Fwd: SASL LDAP authentication

Martin Schweizer schweizer.martin at gmail.com
Tue Nov 17 07:30:56 EST 2009


Hello Lars

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

I've read you use Cyrus IMAPd and Win AD as krb5 auth.
Is there any documentation out there on how to set this up?
We want to try that, too.

MfG,
Lars Schimmer
- --
- -------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAksCZ2oACgkQmWhuE0qbFyNn5QCdGAF7Rt0e1GAWwgtvIijN0vbl
VSQAn2UqBbUOGMoGPGNA89NzzDrhXrf8
=Vxhl
-----END PGP SIGNATURE-----


Attached you'll find a smart tutorial which I wrote based on my
experience. Hope it helps. Any hints are welcome.

Regards,

(Be careful, the lines are probably wrapped.)

FreeBSD 7.2: Authentication against Windows 2003 Domain controller
over Kerberos5
=================================================================================


The following setup I use to authenticate users on a mail server
(Cyrus Imapd) against Active Directory (but you can use it for any
other service too). In this case FreeBSD works as a Kerberos5 client.
Afterwards I'm able to authenticate with Kerberos5,
PAM and Cyrus SASL (over saslauthd -a pam or -a kerberos5).


/etc/krb5.keytab
================

The first step is to create a user in Active Directory (see Windows
domain controller) for the Unix host. You normally need krb5.keytab
only for service requests (for example from saslauthd -a kerberos5).

acsvfbsd06# ktutil -v list
FILE:/etc/krb5.keytab:

Vno  Type              Principal                                  Date
 4  arcfour-hmac-md5  host/acsvfbsd06.acutronic.ch@ACUTRONIC.CH  2009-09-08

ktutil: krb5_kt_start_seq_get krb4:/etc/srvtab: open(/etc/srvtab): No such file or directory

Hint: The entries in /etc/srvtab are not used in this case and the
message can be ignored. That file is only for Kerberos IV.

To create the /etc/krb5.keytab file you first have to export the key on
a domain controller and bind it to the user name created above:

C:\Programme\Support Tools>ktpass -princ host/acsvfbsd06.domain.tld@DOMAIN.TLD -crypto RC4-HMAC-NT -ptype KRB5_NT_SRV_INST -mapuser acsvfbsd06 -pass password -out 21.keytab
Targeting domain controller: acsv3k04.domain.tld
Using legacy password setting method
Successfully mapped host/acsvfbsd06.domain.tld to acsvfbsd06.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to 21.keytab:
Keytab version: 0x502
keysize 76 host/acsvfbsd06.domain.tld@DOMAIN.TLD ptype 2 (KRB5_NT_SRV_INST)
vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x5f92140f96a5ffbfa9fdf8fbae1ed02b)


Important: ptype must be KRB5_NT_SRV_INST! With any other type it
will not work, because Kerberos5 looks in this file for a key of
exactly this type. If the type is wrong you get, depending on the
circumstances, different error messages in /var/log/auth.log:

- saslauthd -a pam
Sep  2 08:42:22 acsvfbsd06 saslauthd[772]: pam_krb5:
verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not
found

- saslauthd -a kerberos5
Sep  2 08:42:22 acsvfbsd06 saslauthd[42062]: do_auth         : auth
failure: [user=user][service=imap] [realm=] [mech=kerberos5]
[reason=krb5_verify_user_optfailed]


After you have created the keytab file you have to transfer it securely
to the FreeBSD host. If a /etc/krb5.keytab already exists you can import
the new key into it as follows:

ktutil copy /usr/home/martin/21.keytab /etc/krb5.keytab

The file /etc/krb5.keytab has (after the creation) the following permissions:

-rw-------  1 root  wheel    86B  8 Sep 08:20 krb5.keytab
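The checks below are an added example, not part of the original post or of any of the tools mentioned. They take saved output of ktpass, ktutil and ls, plus /var/log/auth.log lines, as strings and tell you whether the keytab matches what pam_krb5 and saslauthd expect, and which of the two auth.log signatures above a failure line corresponds to. The sample outputs embedded in the script are constructed after the transcripts above, with the key bytes replaced by a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for the
# keytab step. Each function takes saved tool output as a string, so the
# checks run here against constructed samples and can be fed real output later.

# Constructed sample (after the ktpass transcript above, key bytes replaced by
# a placeholder).
KTPASS_OUT='Output keytab to 21.keytab:
Keytab version: 0x502
keysize 76 host/acsvfbsd06.domain.tld@DOMAIN.TLD ptype 2 (KRB5_NT_SRV_INST)
vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0xKEYBYTES_PLACEHOLDER)'

# Constructed sample: "ktutil -v list" on the FreeBSD host after the import.
KTUTIL_LIST='FILE:/etc/krb5.keytab:

Vno  Type              Principal                                  Date
 4  arcfour-hmac-md5  host/acsvfbsd06.domain.tld@DOMAIN.TLD  2009-09-08'

# Constructed sample: "ls -l /etc/krb5.keytab".
LS_LINE='-rw-------  1 root  wheel    86B  8 Sep 08:20 krb5.keytab'

# ktpass_ptype_ok OUTPUT FQDN REALM
# Succeeds when ktpass reported host/FQDN@REALM with ptype 2
# (KRB5_NT_SRV_INST), the type pam_krb5 and saslauthd -a kerberos5 look for.
ktpass_ptype_ok() {
    printf '%s\n' "$1" | grep -qF "host/$2@$3 ptype 2 (KRB5_NT_SRV_INST)"
}

# keytab_has_principal LISTING PRINCIPAL
# Succeeds when some entry's Principal column equals PRINCIPAL exactly.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { found = 1 } END { exit !found }'
}

# keytab_perms_ok LS_LINE
# Succeeds when the keytab is mode 0600 and owned by root, as shown above.
keytab_perms_ok() {
    # word-splitting the ls -l line into fields is intended here
    set -- $1
    [ "$1" = "-rw-------" ] && [ "$3" = "root" ]
}

# classify_auth_failure LOGLINE
# Prints what a /var/log/auth.log line points to:
#   keytab-ptype : the two signatures the post attributes to a wrong ptype
#   preauth      : the harmless "Additional pre-authentication required"
#   other        : anything else
classify_auth_failure() {
    case "$1" in
        *"krb5_kt_read_service_key(): Key table entry not found"*) echo keytab-ptype ;;
        *"reason=krb5_verify_user_opt"*)                          echo keytab-ptype ;;
        *"Additional pre-authentication required"*)               echo preauth ;;
        *)                                                         echo other ;;
    esac
}

# Run the checks against the constructed samples.
ktpass_ptype_ok "$KTPASS_OUT" acsvfbsd06.domain.tld DOMAIN.TLD && echo "ktpass: ptype ok"
keytab_has_principal "$KTUTIL_LIST" host/acsvfbsd06.domain.tld@DOMAIN.TLD && echo "keytab: host principal present"
keytab_perms_ok "$LS_LINE" && echo "keytab: permissions ok"
classify_auth_failure "Sep  2 08:42:22 acsvfbsd06 saslauthd[772]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found"
```

To use it on a live host, replace the three sample strings with `$(ktutil -v list)`, `$(ls -l /etc/krb5.keytab)` and the pasted ktpass summary, and pipe auth.log through a loop that calls classify_auth_failure on each line.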


kinit
=====
- The settings from /etc/krb5.conf are used.
- kinit creates a user-owned Kerberos ticket cache. It is located at
/tmp/krb5cc_<uid> (for example kinit as root => /tmp/krb5cc_0).

You can use kinit (without parameters) to test the basic Kerberos
mechanism on FreeBSD. In that case /etc/krb5.keytab is not used.


acsvfbsd06# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
       Principal: martin@DOMAIN.TLD
   Cache version: 4

Server: krbtgt/DOMAIN.TLD@DOMAIN.TLD
Ticket etype: arcfour-hmac-md5, kvno 2
Auth time:  Sep  8 07:40:45 2009
End time:   Sep  8 17:40:25 2009
Renew till: Sep 15 07:40:45 2009
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:192.168.x.y

Server: ldap/acsv3k04.domain.tld@DOMAIN.TLD
Ticket etype: arcfour-hmac-md5, kvno 22
Auth time:  Sep  8 07:40:45 2009
Start time: Sep  8 07:40:50 2009
End time:   Sep  8 17:40:25 2009
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:192.168.x.y

kinit -k <username> can be used to test the keytab file. If you get no
message then the authentication is OK and the tickets are deleted
immediately. If you get "kinit: krb5_get_init_creds: Additional
pre-authentication required", then only the pre-authentication has
failed (see under Windows domain controller).

ldapsearch
==========

Important: kinit must be executed first!

With ldapsearch you can test the LDAP functionality against the domain
controller:

acsvfbsd06# ldapsearch -v -LLL -b "OU=Mitgliedsserver,OU=ACH,DC=domain,DC=tld" -h acsv3k04.domain.tld description
ldap_initialize( ldap://acsv3k04.domain.tld )
SASL/GSSAPI authentication started
SASL username: martin@DOMAIN.TLD
SASL SSF: 56
SASL data security layer installed.
filter: (objectclass=*)
requesting: description
dn: OU=Mitgliedsserver,OU=ACH,DC=domain,DC=tld
[snip]

Important: If you use default_etypes_des in your /etc/krb5.conf,
ldapsearch will fail.

After the first ldapsearch query you get an additional Kerberos service
ticket for ldap/acsv3k04.domain.tld (see the klist output under kinit).



/etc/krb5.conf
==============
[libdefaults]
       default_realm = DOMAIN.TLD

[realms]
   DOMAIN.TLD = {
       kdc = acsv3k04.domain.tld:88
       }

[domain_realm]
       domain.tld = DOMAIN.TLD
       .domain.tld = DOMAIN.TLD
       .acsv3k04.domain.tld = DOMAIN.TLD
       acsv3k04.domain.tld = DOMAIN.TLD
       .acsvfbsd06.domain.tld = DOMAIN.TLD
       acsvfbsd06.domain.tld = DOMAIN.TLD
       acsvfbsd06 = DOMAIN.TLD


/etc/resolv.conf
================

domain domain.tld
nameserver 192.168.x.y



/etc/hosts
==========


With the entry below the domain controller is resolved without a DNS lookup.

192.168.10.2    acsv3k04.domain.tld


Cyrus SASL
==========


First you need to compile Cyrus SASL with all authentication mechanisms
(saslauthd -h shows which ones are compiled in):

acsvfbsd06# saslauthd -h
usage: saslauthd [options]

option information:
 -a <authmech>  Selects the authentication mechanism to use.
 -c             Enable credential caching.
 -d             Debugging (don't detach from tty, implies -V)
 -r             Combine the realm with the login before passing to
authentication mechanism
                Ex. login: "foo" realm: "bar" will get passed as
login: "foo at bar"
                The realm name is passed untouched.
 -O <option>    Optional argument to pass to the authentication
                mechanism.
 -l             Disable accept() locking. Increases performance, but
                may not be compatible with some operating systems.
 -m <path>      Alternate path for the saslauthd working directory,
                must be absolute.
 -n <procs>     Number of worker processes to create.
 -s <kilobytes> Size of the credential cache (in kilobytes)
 -t <seconds>   Timeout for items in the credential cache (in seconds)
 -v             Display version information and available mechs
 -V             Enable verbose logging
 -h             Display this message.

saslauthd 2.1.23
authentication mechanisms: sasldb getpwent kerberos5 pam rimap ldap

saslauthd is started from /etc/rc.conf with -a pam or -a kerberos5.


PAM
===

In my setup I use PAM for central authentication. If you use Cyrus
SASL/Imapd you need the service name "imap", so the
corresponding file in /etc/pam.d must be named imap.

/etc/pam.d/imap:
auth            required       pam_krb5.so  try_first_pass no_user_check
account         required       pam_krb5.so
password        required       pam_krb5.so
session         required       pam_krb5.so


pam_krb5.so:
Hint: pam_krb5.so does not check the Vno and encryption type
(arcfour-hmac-md5) fields of the keytab entry (see the source code in
/usr/src/lib/libpam/modules/pam_krb5).

pam_krb5.so looks for a principal
host/acsvfbsd06.domain.tld@DOMAIN.TLD with the type KRB5_NT_SRV_INST
(see krb5.keytab/ktpass).

In the current version of /usr/src/lib/libpam/modules/pam_krb5 there is
a long-outstanding bug (see PR
http://www.freebsd.org/cgi/query-pr.cgi?pr=76678&cat=). The problem is
that authentication only succeeds if the authenticated user also exists
in the local FreeBSD passwd file. To change this you have to apply the
patch below and set the option no_user_check in /etc/pam.d/imap (see
PAM).

Patch:
--- pam_krb5.c.orig      Tue Feb 10 10:13:20 2004
+++ pam_krb5.c   Sun Jan  9 23:58:36 2005
@@ -89,6 +89,7 @@
 #define PAM_OPT_FORWARDABLE     "forwardable"
 #define PAM_OPT_NO_CCACHE       "no_ccache"
 #define PAM_OPT_REUSE_CCACHE    "reuse_ccache"
+#define PAM_OPT_NO_USER_CHECK   "no_user_check"
 /*
 * authentication management
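Review bot: the new PAM_OPT_NO_USER_CHECK option is defined here but nothing in the patch documents it; the pam_krb5 man page and option table should state that no_user_check lets any principal the KDC accepts authenticate without a matching local password-database entry, so the operator knows that authorization then rests entirely on the service (here Cyrus) and its list of known users.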
@@ -213,11 +214,13 @@
                PAM_LOG("PAM_USER Redone");
        }
-        pwd = getpwnam(user);
-        if (pwd == NULL) {
-                retval = PAM_USER_UNKNOWN;
-                goto cleanup2;
-        }
+        if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
+                pwd = getpwnam(user);
+                if (pwd == NULL) {
+                        retval = PAM_USER_UNKNOWN;
+                        goto cleanup2;
+                }
+        }
        PAM_LOG("Done getpwnam()");
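Review bot: with no_user_check set, pwd is never assigned in this path, so every later use of pwd in the function (for example to pick the owner of the credential cache) needs a NULL guard that this hunk does not show; either add the guard, or initialize pwd to NULL at its declaration and check it at each use. The "Done getpwnam()" log line is also emitted when getpwnam() was skipped; move the PAM_LOG into the guarded block or reword it.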





Windows domain controller
=========================

As a guide you can use the following articles:
- http://technet.microsoft.com/en-us/library/bb742433.aspx
(Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability)
- Windows Security and Directory Services for UNIX v1.0 (only
available on download.microsoft.com).

As a first step you should create a user which has the same name as
your FreeBSD host. You need this user name in combination with ktpass
(see krb5.keytab). Additionally, your FreeBSD host should be resolvable
by DNS with both an A and a PTR record.

Do not use the Support Tools from Windows 2000, because their ktpass does
not have the same options (for example for the encryption type).

If you see error messages like the following in the Security event log
on your domain controller:

(sorry, only available in German)

Ereignistyp:    Fehlerüberw.
Ereignisquelle: Security
Ereigniskategorie:      Kontoanmeldung
Ereigniskennung:        675
Datum:          08.09.2009
Zeit:           08:22:00
Benutzer:               NT-AUTORITÄT\SYSTEM
Computer:       ACSV3K04
Beschreibung:
Fehlgeschlagene Vorbestätigung:
       Benutzername:   martin
       Benutzerkennung:                ACH\martin
       Dienstname:     krbtgt/DOMAIN.TLD
       Vorauthentifizierungstyp:       0x0
       Fehlercode:     0x19
       Clientadresse:  192.168.20.5

... then the user name was authenticated successfully. The error only
shows that the pre-authentication failed, see:

http://support.microsoft.com/kb/230476/en-us:

0x19 (KDC_ERR_PREAUTH_REQUIRED) "Additional pre-authentication"
The client did not send pre-authorization, or did not send the
appropriate type of pre-authorization, to receive a ticket.
The client will retry with the appropriate kind of pre-authorization
(the KDC returns the pre-authentication type in the
error). Many Kerberos implementations will start off without
preauthenticated data and only add it in a subsequent request
when it sees this error. In this case, this error can safely be ignored.
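As an added example (not part of the original post), a small triage script for this event: it pulls the event id, failure code and pre-authentication type out of the German event text and labels the 0x19 / 0x0 combination as the harmless first round described in the KB text, while any other 675 failure code is flagged for a look. The event text is constructed after the quote above; the second sample, with Fehlercode 0x18 (KDC_ERR_PREAUTH_FAILED, typically a wrong password), is not from the post and is there to show a case that must not be dismissed.

```shell
#!/bin/sh
# Added example, not part of the original post: triage of the Security-log
# event quoted above (Windows 2003, German UI). The event text is constructed
# after that quote; only the lines the functions read are kept.
EVENT_0X19='Ereigniskennung:        675
Beschreibung:
Fehlgeschlagene Vorbestätigung:
       Benutzername:   martin
       Benutzerkennung:                ACH\martin
       Dienstname:     krbtgt/DOMAIN.TLD
       Vorauthentifizierungstyp:       0x0
       Fehlercode:     0x19
       Clientadresse:  192.168.20.5'

# Constructed counter-example, not in the post: 0x18 is KDC_ERR_PREAUTH_FAILED
# (the encrypted-timestamp pre-authentication, type 0x2, was rejected, which
# typically means a wrong password) and must not be ignored.
EVENT_0X18='Ereigniskennung:        675
Beschreibung:
Fehlgeschlagene Vorbestätigung:
       Benutzername:   martin
       Benutzerkennung:                ACH\martin
       Dienstname:     krbtgt/DOMAIN.TLD
       Vorauthentifizierungstyp:       0x2
       Fehlercode:     0x18
       Clientadresse:  192.168.20.5'

# event_field EVENT NAME -> value after "NAME:" (first match, first word)
event_field() {
    printf '%s\n' "$1" | awk -v name="$2:" '$1 == name { print $2; exit }'
}

# triage_event_675 EVENT -> one of
#   preauth-negotiation : id 675, Fehlercode 0x19, Vorauthentifizierungstyp 0x0:
#                         the KDC asked for pre-authentication and the client
#                         will retry (the case the KB text above calls safe)
#   investigate         : id 675 with any other failure code, e.g. 0x18
#   not-675             : a different event id
triage_event_675() {
    ev_id=$(event_field "$1" Ereigniskennung)
    ev_code=$(event_field "$1" Fehlercode)
    ev_patype=$(event_field "$1" Vorauthentifizierungstyp)
    if [ "$ev_id" != 675 ]; then
        echo not-675
    elif [ "$ev_code" = 0x19 ] && [ "$ev_patype" = 0x0 ]; then
        echo preauth-negotiation
    else
        echo investigate
    fi
}

# event_summary EVENT -> "user from client -> code", handy for a ticket or SIEM note
event_summary() {
    printf '%s from %s -> %s\n' "$(event_field "$1" Benutzername)" \
        "$(event_field "$1" Clientadresse)" "$(event_field "$1" Fehlercode)"
}

for ev in "$EVENT_0X19" "$EVENT_0X18"; do
    echo "$(event_summary "$ev"): $(triage_event_675 "$ev")"
done
```

The field names are matched on the first word of each line, so the same functions work on an export of the event text; for an English-language domain controller only the three names passed to event_field need to change.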



Firewall
========
You need the following ports open to the domain controller: 88 (Kerberos),
53 (DNS) and 389 (LDAP).


DNS
===
To avoid DNS resolution problems it is a good idea to use a domain DNS
server in /etc/resolv.conf.

You also need this DNS record:
_kerberos           IN  TXT     DOMAIN.TLD
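An added example (not from the original post) that ties the krb5.conf, Firewall and DNS sections together: it reads default_realm and the KDC port out of the krb5.conf text given above and compares the _kerberos TXT record with the realm. The TXT answers are constructed and assume the output format of host(1) ("name descriptive text \"value\""); one of them carries a one-letter typo in the realm, another the lower-case spelling, and both are reported as mismatches because realm names are case-sensitive.

```shell
#!/bin/sh
# Added example, not part of the original post: checks that the realm in
# /etc/krb5.conf, the _kerberos TXT record and the KDC port agree. KRB5_CONF is
# the configuration from the post; the TXT answers are constructed and assume
# host(1)'s output format ("<name> descriptive text \"<value>\"").
KRB5_CONF='[libdefaults]
       default_realm = DOMAIN.TLD

[realms]
   DOMAIN.TLD = {
       kdc = acsv3k04.domain.tld:88
       }

[domain_realm]
       domain.tld = DOMAIN.TLD
       .domain.tld = DOMAIN.TLD'

TXT_OK='_kerberos.domain.tld descriptive text "DOMAIN.TLD"'
TXT_TYPO='_kerberos.domain.tld descriptive text "DOMAINT.TLD"'
TXT_CASE='_kerberos.domain.tld descriptive text "domain.tld"'

# krb5_default_realm CONF -> the default_realm value
krb5_default_realm() {
    printf '%s\n' "$1" | awk -F= '$1 ~ /^[ \t]*default_realm[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# krb5_kdc_port CONF -> port of the first kdc line, 88 when none is given
krb5_kdc_port() {
    printf '%s\n' "$1" | awk -F= '$1 ~ /^[ \t]*kdc[ \t]*$/ {
        gsub(/[ \t]/, "", $2); n = split($2, a, ":"); p = (n > 1) ? a[2] : 88; print p; exit }'
}

# txt_realm_matches HOSTOUT REALM
# Succeeds when the quoted TXT value equals REALM byte for byte: realm names
# are case-sensitive, so a lower-case record does not match.
txt_realm_matches() {
    txt_value=$(printf '%s\n' "$1" | awk -F'"' 'NF >= 2 { print $2; exit }')
    [ "$txt_value" = "$2" ]
}

# ports_needed CONF -> the ports from the Firewall section, with the KDC port
# taken from krb5.conf rather than assumed.
ports_needed() {
    echo "$(krb5_kdc_port "$1") 53 389"
}

REALM=$(krb5_default_realm "$KRB5_CONF")
echo "default_realm: $REALM, ports to open: $(ports_needed "$KRB5_CONF")"
for rec in "$TXT_OK" "$TXT_TYPO" "$TXT_CASE"; do
    if txt_realm_matches "$rec" "$REALM"; then echo "ok:       $rec"; else echo "mismatch: $rec"; fi
done
```

On a real host the TXT answer comes from `host -t txt _kerberos.domain.tld` (or `dig +short`, whose output has no prefix and would need the awk field adjusted), and KRB5_CONF from `cat /etc/krb5.conf`.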


Links
=====

- Kerberos: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html
- PAM: http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html
- Principal/ktpass: http://www.grolmsnet.de/kerbtut/

-- 
Martin Schweizer
schweizer.martin at gmail.com
Tel.: +41 32 512 48 54 (VoIP)
Fax: +1 619 3300587


More information about the Cyrus-sasl mailing list