SASL [conn=2] Failure: GSSAPI Error: An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)

Christoph Spielmann cspielma at gup.jku.at
Fri Dec 7 05:12:13 EST 2007


Hi everybody!

At the moment we're trying to set up a Kerberos/OpenLDAP/SASL solution
for our department.

The kerberos-part works so far. So does the main OpenLDAP-server (with
SASL/GSSAPI) but when it comes to the replication-server of OpenLDAP we
are stuck.

The versions of heimdal, openldap and cyrus-sasl we're using on our
slave-server are:

 emerge -pv heimdal openldap cyrus-sasl

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] app-crypt/heimdal-1.0.1-r1  USE="berkdb ipv6 ldap ssl
-X" 0 kB [1]
[ebuild   R   ] net-nds/openldap-2.3.39-r1  USE="berkdb crypt ipv6
kerberos perl readline sasl ssl tcpd -debug -gdbm -minimal -odbc
-overlays -samba (-selinux) -slp -smbkrb5passwd" 0 kB
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.22-r2  USE="berkdb crypt java
kerberos ldap pam ssl -authdaemond -gdbm -mysql -ntlm_unsupported_patch
-postgres -sample -srp -urandom" 0 kB

The versions used on the master-server are:

emerge -pv heimdal openldap cyrus-sasl

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] app-crypt/heimdal-0.7.2-r3  USE="berkdb ipv6 ldap ssl -X
(-krb4%)" 0 kB
[ebuild     U ] net-nds/openldap-2.3.38 [2.3.35-r1] USE="berkdb crypt
ipv6 kerberos readline samba sasl smbkrb5passwd ssl tcpd -debug -gdbm
-minimal -odbc -overlays -perl* (-selinux) -slp" 3,714 kB
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.22-r2  USE="authdaemond berkdb
crypt kerberos ldap mysql pam ssl -gdbm -java -ntlm_unsupported_patch
-postgres -sample -srp -urandom" 0 kB

This is the slapd.conf of our replica-server:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Created: 2007-01-16 by rhopfer
#

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/krb5-kdc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/qmail.schema
include         /etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Set to -1 for full logging
loglevel -1

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
#security ssf=1 update_ssf=256 simple_bind=128
# TODO: higher security; currently errors when writing
#security simple_bind=128 update_ssf=56

#sasl-secprops noanonymous,noplain,minssf=128
#disallow bind_simple_unprotected

# Mapping of SASL authentication identities to LDAP entries
#
# uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth

# Since 2.3 sasl-regexp -> authz-regexp
#authz-regexp
#       uid=nssproxy,cn=(.*),cn=gssapi,cn=auth
#       ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??one?(cn=nssproxy)

#authz-regexp
#       uid=(.+),cn=.+,cn=.+,cn=auth
#       ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??sub?(|(uid=$1)(krb5PrincipalName=$1@GUP.UNI-LINZ.AC.AT))

# uid=<username>,cn=<mechanism>,cn=auth
#authz-regexp
#       uid=(.+)/.+\.gup.uni-linz.ac.at,cn=.+,cn=auth
#       ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??sub?uid=$1

authz-regexp
        uid=(.+),cn=.+,cn=auth
        ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??sub?(|(uid=$1)(krb5PrincipalName=$1@GUP.UNI-LINZ.AC.AT))

# map root from ldapi:// to ldapmaster
authz-regexp
        gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
        cn=ldapmaster,dc=gup,dc=uni-linz,dc=ac,dc=at

#authz-policy any

#
# ACLs
#
# TODO: move the ACLs into a separate file

# Make sure we do reverse lookups, needed for ACL's.
#reverse-lookup         on

#access to * by * read

#access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,memberUid
#       by dn="uid=nssproxy,ou=kerberos,dc=gup,dc=uni-linz,dc=ac,dc=at" read
#       by self read

# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5K
        by sockurl.regex="^ldapi://" write

# We will be using userPassword to provide simple BIND access, so we don't want
# krb5PrincipalName is needed so sasl-regexp/GSSAPI works correctly
access to attrs=userPassword,krb5PrincipalName
        by dn="uid=nssproxy,ou=kerberos,dc=gup,dc=uni-linz,dc=ac,dc=at" read
        by anonymous auth

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

access to dn.subtree="dc=gup,dc=uni-linz,dc=ac,dc=at"
        by self write
        by dn="uid=nssproxy,ou=kerberos,dc=gup,dc=uni-linz,dc=ac,dc=at" read
        by sockurl.regex="^ldapi://" write
        by users read
        by anonymous auth
        by * none

# SSL/TLS configuration
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
TLSCACertificateFile  /etc/openldap/certs/server.pem
#TLSCACertificateFile  /etc/openldap/certs/cacert.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
#TLSCertificateFile    /etc/openldap/certs/slapd_cert.pem
TLSCertificateKeyFile /etc/openldap/certs/server.pem
#TLSCertificateKeyFile /etc/openldap/certs/slapd_key.pem
#TLSVerifyClient allow
#TLSVerifyClient try
# TODO: enable TLS verification

# Misc. options
# Maximum number of entries to return from a search operation. Useful
# to prevent trolling of directory by spammers, etc.
sizelimit   100
# Maximum size of the primary thread pool.
threads     8
# Allows acceptance of LDAPv2 bind requests (required for mozilla)
allow bind_v2
# Require strong authentication
#require strong

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
#checkpoint     32      30 # <kbyte> <min>
suffix          "dc=gup,dc=uni-linz,dc=ac,dc=at"
#rootdn         "cn=manager,dc=gup,dc=uni-linz,dc=ac,dc=at"
rootdn          "cn=ldapmaster,dc=gup,dc=uni-linz,dc=ac,dc=at"
#rootpw         {MD5}wbG9YnECJLUSvWGc6KtSrw==

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data

# Indices to maintain
index   objectClass                     eq,pres
index   ou,cn,mail,surname,givenname    eq,pres,sub
index   uidNumber,gidNumber,loginShell  eq,pres
index   uid,memberUid                   eq,pres,sub
index   krb5PrincipalName               eq,pres
index   ipHostNumber                    eq,pres
index   macAddress                      eq,pres
#index  sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index entryCSN eq

# Required for simple bind
password-hash {CLEARTEXT}

# SASL configuration
sasl-host   slave.gup.uni-linz.ac.at
sasl-realm  GUP.UNI-LINZ.AC.AT

# Replication
#replogfile /var/lib/openldap-slurp/master-slapd.replog
#replica uri=ldap://pluto.gup.uni-linz.ac.at:389
#        bindmethod=sasl saslmech=gssapi
#        authcId=replicator@GUP.UNI-LINZ.AC.AT

updatedn uid=replicator,cn=gup.uni-linz.ac.at,cn=gssapi,cn=auth
updateref ldap://hera.gup.uni-linz.ac.at:389

For your information this is more or less the same configuration as the
main slapd with the few changes necessary for the replica-server...

testsaslauthd works, but when I try to connect to the replica-server with
ldapsearch I get the following:

ldapsearch -H ldap://slave.gup.uni-linz.ac.at cn=erebos
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

The log on the slave looks like this (I just post the interesting part):
...
Dec  7 10:55:01 slave slapd[5314]: do_bind
Dec  7 10:55:01 slave slapd[5314]: >>> dnPrettyNormal: <>
Dec  7 10:55:01 slave slapd[5314]: <<< dnPrettyNormal: <>, <>
Dec  7 10:55:01 slave slapd[5314]: do_sasl_bind: dn () mech GSSAPI
Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 BIND dn="" method=163
Dec  7 10:55:01 slave slapd[5314]: ==> sasl_bind: dn="" mech=GSSAPI
datalen=631
Dec  7 10:55:01 slave slapd[5314]: SASL [conn=2] Failure: GSSAPI Error: An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)
Dec  7 10:55:01 slave slapd[5314]: send_ldap_result: conn=2 op=1 p=3
Dec  7 10:55:01 slave slapd[5314]: send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context"
Dec  7 10:55:01 slave slapd[5314]: send_ldap_response: msgid=2 tag=97 err=49
Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
Dec  7 10:55:01 slave slapd[5314]: <== slap_sasl_bind: rc=49
Dec  7 10:55:01 slave slapd[5314]: daemon: activity on 1 descriptor
Dec  7 10:55:01 slave slapd[5314]: daemon: activity on:
Dec  7 10:55:01 slave slapd[5314]:  11r
...

When I use simple bind (and uncomment the line "access to * by * read"),
everything works as expected too, so something must be wrong with SASL...

When I send the same search query to the master-server (using the same
host as before) I get the desired results, so on the client side
everything seems to be okay.

The supported mechs on slave and master are:

slave:

ldapsearch -h slave -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5


master:

ldapsearch -h master -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

So the necessary mechs seem to be installed, but still I get the error
message above.

Does anybody have an idea what the problem could be? I'm out of ideas, so
I would appreciate any help I could get!

Regards,

Christoph Spielmann
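When the server side of a GSSAPI bind fails inside gss_accept_sec_context, one routine check is whether the keytab slapd reads contains the service principal implied by the sasl-host and sasl-realm settings, i.e. ldap/<sasl-host>@<sasl-realm>. The script below is an added example, not code from the post or from OpenLDAP, Cyrus SASL or Heimdal. It derives that principal name from the SASL fragment of the posted slapd.conf and looks for it in a keytab; the keytab bytes are constructed inline with placeholder timestamps and key material, and the conventional ldap/<host> naming is an assumption about the deployment. The post does not establish that a missing keytab entry is the cause of the reported error; this only shows how to rule it in or out.

```python
"""Check a keytab for the ldap/<sasl-host>@<sasl-realm> principal.

Added example; assumes the conventional ldap/<host>@<REALM> service name.
"""
import re
import struct

# Constructed slapd.conf fragment copied from the post's SASL settings.
SAMPLE_SLAPD_CONF = """\
# SASL configuration
sasl-host   slave.gup.uni-linz.ac.at
sasl-realm  GUP.UNI-LINZ.AC.AT
"""

KRB5_NT_PRINCIPAL = 1   # name type written into the constructed entries
ENCTYPE_AES256 = 18     # aes256-cts-hmac-sha1-96; constructed keys only


def expected_ldap_principal(slapd_conf):
    """Return ldap/<sasl-host>@<sasl-realm> parsed from slapd.conf text."""
    host = realm = None
    for raw in slapd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(sasl-host|sasl-realm)\s+(\S+)$", line)
        if m is None:
            continue
        if m.group(1) == "sasl-host":
            host = m.group(2)
        else:
            realm = m.group(2)
    if host is None or realm is None:
        raise ValueError("slapd.conf must set both sasl-host and sasl-realm")
    return "ldap/%s@%s" % (host, realm)


def _counted_string(buf, off):
    """Read a 16-bit length-prefixed string (keytab counted_octet_string)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def parse_keytab(data):
    """Parse a version 0x0502 keytab into (principal, kvno, enctype) tuples.
    Key bytes are skipped over and never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # deleted slot: skip |size| bytes
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", body[:2])
        realm, off = _counted_string(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(body, off)
            comps.append(comp)
        off += 4                           # name_type (present in 0x0502)
        off += 4                           # timestamp
        kvno = body[off]                   # 8-bit vno
        off += 1
        enctype, keylen = struct.unpack(">HH", body[off:off + 4])
        off += 4 + keylen                  # skip the key itself
        if off + 4 <= len(body):           # optional 32-bit vno overrides vno8
            (vno32,) = struct.unpack(">I", body[off:off + 4])
            if vno32:
                kvno = vno32
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def keytab_has_principal(data, principal):
    """True if any keytab entry is for exactly this principal."""
    return any(name == principal for name, _, _ in parse_keytab(data))


def _build_entry(principal, kvno, key):
    """Serialize one constructed keytab entry (sample data only)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">I", KRB5_NT_PRINCIPAL)
    body += struct.pack(">I", 1197000000)  # placeholder timestamp
    body += bytes([kvno & 0xFF])
    body += struct.pack(">HH", ENCTYPE_AES256, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed keytab: has the slave's host principal and the master's ldap
# principal, but NOT ldap/<slave host>, so the check below reports False.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _build_entry("host/slave.gup.uni-linz.ac.at@GUP.UNI-LINZ.AC.AT", 2, b"\x00" * 32)
    + _build_entry("ldap/hera.gup.uni-linz.ac.at@GUP.UNI-LINZ.AC.AT", 3, b"\x11" * 32)
)


def check_keytab_for_slapd(slapd_conf, keytab_bytes):
    """Return (expected principal, whether the keytab contains it)."""
    wanted = expected_ldap_principal(slapd_conf)
    return wanted, keytab_has_principal(keytab_bytes, wanted)


if __name__ == "__main__":
    wanted, present = check_keytab_for_slapd(SAMPLE_SLAPD_CONF, SAMPLE_KEYTAB)
    print("expected service principal:", wanted)
    print("present in keytab:", present)
    for name, kvno, enctype in parse_keytab(SAMPLE_KEYTAB):
        print("  keytab entry: %s kvno=%d enctype=%d" % (name, kvno, enctype))
```

On a real host the same functions can be pointed at the file slapd actually opens (the path is set through the Kerberos library's keytab configuration or environment, and must be readable by the slapd user), and the kvno reported per entry can be compared with the KDC's current key version, since a stale kvno also makes the accept side fail.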


More information about the Cyrus-sasl mailing list