<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"><div><div>Sounds like my F5 config is slightly different from yours. I’m not certain of the term for it, but my F5 passes the packets without inserting its own address into the packets. All my LDAP servers have the ldapserver.example.com address as a second address on their loopback interface and know that they are also ldapserver.example.com and respond back to the client directly from the ldapserver.example.com address. I’m guessing that in your setup, your AD servers do not have the ldap.test.com address on any of their interfaces and it is likely that the requests are showing up from the address of the F5 not from the actual clients and that your AD servers are answering back to the clients through the F5. I’ve never had to figure out how to make something like that work.</div><div><br></div><div><div id="MAC_OUTLOOK_SIGNATURE"><div>—</div><div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;"><font class="Apple-style-span" color="#000000"><font class="Apple-style-span" face="Calibri">Frank Swasey</font></font></div><div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px;"><font class="Apple-style-span" color="#000000"><font class="Apple-style-span" face="Calibri">Systems Architecture & Administration</font></font></div></div></div></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Tadashi Inayama <<a href="mailto:tci@qad.com">tci@qad.com</a>><br><span style="font-weight:bold">Date: </span> Tuesday, 
February 16, 2016 at 6:53 PM<br><span style="font-weight:bold">To: </span> Frank Swasey <<a href="mailto:Frank.Swasey@uvm.edu">Frank.Swasey@uvm.edu</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:cyrus-sasl@lists.andrew.cmu.edu">cyrus-sasl@lists.andrew.cmu.edu</a>" <<a href="mailto:cyrus-sasl@lists.andrew.cmu.edu">cyrus-sasl@lists.andrew.cmu.edu</a>><br><span style="font-weight:bold">Subject: </span> Re: Load-balancing LDAP using GSSAPI/Kerberos/Cyrus-SASL<br></div><div><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div><div dir="ltr">Hello,
<div><br></div><div>A few more details regarding the problem I'm seeing with ldapsearch on my openldap\kerberos\gssapi\sasl\sssd system:
<div><div><br></div><div><br></div><div>Even though I specify rdns = false on /etc/krb5.conf file, there is still a reverse lookup component to the ldap authorization. </div><div><br></div><div>So if I do not have any special entry on /etc/hosts file, then when I run ldapsearch against
<a href="http://ldap.test.com">ldap.test.com</a>, I get this failure:</div><div><br></div><div>generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)</div><div><br></div><div><br></div><div>If I manually place an entry on /etc/hosts file for the IP Address of one of the (two) domain controllers for
<a href="http://ldap.test.com">ldap.test.com</a>, the ldapsearch runs successfully half the time with </div><div><br></div><div># search result</div><div>search: 4</div><div>result: 0 Success</div><div><br></div><div># numResponses: 1</div><div> </div><div>But when the load balancer hits to second domain controller, we get this error:</div><div><br></div><div>generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Message stream modified)</div><div><br></div><div>Which means that SASL detects there is a middle-man (the load-balancer) mid-stream.</div></div><div><br></div><div><br></div><div>Thank you,</div><div>Tadashi</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 16, 2016 at 10:52 AM, Frank Swasey <span dir="ltr">
<<a href="mailto:Frank.Swasey@uvm.edu" target="_blank">Frank.Swasey@uvm.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif"><div><div>Yes, I conflated SSL and SASL in my answer. So let me clean that up…</div><div><br></div><div>So, let’s say that my F5 is load balancing based on the name <a href="http://ldapserver.example.com" target="_blank">
ldapserver.example.com</a>. In the slapd.conf file each of my real servers use, I put the statement:</div><div><br></div><div>sasl-host <a href="http://ldapserver.example.com" target="_blank">ldapserver.example.com</a></div><div><br></div><div>And in the keytab file that each OpenLDAP server uses, I have a key for ldap/ldapserver.example.com@realm</div><div><br></div><div>Now, when a GSSAPI connection comes in, OpenLDAP talks to SASL using the ldap/ldapserver.example.com@realm key and verifies that the GSSAPI package is all good. </div><div><br></div><div>I honestly do not know if AD has the equivalent of the OpenLDAP sasl-host configuration option or not.</div><span class=""><div><br></div><div><div><div>—</div><div style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px"><font color="#000000"><font face="Calibri">Frank Swasey</font></font></div><div style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px"><font color="#000000"><font face="Calibri">Systems Architecture & Administration</font></font></div></div></div></span></div><div><br></div><span><div style="font-family:Calibri;font-size:12pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt"><span style="font-weight:bold">From: </span>Tadashi Inayama <<a href="mailto:tci@qad.com" target="_blank">tci@qad.com</a>><br><span style="font-weight:bold">Date: </span>Tuesday, February 16, 2016 at 1:37 PM<br><span style="font-weight:bold">To: </span>Frank Swasey <<a href="mailto:Frank.Swasey@uvm.edu" target="_blank">Frank.Swasey@uvm.edu</a>><br><span style="font-weight:bold">Cc: </span>"<a href="mailto:cyrus-sasl@lists.andrew.cmu.edu" target="_blank">cyrus-sasl@lists.andrew.cmu.edu</a>" <<a href="mailto:cyrus-sasl@lists.andrew.cmu.edu" target="_blank">cyrus-sasl@lists.andrew.cmu.edu</a>><br><span style="font-weight:bold">Subject: </span>Re: 
Load-balancing LDAP using GSSAPI/Kerberos/Cryus-SASL<br></div><div><div class="h5"><div><br></div><blockquote style="BORDER-LEFT:#b5c4df 5 solid;PADDING:0 0 0 5;MARGIN:0 0 0 5"><div><div><div dir="ltr">Hello Frank,
<div><br></div><div>Thank you very much for your reply. I believe that the solution you are mentioning applies more to load-balancing services that use SSL certs, such as https. Please correct me if I am wrong. (Or does kerberos\gssapi\sasl use an SSL cert somewhere along
the chain?)</div><div><br></div><div>RedHat Support referred me to this blog: </div><div><br></div><div><a href="https://ssimo.org/blog/id_019.html" target="_blank">https://ssimo.org/blog/id_019.html</a><div><br></div><div>In this example, the three https web servers that required kerberos authentication for access were load-balanced. </div><div><br></div><div>So the picture looked something more like this:</div><div><br></div><pre>
uno.ipa.com        due.ipa.com        tre.ipa.com
         \              |              /
          \             |             /
           \            |            /
            \           |           /
             \          |          /

                   all.ipa.com  (F5 Load Balancer Virtual Server)

                        |
                        |
                        |
              linux_client.ipa.com  ------ authentication request ------------>  KCD (OpenLDAP/Active Directory)
                                    <------ kerberos ticket -------------------------
</pre><div><br></div><div>In this case we can have the ssl certs use shared hostnames so we can list <a href="http://uno.ipa.com" target="_blank">
uno.ipa.com</a>, <a href="http://due.ipa.com" target="_blank">due.ipa.com</a>, and
<a href="http://tre.ipa.com" target="_blank">tre.ipa.com</a> in the <a href="http://all.ipa.com" target="_blank">
all.ipa.com</a> cert under a shared name. (A wildcard cert may work also.)</div><div><br></div><div>What we are attempting to do is slightly different. We are trying to load-balance the Active Directory Domain Controllers. We can use a shared name for SSL certs, but is there a mechanism either (1) within kerberos to share the hostnames for SPNs or (2)
to configure Cyrus-SASL to let us use the keytab for authentication so we can import the keys for the domain controllers into the keytab stored on the linux clients?</div><div><br></div><div>Thank you,</div><div>Tadashi</div><div><br></div><div>A redundant picture:</div><div><pre>
dc1.test.com     dc2.test.com   (Windows Domain Controllers)
        \           /
         \         /
          \       /
           \     /
         ldap.test.com   (virtual server on F5 LTM)
               |
               |
               |
       linux_client.test.com
</pre></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 16, 2016 at 5:25 AM, Frank Swasey <span dir="ltr">
<<a href="mailto:Frank.Swasey@uvm.edu" target="_blank">Frank.Swasey@uvm.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif"><div><div>With OpenLDAP you solve this by using an ssl cert with Alternative names on each server – and you use the sasl-host parameter to tell OpenLDAP to use that common name between the various certs on the actual LDAP servers. How you duplicate that in AD is
left to the reader…</div><div><br></div><div><div><div>—</div><div style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px"><font color="#000000"><font face="Calibri">Frank Swasey</font></font></div><div style="color:rgb(0,0,0);font-family:Calibri,sans-serif;font-size:14px"><font color="#000000"><font face="Calibri">Systems Architecture & Administration</font></font></div></div></div></div><div><br></div><span><div style="font-family:Calibri;font-size:12pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt"><span style="font-weight:bold">From: </span>Cyrus-sasl <<a href="mailto:cyrus-sasl-bounces+frank.swasey=uvm.edu@lists.andrew.cmu.edu" target="_blank">cyrus-sasl-bounces+frank.swasey=uvm.edu@lists.andrew.cmu.edu</a>> on behalf of Tadashi Inayama via Cyrus-sasl
<<a href="mailto:cyrus-sasl@lists.andrew.cmu.edu" target="_blank">cyrus-sasl@lists.andrew.cmu.edu</a>><br><span style="font-weight:bold">Reply-To: </span>Tadashi Inayama <<a href="mailto:tci@qad.com" target="_blank">tci@qad.com</a>><br><span style="font-weight:bold">Date: </span>Friday, February 12, 2016 at 5:10 PM<br><span style="font-weight:bold">To: </span>"<a href="mailto:cyrus-sasl@lists.andrew.cmu.edu" target="_blank">cyrus-sasl@lists.andrew.cmu.edu</a>" <<a href="mailto:cyrus-sasl@lists.andrew.cmu.edu" target="_blank">cyrus-sasl@lists.andrew.cmu.edu</a>><br><span style="font-weight:bold">Subject: </span>Load-balancing LDAP using GSSAPI/Kerberos/Cryus-SASL<br></div><div><div><div><br></div><blockquote style="BORDER-LEFT:#b5c4df 5 solid;PADDING:0 0 0 5;MARGIN:0 0 0 5"><div><div><div dir="ltr">Hello,
<div><br></div><div>I am new to using GSSAPI/Kerberos/SASL but we got it working for authorization for LDAP queries from RHEL 5.11 and RHEL 6.7 clients against Win2k12 R2 Domain Controllers.</div><div><br></div><div>But when we try to load balance the LDAP traffic with F5 LTM (with <a href="http://dc1.test.com" target="_blank">
dc1.test.com</a> and <a href="http://dc2.test.com" target="_blank">dc2.test.com</a> as the pool members), ldapsearch via gssapi works half the time, and the other half we get an error that the message is changed mid-stream. We are guessing that Cyrus-SASL
does a reverse dns lookup of the domain controllers as a final check, and if the ip address of the domain controller does not match the hostname of the F5 Virtual Server then the error pops back as message changed mid-stream. So it works half of the time.</div><div><br></div><div>So we did some googling and came across this post:</div><div><br></div><div><a href="http://www.openldap.org/lists/openldap-software/200902/msg00019.html" target="_blank">http://www.openldap.org/lists/openldap-software/200902/msg00019.html</a><br></div><div><br></div><div>"<span style="color:rgb(0,0,0);font-family:monospace;font-size:medium">There is a work around for this at the GSSAPI layer, which is to tell the server to trust any principal that exists in the service's keytab. Unfortunately, Cyrus SASL doesn't seem to
expose a mechanism for doing this, and so the only way to do so is via a code change to the SASL library."</span></div><div><br></div><div>This post was from 2009. So is there currently a mechanism in Cyrus SASL to trust the principals whose key exists in the krb5.keytab? Or is there some established method to load balance between two MS Domain Controllers?</div><div><br></div><div>(The reason we are trying to load balance the ldap queries is so that when we perform patch or other maintenance work on the individual domain controllers, we don't break the authentication/authorization on the RHEL servers. Without load balancing, we
will need to change the authentication server entries on krb5.conf and sssd.conf in each of the RHEL servers. And we already have dns, ntp, and kerberos load-balancing using the F5, we just need to get the ldap portion completed.)</div><div><br></div><div>Thank you very much,</div><div>Tadashi</div><div><br></div><pre>
dc1.test.com     dc2.test.com   (Windows Domain Controllers)
        \           /
         \         /
          \       /
           \     /
         ldap.test.com   (virtual server on F5 LTM)
               |
               |
               |
       linux_client.test.com
</pre><div><br></div></div></div></div></blockquote></div></div></span></div></blockquote></div><br></div></div></div></blockquote></div></div></span></div></blockquote></div><br></div></div></div></blockquote></span></body></html>
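An added example, not code from the thread or from any of the projects named in it (Cyrus SASL, OpenLDAP, F5, Active Directory): a small Python model of why binds through ldap.test.com succeed on one pool member and fail on the other, and what a shared key for the virtual server's own service principal changes. Host names, addresses, key ids, the /etc/hosts and DNS tables and the round-robin VIP are all constructed; name canonicalisation is reduced to a dictionary lookup, and the step "the server cannot decrypt the ticket" is labelled with the "Message stream modified" text because that is what the thread reports for it. missing_shared_spn is the check to run before pointing clients at the VIP: every pool member must hold the key for the VIP's principal, which is what Frank's sasl-host plus shared keytab entry achieves on OpenLDAP.

```python
# Constructed model of the SPN/keytab mismatch discussed in the thread.
# Names, addresses and key ids are made up; DNS and /etc/hosts are dicts.
from dataclasses import dataclass
from itertools import cycle

REALM = "TEST.COM"

# Outcome strings, spelled the way ldapsearch reported them in the thread.
OK = "Success"
ERR_NOT_FOUND = "Server not found in Kerberos database"
ERR_MODIFIED = "Message stream modified"


@dataclass
class PoolMember:
    name: str
    keytab: dict  # service principal -> id of the key held for it


@dataclass
class Client:
    rdns: bool   # krb5.conf [libdefaults] rdns
    hosts: dict  # /etc/hosts aliases: alias -> canonical name


def spn_for(host):
    return f"ldap/{host}@{REALM}"


def canonical_host(client, target, forward_dns, reverse_dns):
    """Host the client puts in the service principal (simplified model):
    an /etc/hosts alias wins, then the PTR of the target's address if
    rdns is on, else the name as typed on the ldapsearch command line."""
    if target in client.hosts:
        return client.hosts[target]
    if client.rdns:
        return reverse_dns[forward_dns[target]]
    return target


def simulate(client, target, forward_dns, reverse_dns, kdc, pool, attempts):
    """Bind `attempts` times through the VIP, which round-robins over `pool`.
    `kdc` maps principal -> key id the service ticket is encrypted under;
    a member validates the ticket only if it holds that same key id."""
    spn = spn_for(canonical_host(client, target, forward_dns, reverse_dns))
    members, results = cycle(pool), []
    for _ in range(attempts):
        member = next(members)
        if spn not in kdc:
            results.append((member.name, spn, ERR_NOT_FOUND))
        elif kdc[spn] in member.keytab.values():
            results.append((member.name, spn, OK))
        else:
            # Ticket encrypted under a key this member does not hold; the
            # thread reports this case as "Message stream modified".
            results.append((member.name, spn, ERR_MODIFIED))
    return results


def missing_shared_spn(pool, spn):
    """Pre-cutover check: every member behind the VIP must hold the key for
    the VIP's own principal (what sasl-host plus a shared keytab entry gives
    you on OpenLDAP). Returns the members that do not."""
    return [m.name for m in pool if spn not in m.keytab]


# --- constructed environment ---------------------------------------------
FORWARD_DNS = {"ldap.test.com": "10.0.0.10", "dc1.test.com": "10.0.0.1",
               "dc2.test.com": "10.0.0.2"}
REVERSE_DNS = {ip: name for name, ip in FORWARD_DNS.items()}
VIP_SPN = spn_for("ldap.test.com")

# Before: each DC has only its own ldap/<dc> principal and key.
KDC_BEFORE = {spn_for("dc1.test.com"): "key-dc1", spn_for("dc2.test.com"): "key-dc2"}
POOL_BEFORE = [PoolMember("dc1.test.com", {spn_for("dc1.test.com"): "key-dc1"}),
               PoolMember("dc2.test.com", {spn_for("dc2.test.com"): "key-dc2"})]

# After: the KDC also knows ldap/ldap.test.com and both members hold its key.
KDC_AFTER = {**KDC_BEFORE, VIP_SPN: "key-vip"}
POOL_AFTER = [PoolMember(m.name, {**m.keytab, VIP_SPN: "key-vip"}) for m in POOL_BEFORE]


def scenario_no_hosts_entry():
    """rdns=false, no /etc/hosts entry: client asks for ldap/ldap.test.com."""
    return simulate(Client(False, {}), "ldap.test.com", FORWARD_DNS, REVERSE_DNS,
                    KDC_BEFORE, POOL_BEFORE, 2)


def scenario_hosts_points_at_dc1():
    """/etc/hosts makes ldap.test.com canonicalise to dc1: works on dc1 only."""
    return simulate(Client(False, {"ldap.test.com": "dc1.test.com"}), "ldap.test.com",
                    FORWARD_DNS, REVERSE_DNS, KDC_BEFORE, POOL_BEFORE, 4)


def scenario_shared_vip_key():
    """Shared ldap/ldap.test.com key on every member: all binds succeed."""
    return simulate(Client(False, {}), "ldap.test.com", FORWARD_DNS, REVERSE_DNS,
                    KDC_AFTER, POOL_AFTER, 4)


if __name__ == "__main__":
    for scenario in (scenario_no_hosts_entry, scenario_hosts_points_at_dc1,
                     scenario_shared_vip_key):
        print(scenario.__doc__)
        for member, spn, outcome in scenario():
            print(f"  {member:13} {spn:28} {outcome}")
    print("members missing the VIP principal:", missing_shared_spn(POOL_BEFORE, VIP_SPN))
```

Run as a script it prints the three scenarios from the thread in order: the "Server not found" case, the alternating success/failure once /etc/hosts pins the name to dc1, and the all-success case once both members hold the VIP principal's key. How that last state is produced on Active Directory is not something the thread settles, so the "after" tables are shown only as a model of the end state.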