Re: testsaslauthd questions and problems
Toby.Russell at vattenfall.de
Fri Feb 10 01:37:41 EST 2006
Thank you for responding, Brane. Unfortunately there is no problem with my keytab.
After your tip I wondered if it was the absence of single DES keys (I'm only generating DES3 keys), and so feverishly generated the required single DES ones, checked them with klist -keK -- made no difference, the result is the same as before.
The question that remains is this: why is Kerberos seeing the action as a success, while saslauthd sees it as a failure? Here are two log entries from kdc.log. The first is the success from my early-morning kinit, the second the "failure" from saslauthd:
Feb 10 07:06:21 isuadm02 krb5kdc[14023](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.20.24.177: ISSUE: authtime 1139551581, etypes {rep=16 tkt=16 ses=16}, trussell at VATTENFALL.KRB.UNIX for krbtgt/VATTENFALL.KRB.UNIX at VATTENFALL.KRB.UNIX
Feb 10 07:07:40 isuadm02 krb5kdc[14023](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.20.24.177: ISSUE: authtime 1139551660, etypes {rep=16 tkt=16 ses=16}, trussell at VATTENFALL.KRB.UNIX for krbtgt/VATTENFALL.KRB.UNIX at VATTENFALL.KRB.UNIX
The only difference is the authtime. From testsaslauthd I get:
saslauthd[1805] :rel_accept_lock : released accept lock
saslauthd[1806] :get_accept_lock : acquired accept lock
saslauthd[1805] :do_auth : auth failure: [user=trussell] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
0: NO "authentication failed"
This is my slapd.conf:
keytab: /etc/krb5.keytab
pwcheck_method: saslauthd
mech_list: GSSAPI
log_level: 4
saslauthd_path: /var/state/saslauthd/mux # added this morning after reading Brane's mail
sasl-regexp
uid=(.*),cn=VATTENFALL.KRB.UNIX,cn=.*,cn=auth
ldap://ou=people,dc=corp,dc=vattenfall,dc=de??sub?(uid=$1)
There must be some simple explanation, but I'll be damned if I know what it is. Anyone?
Cheers
Toby
-----Original Message-----
From: Branko F. Gracnar [mailto:bfg at interseek.si]
Sent: Friday, 10 February 2006 00:23
To: cyrus-sasl at lists.andrew.cmu.edu
Cc: Russell Toby (VE I-XAE)
Subject: Re: testsaslauthd questions and problems
On Wednesday 08 February 2006 08:33, Toby.Russell at vattenfall.de wrote:
> Hello all,
>
> perhaps failure is a success, who knows... The result I get from:
>
> testsaslauthd -u trussell -p somepass -s lalala
>
> is this:
>
> saslauthd[1527] :rel_accept_lock : released accept lock
> saslauthd[1528] :get_accept_lock : acquired accept lock
> saslauthd[1527] :do_auth : auth failure: [user=trussell]
> [service=lalala] [realm=] [mech=kerberos5] [reason=saslauthd internal
> error] 0: NO "authentication failed"
Maybe you don't have sufficient secret keys in your krb5.keytab.
See http://www.openldap.org/faq/data/cache/944.html for more info. It solved
the same problem for me.
Best regards, Brane
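The two kdc.log entries quoted in the message can be compared field by field. The following is an added example, not part of the original post and not Cyrus SASL or Kerberos project code: it parses that log line shape, decodes the etype numbers, and reports which fields differ. The function and variable names are made up for illustration; the sample lines are the two quoted above.

```python
import re

# Kerberos encryption type numbers (IANA registry; RFC 3961 and successors).
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}

# Shape of the krb5kdc request lines quoted in the message. The list archive
# rewrote "@" as " at ", so both spellings are accepted.
LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+), +"
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+?)(?:@| at )(?P<crealm>\S+) "
    r"for (?P<server>\S+?)(?:@| at )(?P<srealm>\S+)"
)

# The two entries from the message: the kinit, then the saslauthd attempt.
_HEAD = ("isuadm02 krb5kdc[14023](info): AS_REQ "
         "(7 etypes {18 17 16 23 1 3 2}) 10.20.24.177: ISSUE: ")
_TAIL = ("etypes {rep=16 tkt=16 ses=16}, trussell at VATTENFALL.KRB.UNIX "
         "for krbtgt/VATTENFALL.KRB.UNIX at VATTENFALL.KRB.UNIX")
KINIT_LINE = f"Feb 10 07:06:21 {_HEAD}authtime 1139551581, {_TAIL}"
SASLAUTHD_LINE = f"Feb 10 07:07:40 {_HEAD}authtime 1139551660, {_TAIL}"

def parse(line):
    """Return the request fields as a dict, or None for non-matching lines."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(n) for n in rec["offered"].split()]
    for key in ("authtime", "rep", "tkt", "ses"):
        rec[key] = int(rec[key])
    return rec

def etype_name(n):
    return ETYPES.get(n, f"unknown({n})")

def differing_fields(a, b):
    """Names of parsed fields whose values differ between two entries."""
    return sorted(k for k in a if a[k] != b[k])

if __name__ == "__main__":
    first, second = parse(KINIT_LINE), parse(SASLAUTHD_LINE)
    print("differs:", differing_fields(first, second))
    print("ticket etype:", etype_name(second["tkt"]))
```
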