SASL [conn=2] Failure: GSSAPI Error: An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)
Christoph Spielmann
cspielma at gup.jku.at
Fri Dec 7 05:12:13 EST 2007
Hi everybody!
At the moment we're trying to set up a Kerberos/OpenLDAP/SASL solution
for our department.
The Kerberos part works so far. So does the main OpenLDAP server (with
SASL/GSSAPI), but when it comes to the replication server of OpenLDAP we
are stuck.
The versions of heimdal, openldap and cyrus-sasl we're using on our
slave server are:
emerge -pv heimdal openldap cyrus-sasl
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] app-crypt/heimdal-1.0.1-r1 USE="berkdb ipv6 ldap ssl
-X" 0 kB [1]
[ebuild R ] net-nds/openldap-2.3.39-r1 USE="berkdb crypt ipv6
kerberos perl readline sasl ssl tcpd -debug -gdbm -minimal -odbc
-overlays -samba (-selinux) -slp -smbkrb5passwd" 0 kB
[ebuild R ] dev-libs/cyrus-sasl-2.1.22-r2 USE="berkdb crypt java
kerberos ldap pam ssl -authdaemond -gdbm -mysql -ntlm_unsupported_patch
-postgres -sample -srp -urandom" 0 kB
The versions used on the master server are:
emerge -pv heimdal openldap cyrus-sasl
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] app-crypt/heimdal-0.7.2-r3 USE="berkdb ipv6 ldap ssl -X
(-krb4%)" 0 kB
[ebuild U ] net-nds/openldap-2.3.38 [2.3.35-r1] USE="berkdb crypt
ipv6 kerberos readline samba sasl smbkrb5passwd ssl tcpd -debug -gdbm
-minimal -odbc -overlays -perl* (-selinux) -slp" 3,714 kB
[ebuild R ] dev-libs/cyrus-sasl-2.1.22-r2 USE="authdaemond berkdb
crypt kerberos ldap mysql pam ssl -gdbm -java -ntlm_unsupported_patch
-postgres -sample -srp -urandom" 0 kB
This is the slapd.conf of our replica server:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Created: 2007-01-16 by rhopfer
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/qmail.schema
include /etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Set to -1 for full logging
loglevel -1
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
#security ssf=1 update_ssf=256 simple_bind=128
# TODO: higher security; currently errors when writing
#security simple_bind=128 update_ssf=56
#sasl-secprops noanonymous,noplain,minssf=128
#disallow bind_simple_unprotected
# Mapping of SASL authentication identities to LDAP entries
#
# uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
# Since 2.3 sasl-regexp -> authz-regexp
#authz-regexp
# uid=nssproxy,cn=(.*),cn=gssapi,cn=auth
# ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??one?(cn=nssproxy)
#authz-regexp
# uid=(.+),cn=.+,cn=.+,cn=auth
# ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??sub?(|(uid=$1)(krb5PrincipalName=$1@GUP.UNI-LINZ.AC.AT))
# uid=<username>,cn=<mechanism>,cn=auth
#authz-regexp
# uid=(.+)/.+\.gup.uni-linz.ac.at,cn=.+,cn=auth
# ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??sub?uid=$1
authz-regexp
uid=(.+),cn=.+,cn=auth
ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??sub?(|(uid=$1)(krb5PrincipalName=$1@GUP.UNI-LINZ.AC.AT))
# map root from ldapi:// to ldapmaster
authz-regexp
gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
cn=ldapmaster,dc=gup,dc=uni-linz,dc=ac,dc=at
#authz-policy any
#
# ACLs
#
# TODO: move the ACLs out into their own file
# Make sure we do reverse lookups, needed for ACL's.
#reverse-lookup on
#access to * by * read
#access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,memberUid
# by dn="uid=nssproxy,ou=kerberos,dc=gup,dc=uni-linz,dc=ac,dc=at" read
# by self read
# Kerberos attributes may only be accessible to root/ldapmaster
access to
attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5K
by sockurl.regex="^ldapi://" write
# We will be using userPassword to provide simple BIND access, so we don't want
# krb5PrincipalName is needed so sasl-regexp/GSSAPI works correctly
access to attrs=userPassword,krb5PrincipalName
by dn="uid=nssproxy,ou=kerberos,dc=gup,dc=uni-linz,dc=ac,dc=at" read
by anonymous auth
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to dn.subtree="dc=gup,dc=uni-linz,dc=ac,dc=at"
by self write
by dn="uid=nssproxy,ou=kerberos,dc=gup,dc=uni-linz,dc=ac,dc=at" read
by sockurl.regex="^ldapi://" write
by users read
by anonymous auth
by * none
# SSL/TLS configuration
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/certs/server.pem
#TLSCACertificateFile /etc/openldap/certs/cacert.pem
TLSCertificateFile /etc/openldap/certs/server.pem
#TLSCertificateFile /etc/openldap/certs/slapd_cert.pem
TLSCertificateKeyFile /etc/openldap/certs/server.pem
#TLSCertificateKeyFile /etc/openldap/certs/slapd_key.pem
#TLSVerifyClient allow
#TLSVerifyClient try
# TODO: enable TLS verification
# Misc. options
# Maximum number of entries to return from a search operation. Useful
# to prevent trolling of directory by spammers, etc.
sizelimit 100
# Maximum size of the primary thread pool.
threads 8
# Allows acceptance of LDAPv2 bind requests (required for mozilla)
allow bind_v2
# Require strong authentication
#require strong
#######################################################################
# BDB database definitions
#######################################################################
database bdb
#checkpoint 32 30 # <kbyte> <min>
suffix "dc=gup,dc=uni-linz,dc=ac,dc=at"
#rootdn "cn=manager,dc=gup,dc=uni-linz,dc=ac,dc=at"
rootdn "cn=ldapmaster,dc=gup,dc=uni-linz,dc=ac,dc=at"
#rootpw {MD5}wbG9YnECJLUSvWGc6KtSrw==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index krb5PrincipalName eq,pres
index ipHostNumber eq,pres
index macAddress eq,pres
#index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index entryCSN eq
# Required for simple bind
password-hash {CLEARTEXT}
# SASL configuration
sasl-host slave.gup.uni-linz.ac.at
sasl-realm GUP.UNI-LINZ.AC.AT
# Replication
#replogfile /var/lib/openldap-slurp/master-slapd.replog
#replica uri=ldap://pluto.gup.uni-linz.ac.at:389
# bindmethod=sasl saslmech=gssapi
# authcId=replicator@GUP.UNI-LINZ.AC.AT
updatedn uid=replicator,cn=gup.uni-linz.ac.at,cn=gssapi,cn=auth
updateref ldap://hera.gup.uni-linz.ac.at:389
For your information, this is more or less the same configuration as the
main slapd, with the few changes necessary for the replica server...
testsaslauthd works, but when I try to connect to the replica server with
ldapsearch I get the following:
ldapsearch -H ldap://slave.gup.uni-linz.ac.at cn=erebos
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context
The log on the slave looks like this (I just post the interesting part):
...
Dec 7 10:55:01 slave slapd[5314]: do_bind
Dec 7 10:55:01 slave slapd[5314]: >>> dnPrettyNormal: <>
Dec 7 10:55:01 slave slapd[5314]: <<< dnPrettyNormal: <>, <>
Dec 7 10:55:01 slave slapd[5314]: do_sasl_bind: dn () mech GSSAPI
Dec 7 10:55:01 slave slapd[5314]: conn=2 op=1 BIND dn="" method=163
Dec 7 10:55:01 slave slapd[5314]: ==> sasl_bind: dn="" mech=GSSAPI
datalen=631
Dec 7 10:55:01 slave slapd[5314]: SASL [conn=2] Failure: GSSAPI Error:
An unsupported mechanism was requested (unknown mech-code 0 for mech
unknown)
Dec 7 10:55:01 slave slapd[5314]: send_ldap_result: conn=2 op=1 p=3
Dec 7 10:55:01 slave slapd[5314]: send_ldap_result: err=49 matched=""
text="SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context"
Dec 7 10:55:01 slave slapd[5314]: send_ldap_response: msgid=2 tag=97 err=49
Dec 7 10:55:01 slave slapd[5314]: conn=2 op=1 RESULT tag=97 err=49
text=SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
Dec 7 10:55:01 slave slapd[5314]: <== slap_sasl_bind: rc=49
Dec 7 10:55:01 slave slapd[5314]: daemon: activity on 1 descriptor
Dec 7 10:55:01 slave slapd[5314]: daemon: activity on:
Dec 7 10:55:01 slave slapd[5314]: 11r
...
When I use simple bind (and uncomment the line access to * by * read)
everything works as expected too, so something must be wrong with SASL...
When I send the same search query to the master server (using the same
host as before) I get the desired results, so on the client side
everything seems to be okay.
The supported mechs on slave and master are:
slave:
ldapsearch -h slave -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
master:
ldapsearch -h master -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
So the necessary mechs seem to be installed, but I still get the error
message above.
Does anybody have an idea what the problem could be? I'm out of ideas, so
I would appreciate any help I could get!
Regards,
Christoph Spielmann
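A failing gss_accept_sec_context on the server side of a GSSAPI bind is an acceptor-side problem, and the first thing a practitioner checks on the replica is whether slapd can find a key for the service principal it will present. slapd derives that principal as ldap/<sasl-host>@<sasl-realm>, so the directives shown in the slapd.conf above determine which keytab entry must exist. The script below is an added example and is not part of the original post or of OpenLDAP: it reads sasl-host and sasl-realm from a slapd.conf fragment, computes the expected service principal, and looks for it in a keytab listing. The keytab listings are constructed sample text in the shape of Heimdal's `ktutil -k /etc/krb5.keytab list` output; on a real host you would paste in the real command output (run as the user slapd runs as, so a permission problem on the keytab shows up too).

```python
"""Check that a replica's keytab holds the principal slapd's GSSAPI acceptor needs.

Added example, not code from the original mailing-list post. The expected
principal is ldap/<sasl-host>@<sasl-realm>; the keytab listings below are
CONSTRUCTED samples in the shape of Heimdal's 'ktutil list' output.
"""
import re

# Trimmed slapd.conf fragment using the values from the replica's configuration.
SAMPLE_SLAPD_CONF = """\
# SASL configuration
sasl-host slave.gup.uni-linz.ac.at
sasl-realm GUP.UNI-LINZ.AC.AT
updatedn uid=replicator,cn=gup.uni-linz.ac.at,cn=gssapi,cn=auth
"""

# Constructed listing: a host/ key for the replica and an ldap/ key for the
# master, but no ldap/ key for the replica itself (a typical misconfiguration).
SAMPLE_KEYTAB_BAD = """\
FILE:/etc/krb5.keytab

Vno  Type                     Principal
  2  des3-cbc-sha1            host/slave.gup.uni-linz.ac.at@GUP.UNI-LINZ.AC.AT
  5  aes256-cts-hmac-sha1-96  ldap/hera.gup.uni-linz.ac.at@GUP.UNI-LINZ.AC.AT
"""

# Constructed listing with the correct ldap/ service key for the replica.
SAMPLE_KEYTAB_GOOD = """\
FILE:/etc/krb5.keytab

Vno  Type                     Principal
  2  des3-cbc-sha1            host/slave.gup.uni-linz.ac.at@GUP.UNI-LINZ.AC.AT
  3  aes256-cts-hmac-sha1-96  ldap/slave.gup.uni-linz.ac.at@GUP.UNI-LINZ.AC.AT
  3  des3-cbc-sha1            ldap/slave.gup.uni-linz.ac.at@GUP.UNI-LINZ.AC.AT
"""


def parse_slapd_sasl(conf_text):
    """Return (sasl-host, sasl-realm) from slapd.conf text; None for unset values."""
    host = realm = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "sasl-host":
            host = value
        elif key == "sasl-realm":
            realm = value
    return host, realm


def expected_principal(host, realm, service="ldap"):
    """Service principal a GSSAPI acceptor in slapd presents for this host."""
    return f"{service}/{host}@{realm}"


def parse_keytab_listing(text):
    """Parse 'Vno Type Principal' rows into (kvno, enctype, principal) tuples."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$", line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def check_keytab(conf_text, keytab_text):
    """Return a dict with the expected principal, its kvnos and a list of problems."""
    host, realm = parse_slapd_sasl(conf_text)
    problems = []
    if host is None or realm is None:
        # slapd then falls back to the local hostname and the default realm,
        # which is exactly the kind of implicit value that goes wrong silently.
        problems.append("sasl-host and sasl-realm are not both set; expected principal is implicit")
        return {"ok": False, "principal": None, "kvnos": [], "problems": problems}
    if realm != realm.upper():
        problems.append(f"sasl-realm {realm!r} is not upper-case; Kerberos realms are case-sensitive")
    want = expected_principal(host, realm)
    entries = [r for r in parse_keytab_listing(keytab_text) if r[2] == want]
    kvnos = sorted({kvno for kvno, _, _ in entries})
    if not entries:
        others = sorted({p for _, _, p in parse_keytab_listing(keytab_text) if p.startswith("ldap/")})
        problems.append(f"{want} is missing from the keytab (ldap/ principals present: {others})")
    elif len(kvnos) > 1:
        problems.append(f"{want} has mixed key versions {kvnos}; stale keys may remain after a rekey")
    return {"ok": not problems, "principal": want, "kvnos": kvnos, "problems": problems}


if __name__ == "__main__":
    for label, listing in (("bad", SAMPLE_KEYTAB_BAD), ("good", SAMPLE_KEYTAB_GOOD)):
        result = check_keytab(SAMPLE_SLAPD_CONF, listing)
        print(label, result["principal"], "OK" if result["ok"] else result["problems"])
```

The check only tells you whether the key slapd needs is present under the name it will look for; it says nothing about whether the client obtained a ticket for that same name, so when the principal is present the next thing to compare is the service name in the client's ticket cache (klist) against it.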