Hello Jesus <br><div class="gmail_quote">I've written a small tutorial about this. It was very hard... See below.</div><div class="gmail_quote">Kind regards,</div>
<div class="gmail_quote">2010/1/22 Jesus Noland <span dir="ltr">&lt;<a href="mailto:konpah23@yahoo.com">konpah23@yahoo.com</a>&gt;</span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<table cellspacing="0" cellpadding="0" border="0"><tbody><tr><td valign="top" style="font:inherit">Hello,<div><br></div><div>Hopefully I can get my question answered here. My problem is that I want to use testsaslauthd to query an Active Directory server on campus with my own credentials. Is this possible from my laptop running Ubuntu desktop? Using this syntax:</div>
<div><br></div><div><span style="font-family:'Times New Roman';font-size:medium"><pre>user@ubuntu-desktop:~$ testsaslauthd -u user@school.edu -p somepassword -r school.edu</pre>
</span></div></td></tr></tbody></table></blockquote><div>(Be careful, the lines are probably wrapped.)<br><br>FreeBSD 7.2: Authentication against Windows 2003 Domain controller<br>over Kerberos5<br>=================================================================================<br>
<br><br>I use the following setup to authenticate users on a mail server<br>(Cyrus Imapd) against Active Directory (but you can use any<br>other services too). In this case FreeBSD works as a Kerberos5 client.<br>Afterwards I'm able to authenticate with Kerberos5,<br>
PAM and Cyrus SASL (over saslauthd -a PAM or -a Kerberos5).<br><br><br>/etc/krb5.keytab<br>================<br><br>The first step is to create a user in Active Directory (see Windows<br>domain controller) for the Unix host. Normally you need krb5.keytab<br>
only for service requests (for example from saslauthd -a kerberos5).<br><br>acsvfbsd06# ktutil -v list<br>FILE:/etc/krb5.keytab:<br><br>Vno Type Principal Date<br> 4 arcfour-hmac-md5 host/acsvfbsd06.acutronic.ch@ACUTRONIC.CH 2009-09-08<br>
<br>ktutil: krb5_kt_start_seq_get krb4:/etc/srvtab: open(/etc/srvtab): No<br>such file or directory<br><br>Hint: The entries in /etc/srvtab will not be used in this case and can<br>be ignored. They are only for Kerberos IV.<br>
<br>To create a /etc/krb5.keytab file you first have to export it from a<br>domain controller and bind it to the user name created above:<br><br>C:\Programme\Support Tools&gt;ktpass -princ<br>host/acsvfbsd06.domain.tld@DOMAIN.TLD -crypto RC4-HMAC-NT -ptype<br>
KRB5_NT_SRV_INST -mapuser acsvfbsd06 -pass password -out 21.keytab<br>Targeting domain controller: acsv3k04.domain.tld<br>Using legacy password setting method<br>Successfully mapped host/acsvfbsd06.domain.tld to acsvfbsd06.<br>
WARNING: pType and account type do not match. This might cause problems.<br>Key created.<br>Output keytab to 21.keytab:<br>Keytab version: 0x502<br>keysize 76 host/acsvfbsd06.domain.tld@DOMAIN.TLD ptype 2 (KRB5_NT_SRV_INST)<br>
vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x5f92140f96a5ffbfa9fdf8fbae1ed02b)<br><br><br>Important: ptype should be KRB5_NT_SRV_INST! In any other case it<br>will not work. This is because Kerberos5 looks in this<br>file and searches for this type of key. If the type is wrong you get, under<br>
different circumstances, different error messages in<br><br>/var/log/auth.log:<br><br>- saslauthd -a pam<br>Sep 2 08:42:22 acsvfbsd06 saslauthd[772]: pam_krb5:<br>verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not<br>
found<br><br>- saslauthd -a kerberos5<br>Sep 2 08:42:22 acsvfbsd06 saslauthd[42062]: do_auth : auth<br>failure: [user=user][service=imap] [realm=] [mech=kerberos5]<br>[reason=krb5_verify_user_optfailed]<br><br><br>
After you create the keytab file you have to securely transfer the file<br>to the FreeBSD host. If one already exists, you can import the new key into<br>/etc/krb5.keytab as follows:<br><br>ktutil copy /usr/home/martin/21.keytab /etc/krb5.keytab<br>
<br>The file /etc/krb5.keytab has (after the creation) the following permissions:<br><br>-rw------- 1 root wheel 86B 8 Sep 08:20 krb5.keytab<br><br><br>kinit<br>=====<br>- The settings from /etc/krb5.conf will be used.<br>
- kinit creates user-owned Kerberos tickets. They are located under<br>/tmp/krb5cc_&lt;uid&gt; (for example kinit root =&gt; /tmp/krb5cc_0)<br><br>You can use kinit to test the basic Kerberos mechanism on FreeBSD<br>(without parameters). Then /etc/krb5.keytab will not be used.<br>
<br><br>acsvfbsd06# klist -v<br>Credentials cache: FILE:/tmp/krb5cc_0<br> Principal: martin@DOMAIN.TLD<br> Cache version: 4<br><br>Server: krbtgt/DOMAIN.TLD@DOMAIN.TLD<br>Ticket etype: arcfour-hmac-md5, kvno 2<br>
Auth time: Sep 8 07:40:45 2009<br>End time: Sep 8 17:40:25 2009<br>Renew till: Sep 15 07:40:45 2009<br>Ticket flags: renewable, initial, pre-authenticated<br>Addresses: IPv4:192.168.x.y<br><br>Server: ldap/acsv3k04.domain.tld@DOMAIN.TLD<br>
Ticket etype: arcfour-hmac-md5, kvno 22<br>Auth time: Sep 8 07:40:45 2009<br>Start time: Sep 8 07:40:50 2009<br>End time: Sep 8 17:40:25 2009<br>Ticket flags: pre-authenticated, ok-as-delegate<br>Addresses: IPv4:192.168.x.y<br>
<br>kinit -k &lt;username&gt; can be used to test the keytab file. If you get no<br>message then the authentication is ok and the tickets will be deleted<br>immediately. If you get kinit: krb5_get_init_creds: Additional<br>pre-authentication required, then only the pre-authentication<br>
failed (see under Windows domain controller).<br><br>ldapsearch<br>==========<br><br>Important: kinit should be executed first!<br><br>With ldapsearch you can test the ldap functionality against the domain<br>controller:<br>
<br>acsvfbsd06# ldapsearch -v -LLL -b<br>"OU=Mitgliedsserver,OU=ACH,DC=domain,DC=tld" -h acsv3k04.domain.tld<br>description<br>ldap_initialize( ldap://acsv3k04.domain.tld )<br>SASL/GSSAPI authentication started<br>
SASL username: martin@DOMAIN.TLD<br>SASL SSF: 56<br>SASL data security layer installed.<br>filter: (objectclass=*)<br>requesting: description<br>dn: OU=Mitgliedsserver,OU=ACH,DC=domain,DC=tld<br>[snip]<br><br>Important: If you use default_etypes_des in your /etc/krb5.conf,<br>
ldapsearch will fail.<br><br>After the first ldapsearch query you get an additional Kerberos ticket<br>(see under kinit).<br><br><br><br>/etc/krb5.conf<br>==============<br>[libdefaults]<br> default_realm = DOMAIN.TLD<br>
<br>[realms]<br> DOMAIN.TLD= {<br> kdc = acsv3k04.domain.tld:88<br> }<br><br>[domain_realm]<br> domain.tld = DOMAIN.TLD<br> .domain.tld = DOMAIN.TLD<br> .acsv3k04.domain.tld = DOMAIN.TLD<br>
acsv3k04.domain.tld = DOMAIN.TLD<br> .acsvfbsd06.domain.tld = DOMAIN.TLD<br> acsvfbsd06.domain.tld = DOMAIN.TLD<br> acsvfbsd06 = DOMAIN.TLD<br><br><br>/etc/resolv.conf<br>================<br><br>domain domain.tld<br>
nameserver 192.168.x.y<br><br><br><br>/etc/hosts<br>==========<br><br><br>With the settings below you get no DNS overhead.<br><br>192.168.10.2 acsv3k04.domain.tld<br><br><br>Cyrus SASL<br>==========<br><br><br>First you need to compile Cyrus SASL with all authentication mechanisms:<br>
<br>acsvfbsd06# saslauthd -h<br>usage: saslauthd [options]<br><br>option information:<br> -a &lt;authmech&gt; Selects the authentication mechanism to use.<br> -c Enable credential caching.<br> -d Debugging (don't detach from tty, implies -V)<br>
-r Combine the realm with the login before passing to<br>authentication mechanism<br> Ex. login: "foo" realm: "bar" will get passed as<br>login: "foo@bar"<br> The realm name is passed untouched.<br>
-O &lt;option&gt; Optional argument to pass to the authentication<br> mechanism.<br> -l Disable accept() locking. Increases performance, but<br> may not be compatible with some operating systems.<br>
-m &lt;path&gt; Alternate path for the saslauthd working directory,<br> must be absolute.<br> -n &lt;procs&gt; Number of worker processes to create.<br> -s &lt;kilobytes&gt; Size of the credential cache (in kilobytes)<br>
-t &lt;seconds&gt; Timeout for items in the credential cache (in seconds)<br> -v Display version information and available mechs<br> -V Enable verbose logging<br> -h Display this message.<br>
<br>saslauthd 2.1.23<br>authentication mechanisms: sasldb getpwent kerberos5 pam rimap ldap<br><br>You start saslauthd from /etc/rc.conf with -a pam or -a kerberos5.<br><br><br>PAM<br>===<br><br>In my setup I use PAM for central authentication. If you use Cyrus<br>
SASL/Imapd you need the service name "imap". So the<br>corresponding file in /etc/pam.d should have the name imap.<br><br>/etc/pam.d/imap:<br>auth required pam_krb5.so try_first_pass no_user_check<br>
account required pam_krb5.so<br>password required pam_krb5.so<br>session required pam_krb5.so<br><br><br>pam_krb5.so:<br>Hint: pam_krb5.so does not check the fields Vno and encryption<br>
(arcfour-hmac-md5) from the keytab file (see the source code in<br>/usr/src/lib/libpam/modules/pam_krb5).<br><br>pam_krb5.so looks for a principal<br>host/acsvfbsd06.domain.tld@DOMAIN.TLD with the type KRB5_NT_SRV_INST<br>
(see krb5.keytab/ktpass)<br><br>In the current version of /usr/src/lib/libpam/modules/pam_krb5 there is<br>a long-outstanding bug (see PR<br><a href="http://www.freebsd.org/cgi/query-pr.cgi?pr=76678&cat=">http://www.freebsd.org/cgi/query-pr.cgi?pr=76678&cat=</a>). The problem is<br>
that authentication only succeeds if the authenticated user is<br>also in the local FreeBSD passwd file. To change this you have to<br>apply the patch below and set the option no_user_check in<br>/etc/pam.d/imap (see PAM).<br>
<br>Patch:<br>--- pam_krb5.c.orig Tue Feb 10 10:13:20 2004<br>+++ pam_krb5.c Sun Jan 9 23:58:36 2005<br>@@ -89,6 +89,7 @@<br> #define PAM_OPT_FORWARDABLE "forwardable"<br> #define PAM_OPT_NO_CCACHE "no_ccache"<br>
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"<br>+#define PAM_OPT_NO_USER_CHECK "no_user_check"<br> /*<br> * authentication management<br>@@ -213,11 +214,13 @@<br> PAM_LOG("PAM_USER Redone");<br>
}<br>- pwd = getpwnam(user);<br>- if (pwd == NULL) {<br>- retval = PAM_USER_UNKNOWN;<br>- goto cleanup2;<br>- }<br>+ if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {<br>
+ pwd = getpwnam(user);<br>+ if (pwd == NULL) {<br>+ retval = PAM_USER_UNKNOWN;<br>+ goto cleanup2;<br>+ }<br>+ }<br> PAM_LOG("Done getpwnam()");<br>
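<br>Review bot: the first hunk (@@ -89,6) adds the PAM_OPT_NO_USER_CHECK define but nothing documents the new option; the module's pam_krb5(8) manual page lists the recognised options (forwardable, no_ccache, reuse_ccache, ...), so "no_user_check" should be added there with one sentence saying it skips the local passwd lookup, otherwise the option is invisible to anyone reading the man page rather than the source.<br>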
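<br>Review bot: in the second hunk (@@ -213,11) the getpwnam() call is skipped when no_user_check is set, so pwd keeps whatever value it had before; the hunk shows neither its initialisation nor its later uses, so please confirm that pwd is initialised to NULL and that nothing after the "Done getpwnam()" log line dereferences it (for example to pick a uid for the credential cache), otherwise a principal without a local account turns a clean PAM_USER_UNKNOWN into a NULL pointer dereference. It is also worth stating in the option's description that with no_user_check every principal the KDC issues a TGT for (verified against the host key) passes this module, and mapping it to a Unix identity becomes the calling service's responsibility.<br>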
<br><br><br>Windows domain controller<br>=========================<br><br>As a guide you can use the following articles:<br>- <a href="http://technet.microsoft.com/en-us/library/bb742433.aspx">http://technet.microsoft.com/en-us/library/bb742433.aspx</a><br>
(Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability)<br>- Windows Security and Directory Services for UNIX v1.0 (only<br>available on <a href="http://download.microsoft.com">download.microsoft.com</a>).<br><br>
As a first step you should create a user which has the same name as<br>your FreeBSD host. You need this user name in combination with ktpass<br>(see krb5.keytab). Additionally, your FreeBSD host should be resolvable<br>by DNS with PTR and A records.<br>
<br>Do not use the Support Tools from Windows 2000, because their ktpass does not<br>have the same options (for example encryption).<br><br>If you see error messages in the Eventlog (Security) on your domain<br>controller like:<br><br>
(sorry, only available in German)<br><br>Ereignistyp: Fehlerüberw.<br>Ereignisquelle: Security<br>Ereigniskategorie: Kontoanmeldung<br>Ereigniskennung: 675<br>Datum: 08.09.2009<br>Zeit: 08:22:00<br>
Benutzer: NT-AUTORITÄT\SYSTEM<br>Computer: ACSV3K04<br>Beschreibung:<br>Fehlgeschlagene Vorbestätigung:<br> Benutzername: martin<br> Benutzerkennung: ACH\martin<br> Dienstname: krbtgt/DOMAIN.TLD<br>
Vorauthentifizierungstyp: 0x0<br> Fehlercode: 0x19<br> Clientadresse: 192.168.20.5<br><br>... then the user name is successfully authenticated. The error only shows<br>that the pre-authentication failed, see:<br>
<br><a href="http://support.microsoft.com/kb/230476/en-us">http://support.microsoft.com/kb/230476/en-us</a>:<br><br>0x19 (KDC_ERR_PREAUTH_REQUIRED) "Additional pre-authentication"<br>The client did not send pre-authorization, or did not send the<br>
appropriate type of pre-authorization, to receive a ticket.<br>The client will retry with the appropriate kind of pre-authorization<br>(the KDC returns the pre-authentication type in the<br>error). Many Kerberos implementations will start off without<br>
preauthenticated data and only add it in a subsequent request<br>when it sees this error. In this case, this error can safely be ignored.<br><br><br><br>Firewall<br>========<br>You need the following ports: 88 (for Kerberos), 53 (for DNS) and 389<br>
(for ldap).<br><br><br>DNS<br>===<br>So that you have no DNS resolution problems, it is a good idea to use a<br>domain DNS server in /etc/resolv.conf.<br><br>You also need this DNS record:<br>_kerberos IN TXT DOMAIN.TLD<br>
<br><br>Links<br>=====<br><br>- Kerberos: <a href="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html">http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html</a><br>- PAM: <a href="http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html">http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html</a><br>
- Principal/ktpass: <a href="http://www.grolmsnet.de/kerbtut/">http://www.grolmsnet.de/kerbtut/</a><br> </div></div><br clear="all"><br>-- <br>Martin Schweizer<br><a href="mailto:schweizer.martin@gmail.com">schweizer.martin@gmail.com</a><br>
Tel.: +41 32 512 48 54 (VoIP)<br>Fax: +1 619 3300587<br>
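An added example, not part of Martin's mail: a small POSIX sh script that checks offline for the problems the tutorial walks through (host principal present in the keytab listing, keytab not world-readable, and the two auth.log signatures that point at a wrong ptype). Host name, realm and the sample listing and log lines are constructed from the values in the tutorial.

```shell
#!/bin/sh
# Added example, not part of Martin's tutorial: offline checks for the
# failure modes it describes. Functions read text on stdin so they run
# against real `ktutil -v list` / /var/log/auth.log output or the constructed
# samples below (host, realm and log lines are constructed placeholders).

# keytab_has_host_principal FQDN REALM: reads `ktutil -v list` output on
# stdin; succeeds if the host/FQDN@REALM entry pam_krb5 looks for is there.
keytab_has_host_principal() {
    grep -Fq "host/$1@$2"
}

# keytab_mode_ok PATH: the tutorial shows -rw------- root wheel; reject a
# keytab that group or others can read (or that is missing).
keytab_mode_ok() {
    [ "$(ls -l "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# diagnose_auth_log: reads /var/log/auth.log lines on stdin, prints a hint
# for each of the two signatures the tutorial lists; succeeds if any matched.
diagnose_auth_log() {
    found=1
    while IFS= read -r line; do
        case $line in
            *"pam_krb5:"*"Key table entry not found"*)
                echo "saslauthd -a pam: no usable host key in /etc/krb5.keytab (check principal name and ptype KRB5_NT_SRV_INST)"
                found=0 ;;
            *"mech=kerberos5"*"krb5_verify_user_optfailed"*)
                echo "saslauthd -a kerberos5: TGT verification against the keytab failed (same keytab/ptype check)"
                found=0 ;;
        esac
    done
    return $found
}

# Constructed samples modelled on the listing and log lines in the tutorial.
SAMPLE_KTUTIL='FILE:/etc/krb5.keytab:
Vno  Type              Principal                              Date
  4  arcfour-hmac-md5  host/acsvfbsd06.domain.tld@DOMAIN.TLD  2009-09-08'
SAMPLE_AUTH_LOG='Sep 2 08:42:22 acsvfbsd06 saslauthd[772]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
Sep 2 08:42:22 acsvfbsd06 saslauthd[42062]: do_auth : auth failure: [user=user][service=imap] [realm=] [mech=kerberos5] [reason=krb5_verify_user_optfailed]
Sep 2 08:43:01 acsvfbsd06 sshd[900]: Accepted publickey for martin'

# On a real host pipe in `ktutil -v list` and /var/log/auth.log instead.
printf '%s\n' "$SAMPLE_KTUTIL" | keytab_has_host_principal acsvfbsd06.domain.tld DOMAIN.TLD \
    && echo "keytab: host principal present" || echo "keytab: host principal missing"
printf '%s\n' "$SAMPLE_AUTH_LOG" | diagnose_auth_log || echo "auth.log: no known keytab error"
keytab_mode_ok /etc/krb5.keytab && echo "keytab: mode 0600 ok" || echo "keytab: missing or readable by others"
```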