Issue with Heimdal Kerberos on an LDAP backend

2

I'm having trouble getting Kerberos (the Heimdal version) to work well with OpenLDAP. The Kerberos database is being stored in LDAP itself. The KDC uses SASL EXTERNAL authentication as root to access the OU container. I hope this is the right place for this kind of question.

I created the database in LDAP fine using kadmin -l, but it won't let me use kadmin without the -l flag:

root@rds0:~# kadmin -l
kadmin> list *
krbtgt/REALM
kadmin/changepw
kadmin/admin
changepw/kerberos
kadmin/hprop
WELLKNOWN/ANONYMOUS
WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L
default
brian.empson
brian.empson/admin
host/rds0.example.net
ldap/rds0.example.net
host/localhost
kadmin> exit
root@rds0:~# kadmin
kadmin> list *
brian.empson/admin@REALM's Password:      <----- With right password
kadmin: kadm5_get_principals: Key table entry not found
kadmin> list *
brian.empson/admin@REALM's Password:       <------ With wrong password
kadmin: kadm5_get_principals: Already tried ENC-TS-info, looping
kadmin>

I can get tickets without a problem:

root@rds0:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: brian.empson@REALM

  Issued                Expires               Principal
Nov 11 14:14:40 2012  Nov 12 00:14:37 2012  krbtgt/REALM@REALM
Nov 11 14:40:35 2012  Nov 12 00:14:37 2012  ldap/rds0.example.net@REALM

But I can't change my own password without kadmin -l:

root@rds0:~# kpasswd
brian.empson@REALM's Password:      <---- Right password
New password:
Verify password - New password:
Auth error : Authentication failed
root@rds0:~# kpasswd
brian.empson@REALM's Password:       <---- Wrong password
kpasswd: krb5_get_init_creds: Already tried ENC-TS-info, looping

The kadmin logs aren't helpful:

2012-11-11T13:48:33 krb5_recvauth: Key table entry not found
2012-11-11T13:51:18 krb5_recvauth: Key table entry not found
2012-11-11T13:53:02 krb5_recvauth: Key table entry not found
2012-11-11T14:16:34 krb5_recvauth: Key table entry not found
2012-11-11T14:20:24 krb5_recvauth: Key table entry not found
2012-11-11T14:20:44 krb5_recvauth: Key table entry not found
2012-11-11T14:21:29 krb5_recvauth: Key table entry not found
2012-11-11T14:21:46 krb5_recvauth: Key table entry not found
2012-11-11T14:23:09 krb5_recvauth: Key table entry not found
2012-11-11T14:45:39 krb5_recvauth: Key table entry not found

The KDC reports that both accounts are able to authenticate:

2012-11-11T14:48:03 AS-REQ brian.empson@REALM from IPv4:192.168.72.10 for kadmin/changepw@REALM
2012-11-11T14:48:03 Client sent patypes: REQ-ENC-PA-REP
2012-11-11T14:48:03 Looking for PK-INIT(ietf) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for PK-INIT(win2k) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for ENC-TS pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-11-11T14:48:03 sending 294 bytes to IPv4:192.168.72.10
2012-11-11T14:48:03 AS-REQ brian.empson@REALM from IPv4:192.168.72.10 for kadmin/changepw@REALM
2012-11-11T14:48:03 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2012-11-11T14:48:03 Looking for PK-INIT(ietf) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for PK-INIT(win2k) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for ENC-TS pa-data -- brian.empson@REALM
2012-11-11T14:48:03 ENC-TS Pre-authentication succeeded -- brian.empson@REALM using aes256-cts-hmac-sha1-96
2012-11-11T14:48:03 ENC-TS pre-authentication succeeded -- brian.empson@REALM
2012-11-11T14:48:03 AS-REQ authtime: 2012-11-11T14:48:03 starttime: unset endtime: 2012-11-11T14:53:00 renew till: unset
2012-11-11T14:48:03 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-11-11T14:48:03 sending 704 bytes to IPv4:192.168.72.10

2012-11-11T14:45:39 AS-REQ brian.empson/admin@REALM from IPv4:192.168.72.10 for kadmin/admin@REALM
2012-11-11T14:45:39 Client sent patypes: REQ-ENC-PA-REP
2012-11-11T14:45:39 Looking for PK-INIT(ietf) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for PK-INIT(win2k) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for ENC-TS pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-11-11T14:45:39 sending 303 bytes to IPv4:192.168.72.10
2012-11-11T14:45:39 AS-REQ brian.empson/admin@REALM from IPv4:192.168.72.10 for kadmin/admin@REALM
2012-11-11T14:45:39 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2012-11-11T14:45:39 Looking for PK-INIT(ietf) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for PK-INIT(win2k) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for ENC-TS pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 ENC-TS Pre-authentication succeeded -- brian.empson/admin@REALM using aes256-cts-hmac-sha1-96
2012-11-11T14:45:39 ENC-TS pre-authentication succeeded -- brian.empson/admin@REALM
2012-11-11T14:45:39 AS-REQ authtime: 2012-11-11T14:45:39 starttime: unset endtime: 2012-11-11T15:45:39 renew till: unset
2012-11-11T14:45:39 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-11-11T14:45:39 sending 717 bytes to IPv4:192.168.72.10

I'd like to have more detailed log messages; running kadmind in debug mode seems to almost work, but it just drops me back to the shell when I type the password correctly.

GSSAPI via LDAP doesn't work either, but I suspect that's because some parts of Kerberos aren't working:

root@rds0:~# ldapsearch -Y GSSAPI -H ldaps:/// -b "o=mybase" o=mybase
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
root@rds0:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b "o=mybase" o=mybase
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
<snip>

by Brian 11.11.2012 / 21:03
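The KDC excerpt in the post is the usual Heimdal two-round AS exchange: the first AS-REQ is answered with "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ", and the client's second AS-REQ carries ENC-TS pre-authentication, which the KDC reports as succeeded together with the enctype and ticket lifetime. Reading that by hand across many principals is tedious, so the following added example (not part of the post or of Heimdal) parses KDC log lines in exactly the format quoted above and collapses each (client, service, source) pair into its final outcome, so you can see at a glance which principals completed pre-authentication and which stopped after the challenge. The sample log is constructed from the post's line formats; the `user.example@REALM` request is hypothetical and included only to show an exchange that never reaches the ENC-TS round.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the Heimdal KDC log quoted in the post:
# one complete two-round AS-REQ exchange for brian.empson, plus a hypothetical
# request from user.example that stops after the pre-authentication challenge.
SAMPLE_LOG = """\
2012-11-11T14:48:03 AS-REQ brian.empson@REALM from IPv4:192.168.72.10 for kadmin/changepw@REALM
2012-11-11T14:48:03 Client sent patypes: REQ-ENC-PA-REP
2012-11-11T14:48:03 Looking for ENC-TS pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-11-11T14:48:03 sending 294 bytes to IPv4:192.168.72.10
2012-11-11T14:48:03 AS-REQ brian.empson@REALM from IPv4:192.168.72.10 for kadmin/changepw@REALM
2012-11-11T14:48:03 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2012-11-11T14:48:03 ENC-TS Pre-authentication succeeded -- brian.empson@REALM using aes256-cts-hmac-sha1-96
2012-11-11T14:48:03 ENC-TS pre-authentication succeeded -- brian.empson@REALM
2012-11-11T14:48:03 AS-REQ authtime: 2012-11-11T14:48:03 starttime: unset endtime: 2012-11-11T14:53:00 renew till: unset
2012-11-11T14:48:03 sending 704 bytes to IPv4:192.168.72.10
2012-11-11T14:52:30 AS-REQ user.example@REALM from IPv4:192.168.72.20 for krbtgt/REALM@REALM
2012-11-11T14:52:30 Client sent patypes: REQ-ENC-PA-REP
2012-11-11T14:52:30 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-11-11T14:52:30 sending 301 bytes to IPv4:192.168.72.20
"""

# Patterns for the line shapes that appear in the post's KDC log.
AS_REQ = re.compile(r"^(?P<ts>\S+) AS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<service>\S+)$")
PATYPES = re.compile(r"^\S+ Client sent patypes: (?P<types>.+)$")
NEED_PA = re.compile(r"^\S+ Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ$")
PREAUTH_OK = re.compile(r"^\S+ ENC-TS Pre-authentication succeeded -- (?P<client>\S+) using (?P<enctype>\S+)$")
LIFETIME = re.compile(r"^\S+ AS-REQ authtime: \S+ starttime: \S+ endtime: (?P<end>\S+) renew till: \S+$")
SENDING = re.compile(r"^\S+ sending (?P<n>\d+) bytes to \S+$")

# Later outcomes outrank earlier ones when the rounds of one exchange are merged.
RANK = {"incomplete": 0, "preauth-required": 1, "succeeded": 2}


@dataclass
class AsReq:
    ts: str
    client: str
    src: str
    service: str
    patypes: List[str] = field(default_factory=list)
    outcome: str = "incomplete"      # "preauth-required", "succeeded" or "incomplete"
    enctype: Optional[str] = None    # enctype the KDC reports for the ENC-TS round
    endtime: Optional[str] = None    # ticket end time from the "authtime:" line
    reply_bytes: Optional[int] = None


def parse_kdc_log(text: str) -> List[AsReq]:
    """Split the log into AS-REQ records; every non-AS-REQ line annotates the most recent one."""
    reqs: List[AsReq] = []
    cur: Optional[AsReq] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = AS_REQ.match(line)
        if m:
            cur = AsReq(**m.groupdict())
            reqs.append(cur)
            continue
        if cur is None:
            continue  # annotation line before any AS-REQ header: nothing to attach it to
        m = PATYPES.match(line)
        if m:
            cur.patypes = [t.strip() for t in m.group("types").split(",")]
            continue
        if NEED_PA.match(line):
            cur.outcome = "preauth-required"
            continue
        m = PREAUTH_OK.match(line)
        if m:
            cur.outcome = "succeeded"
            cur.enctype = m.group("enctype")
            continue
        m = LIFETIME.match(line)
        if m:
            cur.endtime = m.group("end")
            continue
        m = SENDING.match(line)
        if m:
            cur.reply_bytes = int(m.group("n"))
    return reqs


Key = Tuple[str, str, str]


def summarize(reqs: List[AsReq]) -> Dict[Key, AsReq]:
    """Merge the rounds of each (client, service, source) exchange, keeping the furthest-advanced round."""
    best: Dict[Key, AsReq] = {}
    for r in reqs:
        key = (r.client, r.service, r.src)
        if key not in best or RANK[r.outcome] >= RANK[best[key].outcome]:
            best[key] = r
    return best


def challenged_without_success(reqs: List[AsReq]) -> List[Key]:
    """Exchanges whose final state is the pre-auth challenge, i.e. no ENC-TS round was ever accepted."""
    return sorted(k for k, r in summarize(reqs).items() if r.outcome == "preauth-required")


if __name__ == "__main__":
    for (client, service, src), r in summarize(parse_kdc_log(SAMPLE_LOG)).items():
        print(f"{client:28} -> {service:24} {r.outcome:17} enctype={r.enctype} endtime={r.endtime}")
    print("challenged, never succeeded:", challenged_without_success(parse_kdc_log(SAMPLE_LOG)))
```

Run against a real `kdc.log` by replacing `SAMPLE_LOG` with the file contents. The summary shows what the post's excerpt already says for brian.empson and brian.empson/admin (both reach "succeeded" for the kadmin services), which is why the poster concludes the KDC side is fine and the failure sits in kadmind's own `krb5_recvauth` step rather than in pre-authentication.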

0 answers