This is my first time configuring SASL and I am lost.
I have Samba 4 as an AD controller and I installed Kerberos.
kinit already succeeds, but SASL cannot authenticate anything.
I tried setting it to kerberos, and this is the error:
root@mail:/usr/lib/sasl2# saslauthd -a kerberos5 -d
saslauthd[20269] :main : num_procs : 5
saslauthd[20269] :main : mech_option: NULL
saslauthd[20269] :main : run_path : /var/run/saslauthd
saslauthd[20269] :main : auth_mech : kerberos5
saslauthd[20269] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[20269] :detach_tty : master pid is: 0
saslauthd[20269] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[20269] :main : using process model
saslauthd[20269] :have_baby : forked child: 20270
saslauthd[20270] :get_accept_lock : acquired accept lock
saslauthd[20269] :have_baby : forked child: 20271
saslauthd[20269] :have_baby : forked child: 20272
saslauthd[20269] :have_baby : forked child: 20273
saslauthd[20270] :rel_accept_lock : released accept lock
saslauthd[20271] :get_accept_lock : acquired accept lock
saslauthd[20270] :do_auth : auth failure: [user=prd] [service=imap] [realm=innowareindonesia.co.id] [mech=kerberos5] [reason=saslauthd internal error]
When I try to use LDAP, this is the error:
root@mail:/usr/lib/sasl2# saslauthd -a ldap -d
saslauthd[20275] :main : num_procs : 5
saslauthd[20275] :main : mech_option: NULL
saslauthd[20275] :main : run_path : /var/run/saslauthd
saslauthd[20275] :main : auth_mech : ldap
saslauthd[20275] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[20275] :detach_tty : master pid is: 0
saslauthd[20275] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[20275] :main : using process model
saslauthd[20275] :have_baby : forked child: 20276
saslauthd[20276] :get_accept_lock : acquired accept lock
saslauthd[20275] :have_baby : forked child: 20277
saslauthd[20275] :have_baby : forked child: 20278
saslauthd[20275] :have_baby : forked child: 20279
saslauthd[20276] :rel_accept_lock : released accept lock
saslauthd[20277] :get_accept_lock : acquired accept lock
saslauthd[20276] :do_auth : auth failure: [user=prd] [service=imap] [realm=innowareindonesia.co.id] [mech=ldap] [reason=Unknown]
saslauthd[20276] :do_request : response: NO
This is my /etc/saslauthd.conf:
root@mail:/usr/lib/sasl2# cat /etc/saslauthd.conf
ldap_servers: ldaps://auth.innowareindonesia.co.id:636/
ldap_version: 3
ldap_auth_method: bind
ldap_search_base: cn=Users,dc=innowareindonesia,dc=co,dc=id
ldap_filter: (|(UserPrincipalName=%u)(sAMAccountName=%u))
ldap_scope: sub
This is the output of my pluginviewer:
root@mail:/usr/lib/sasl2# saslpluginviewer
Installed and properly configured auxprop mechanisms are:
sasldb sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 8
supports store: yes
Plugin "sasldb" , API version: 8
supports store: yes
Installed and properly configured SASL (server side) mechanisms are:
GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GSSAPI GSSAPI DIGEST-MD5 DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM CRAM-MD5 NTLM PLAIN LOGIN PLAIN LOGIN ANONYMOUS ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GSSAPI GSSAPI DIGEST-MD5 DIGEST-MD5 CRAM-MD5 NTLM CRAM-MD5 NTLM PLAIN LOGIN PLAIN LOGIN ANONYMOUS ANONYMOUS
List of server plugins follows
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-IAKERB, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-IAKERB, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-KRB5, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-KRB5, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "scram" [loaded], API version: 4
SASL mechanism: SCRAM-SHA-1, best SSF: 0, supports setpass: yes
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "scram" [loaded], API version: 4
SASL mechanism: SCRAM-SHA-1, best SSF: 0, supports setpass: yes
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-IAKERB, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-IAKERB, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-KRB5, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-KRB5, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "scram" [loaded], API version: 4
SASL mechanism: SCRAM-SHA-1, best SSF: 0, supports setpass: yes
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "scram" [loaded], API version: 4
SASL mechanism: SCRAM-SHA-1, best SSF: 0, supports setpass: yes
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
Plugin "digestmd5" [loaded], API version: 4
SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
Plugin "digestmd5" [loaded], API version: 4
SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
Plugin "digestmd5" [loaded], API version: 4
SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
Plugin "digestmd5" [loaded], API version: 4
SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
Plugin "crammd5" [loaded], API version: 4
SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: SERVER_FIRST
Plugin "crammd5" [loaded], API version: 4
SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: SERVER_FIRST
Plugin "ntlm" [loaded], API version: 4
SASL mechanism: NTLM, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "ntlm" [loaded], API version: 4
SASL mechanism: NTLM, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "crammd5" [loaded], API version: 4
SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: SERVER_FIRST
Plugin "crammd5" [loaded], API version: 4
SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: SERVER_FIRST
Plugin "ntlm" [loaded], API version: 4
SASL mechanism: NTLM, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "ntlm" [loaded], API version: 4
SASL mechanism: NTLM, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded], API version: 4
SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features:
Plugin "login" [loaded], API version: 4
SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features:
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded], API version: 4
SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features:
Plugin "login" [loaded], API version: 4
SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features:
Plugin "anonymous" [loaded], API version: 4
SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
security flags: NO_PLAINTEXT
features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
Plugin "anonymous" [loaded], API version: 4
SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
security flags: NO_PLAINTEXT
features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
Plugin "anonymous" [loaded], API version: 4
SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
security flags: NO_PLAINTEXT
features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
Plugin "anonymous" [loaded], API version: 4
SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
security flags: NO_PLAINTEXT
features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
Installed and properly configured SASL (client side) mechanisms are:
GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GSSAPI GSSAPI DIGEST-MD5 DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM CRAM-MD5 NTLM PLAIN LOGIN PLAIN LOGIN ANONYMOUS ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GSSAPI GSSAPI DIGEST-MD5 DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM CRAM-MD5 NTLM PLAIN LOGIN PLAIN LOGIN ANONYMOUS ANONYMOUS
List of client plugins follows
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-IAKERB, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|NEED_SERVER_FQDN|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-KRB5, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|NEED_SERVER_FQDN|GSS_FRAMING|CHANNEL_BINDING
Plugin "scram" [loaded], API version: 4
SASL mechanism: SCRAM-SHA-1, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-IAKERB, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|NEED_SERVER_FQDN|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded], API version: 4
SASL mechanism: GS2-KRB5, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|NEED_SERVER_FQDN|GSS_FRAMING|CHANNEL_BINDING
Plugin "scram" [loaded], API version: 4
SASL mechanism: SCRAM-SHA-1, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "digestmd5" [loaded], API version: 4
SASL mechanism: DIGEST-MD5, best SSF: 128
security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "digestmd5" [loaded], API version: 4
SASL mechanism: DIGEST-MD5, best SSF: 128
security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "EXTERNAL" [loaded], API version: 4
SASL mechanism: EXTERNAL, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "crammd5" [loaded], API version: 4
SASL mechanism: CRAM-MD5, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: SERVER_FIRST
Plugin "ntlm" [loaded], API version: 4
SASL mechanism: NTLM, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: WANT_CLIENT_FIRST
Plugin "crammd5" [loaded], API version: 4
SASL mechanism: CRAM-MD5, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: SERVER_FIRST
Plugin "ntlm" [loaded], API version: 4
SASL mechanism: NTLM, best SSF: 0
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: WANT_CLIENT_FIRST
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded], API version: 4
SASL mechanism: LOGIN, best SSF: 0
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: SERVER_FIRST
Plugin "plain" [loaded], API version: 4
SASL mechanism: PLAIN, best SSF: 0
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded], API version: 4
SASL mechanism: LOGIN, best SSF: 0
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: SERVER_FIRST
Plugin "anonymous" [loaded], API version: 4
SASL mechanism: ANONYMOUS, best SSF: 0
security flags: NO_PLAINTEXT
features: WANT_CLIENT_FIRST
Plugin "anonymous" [loaded], API version: 4
SASL mechanism: ANONYMOUS, best SSF: 0
security flags: NO_PLAINTEXT
features: WANT_CLIENT_FIRST
Can someone please help? I have been pulling my hair out over this for 3 months and I am about to smash my monitor. I don't know what is going on and I don't know where to find anything. No debug, no log, no trace, nothing that can tell me what happened; it just says "error" and "unknown" without specifying which error or letting me know where the error comes from, and Google gave me nothing.
I want to know what is happening and what is wrong. How do I enable debugging, and how do I get saslauthd to tell me what is going on?
And no traffic is sent out. tcpdump shows nothing. I think this is purely SASL configuration.
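
Added example (not part of the original post, and not saslauthd's own code): a small Python parser for the `do_auth` debug lines shown above, which tallies failures by mechanism and reason so that repeated runs with different `-a` settings can be compared. The function names are hypothetical, the sample input is constructed from the lines quoted in the post, and the realm-case check is a heuristic assumed here because Kerberos realm names are case-sensitive and AD realms are upper case.

```python
import re
from collections import Counter

# Constructed sample input: the do_auth/do_request lines quoted in the post.
SAMPLE = """\
saslauthd[20270] :do_auth : auth failure: [user=prd] [service=imap] [realm=innowareindonesia.co.id] [mech=kerberos5] [reason=saslauthd internal error]
saslauthd[20276] :do_auth : auth failure: [user=prd] [service=imap] [realm=innowareindonesia.co.id] [mech=ldap] [reason=Unknown]
saslauthd[20276] :do_request : response: NO
"""

# "saslauthd[PID] :do_auth : auth <result>: [key=value] [key=value] ..."
DO_AUTH = re.compile(r"^saslauthd\[(\d+)\]\s*:\s*do_auth\s*:\s*auth (\w+):\s*(.*)$")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_do_auth(line):
    """Return a dict for a do_auth line, or None for any other line."""
    m = DO_AUTH.match(line.strip())
    if not m:
        return None
    rec = {"pid": int(m.group(1)), "result": m.group(2)}
    rec.update(FIELD.findall(m.group(3)))  # user, service, realm, mech, reason
    return rec


def failures(text):
    """All do_auth records in the text whose result is 'failure'."""
    recs = (parse_do_auth(line) for line in text.splitlines())
    return [r for r in recs if r and r["result"] == "failure"]


def tally(text):
    """Count failures per (mech, reason) pair."""
    return Counter((r.get("mech"), r.get("reason")) for r in failures(text))


def realm_case_notes(text):
    """Heuristic (assumption of this example): list realms that contain
    lower-case letters in kerberos5 failures, as something to check."""
    return sorted({r["realm"] for r in failures(text)
                   if r.get("mech") == "kerberos5"
                   and r.get("realm", "") != r.get("realm", "").upper()})


if __name__ == "__main__":
    for (mech, reason), count in tally(SAMPLE).items():
        print(f"{count} failure(s) mech={mech} reason={reason}")
    for realm in realm_case_notes(SAMPLE):
        print(f"check realm case: {realm}")
```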