have installed kerberos 1.10.2 from suse 12.2.
I have installed openldap 2.22.2 from suse 12.2 also.
I am assuming that there are a few people who have this working.

I have followed the Chapter 6 of the suse admin guide:³Network
authentication with Kerberos² from
http://doc.opensuse.org/documentation/html/opensuse121.....:
And followed the directions from 6.4.11. Using Ldap and Kerberos
This set of directions creates the  principal:
Ldap/ldap.dark1.net,
And tells me to add this entry to the keytab:
kadmin: ktadd ldap/ldap.dark1.net

Then goes over options for making the keytab readable by ldap [group], which
I did.

The suse documentation has been my guide to get kerberos working, and that
has been successful.

I can login with a kerberos id using ssh, as well as login with a standard
id, so I assume kerberos is working.

A standard ldapsearch ­x ­b for a known id works [the ­x allows ldapsearch
to work without sasl ­ so without kerberos],
A [I assume kerberos] ldapsearch ­b Œdc=dark1,dc=net¹... Does not, see the
errors in the case doc.

Below I have a quick outline of the case :
current status of tasks for kerberos and ldap,
the 2 queries,
Kdc.conf
krb5.conf
Ldap.conf [client]

Assistance would be appreciated.

Sincerely, 
tob

kerberos1:/etc/init.d # ps -ef| grep kadmi
root      8874     1  0 11:40 ?        00:00:00 /usr/lib/mit/sbin/kadmind
root      9785  3408  0 15:32 pts/0    00:00:00 grep --color=auto kadmi
kerberos1:/etc/init.d # ps -ef|grep krb
jctobin   2852  2566  0 08:35 ?        00:00:02 /usr/bin/krb5-auth-dialog
root      8884     1  0 11:40 ?        00:00:00 /usr/lib/mit/sbin/krb5kdc
root      9787  3408  0 15:32 pts/0    00:00:00 grep --color=auto krb
kerberos1:/etc/init.d # ps -ef |grep slap
root      8472     1  0 11:12 ?        00:00:00 /usr/lib/openldap/slapd -h
ldap:///  ldapi:/// -F /etc/openldap/slapd.d -o slp=on
root      9789  3408  0 15:32 pts/0    00:00:00 grep --color=auto slap


$$$$$


kerberos1:~ # ldapsearch -x  -h kerberos1.dark1.net -b 'dc=dark1,dc=net'
'(uid=jtobin)' 
# extended LDIF
#
# LDAPv3
# base <dc=dark1,dc=net> with scope subtree
# filter: (uid=jtobin)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


$$$$$


kerberos1:~ # ldapsearch -h kerberos1.dark1.net -b 'dc=dark1,dc=net'
'(uid=jtobin)' 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_0' not found)


$$$$


kerberos1:/var/lib/kerberos/krb5kdc # cat kdc.conf
[kdcdefaults]
        kdc_ports = 750,88

[realms]
        DARK1.NET = {
                database_name = /var/lib/kerberos/krb5kdc/principal
                admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
                acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
                dict_file = /var/lib/kerberos/krb5kdc/kadm5.dict
                key_stash_file = /var/lib/kerberos/krb5kdc/.k5.DARK1.NET
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
        }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
kerberos1:/var/lib/kerberos/krb5kdc #

$$$$$

kerberos1:/etc # cat krb5.conf
[libdefaults]
        default_realm = DARK1.NET
        clockskew = 600

[realms]
DARK1.NET = {
        kdc = kerberos1.dark1.net
        default_domain = dark1.net
        admin_server = kerberos1.dark1.net
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = true
        minimum_uid = 1
        clockskew = 600
        external = sshd
        use_shmem = sshd
        debug = true
        initial_prompt = true
        validate = true
}

# [domain_realm]
        .dark1.net = DARK1.NET
kerberos1:/etc # 

$$$$$




kerberos1:~ # cat /etc/ldap.conf

# The distinguished name of the search base.
base    dc=dark1,dc=net

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri     ldap://kerberos1.dark1.net
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version    3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

# The port.
# Optional: default is 389.
port    389

# The search scope.

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy:
#  hard_open: reconnect to DSA with exponential backoff if
#             opening connection failed
#  hard_init: reconnect to DSA with exponential backoff if
#             initializing connection failed
#  hard:      alias for hard_open
#  soft:      return immediately on server failure
bind_policy     soft

# Connection policy:
#  persist:   DSA connections are kept open (default)
#  oneshot:   DSA connections destroyed after request
#nss_connect_policy persist

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Use paged rseults
#nss_paged_results yes

# Pagesize: when paged results enable, used to set the
# pagesize to a custom value
#pagesize 1000

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server). Make use of
# Password Policy LDAP Control (as in OpenLDAP)
pam_lookup_policy       yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
pam_password    clear

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your
password.

# Use backlinks for answering initgroups()
#nss_initgroups backlink

# returns NOTFOUND if nss_ldap's initgroups() is called
# for users specified in nss_initgroups_ignoreusers
# (comma separated)
nss_initgroups_ignoreusers      root,ldap

# Enable support for RFC2307bis (distinguished names in group
# members)
nss_schema      rfc2307bis

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,dc=example,dc=com?one
#nss_base_shadow        ou=People,dc=example,dc=com?one
#nss_base_group         ou=Group,dc=example,dc=com?one
#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
#nss_base_services      ou=Services,dc=example,dc=com?one
#nss_base_networks      ou=Networks,dc=example,dc=com?one
#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
nss_map_attribute       uniqueMember uniqueMember
pam_filter      objectClass=posixAccount
tls_cacertdir   /etc/openldap/certs
tls_cacertfile  /etc/openldap/certs/cacert.pem
ssl     start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
kerberos1:~ #

More information about the Kerberos mailing list