Separating the realm with GSSAPI and Kerberos
Brian Candler
B.Candler at pobox.com
Fri Dec 31 08:36:15 EST 2010
I raised an issue in OpenLDAP (ITS#6757), and they suggested I bring it up
here. I'm able to replicate the behaviour in question with sample-server
and sample-client, so it's not OpenLDAP-specific, but it may just be a
misunderstanding about how the SASL API is supposed to be used.
The problem is when Kerberos cross-realm authentication is taking place.
Rather than splitting the username and realm, the server sees the full
Kerberos principal in 'Username', and the 'Realm' is empty.
In my test rig, the server is in realm WS.NSRC.ORG. The client is in a
different realm, REALM3.WS.NSRC.ORG. Cross-realm trust is working happily.
Here is what I see on the sample-server:
...
Negotiation complete
Username: student at REALM3.WS.NSRC.ORG
Realm: (NULL)
SSF: 56
...
What I want to know is, is this behaviour expected?
The OpenLDAP people are expecting Cyrus SASL to put the Kerberos realm into
the 'Realm', and this means that the authorization DN for SASL clients is
not how they document it.
I do notice one difference in the code:
Cyrus's sample-server uses sasl_getprop(...SASL_DEFUSERREALM...)
whereas OpenLDAP uses sasl_getprop(...SASL_REALM...)
Strangely, I can't find SASL_REALM defined anywhere (either in the openldap
source, or under /usr/include/sasl). If SASL_REALM is 3, the same as
SASL_DEFUSERREALM, then it might be clearer that this actually the default
realm and not the client's realm.
Anyway, the full logs from sample-client and sample-server are attached.
This is not a production network, so please feel free to decode whatever you
like out of the base64 :-)
Platform:
Ubuntu 10.04.1 (i686)
libsasl2-dev 2.1.23.dfsg1-5ubuntu1
libsasl2-modules-gssapi-mit 2.1.23.dfsg1-5ubuntu1
libkrb5-3 1.8.1+dfsg-2ubuntu0.4
libgssapi-krb5-2 1.8.1+dfsg-2ubuntu0.4
Thanks,
Brian Candler.
-------------- next part --------------
Script started on Fri 31 Dec 2010 13:06:18 UTC
]0;root at pc3: ~root at pc3:~# ./sample-client -s host -n noc.ws.nsrc.org
service=host
Waiting for mechanism list from server...
S: R1NTQVBJ
received 6 byte message
Choosing best mechanism from: GSSAPI
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: R1NTQVBJAGCCAmcGCSqGSIb3EgECAgEAboICVjCCAlKgAwIBBaEDAgEOogcDBQAgAAAAo4IBYWGCAV0wggFZoAMCAQWhDRsLV1MuTlNSQy5PUkeiIjAgoAMCAQOhGTAXGwRob3N0Gw9ub2Mud3MubnNyYy5vcmejggEdMIIBGaADAgESoQMCAQKiggELBIIBB1bdtb0wvuEFzgEYHcOe3xsCy/g07eF/aYsJKuAa5GpEZimVnXCckJzbH3XphDKKVYYxb6FD5mHZ4D29vKEwXO4mbYqyoYr2ubfE447Eury06WoStHnPLVFk/UZ9HHGg1SmFwo6xsmGiTNHg6AM1ea/x4TBoPt1/IwmCQ8Iy1KlvUbJz6+UwmRRCJboRH22qrkZhfPkxrFQSV+J+Lc7J//5bf5CUu90MiSEc0tRzWVdmBjHOqagw1d7F+puFcK/a8WPiz7kc9eakW8DCu/IQn/YWCcmjqDgxQtsiJM+Y4mpyuyzJ6/7sxxJnXHxKhVm+hDIU7p88ITi7ghl67B0ngBpX888Hz9ydpIHXMIHUoAMCARKigcwEgckYt7u5JbQR++WfeWOCdVR+MyLTVBUaADUocUsQfUghIGHvAqyXpvhAHtmBhyw53Lj4Tg9/uAlvez7UtfuSqk367bPxZZ0wpO3TgtG3Qumi7Me41JkCmgGtAYTbT7UX2fM9PlFOss7GKTteCYpR5IR9j1oYKAKFgpVFRN3JU3Cti0TbOAwp/OMO3MKpIEBg6FOh3j2ZzxQ/buOPgrms9KkWKCx1mBuv/ww9VafRz4KcUXYww/56D/qnTRdk6YHn3JDzIgpIKBMBWpE=
Waiting for server reply...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv9+wGF1zTnKk8cOI1glCSV7d2ZdU/W9NM0SBQVD9eR80zjyutH6dsFZELZwntXTgVZ2VzrUJzUm6VDRSHdgouHtsx18KohB6LkWSTKLaRP2rlr8gDVVEaJATOsaDuUUxnsl4fz3IQlI3NwG2gV1Rn
received 156 byte message
C:
Waiting for server reply...
S: BQQF/wAMAAAAAAAAIGadIAcACADVV2SWyFgBYQjGgjI=
received 32 byte message
Sending response...
C: BQQE/wAMAAAAAAAAJAavIQQACABGf24veox+Unj/tm8=
Negotiation complete
Username: student at REALM3.WS.NSRC.ORG
SSF: 56
Waiting for encoded message...
S: AAAASgUEB/8AAAAAAAAAACBmnSEWwzoBJGiUy8GYzM5PHQtYFCPgiujAv/peAVoxqaZBJi8I69Vd6UAhHSu6WxIUzH75Tp0ELowHP5MV
received 78 byte message
received decoded message 'srv message 1'
sending encrypted message 'client message 1'
C: AAAATQUEBv8AAAAAAAAAACQGryJPsTaZHh+WHbCo6gD+QXegMIbFFKxJhbEh/9KRD/r8ZxGTEtPszRrEcowJoIzSCXHQcCpmN2VPnYuKmk8H
]0;root at pc3: ~root at pc3:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: student at REALM3.WS.NSRC.ORG
Valid starting Expires Service principal
12/31/10 12:46:57 01/01/11 12:46:54 krbtgt/REALM3.WS.NSRC.ORG at REALM3.WS.NSRC.ORG
12/31/10 12:47:31 01/01/11 12:46:54 krbtgt/WS.NSRC.ORG at REALM3.WS.NSRC.ORG
12/31/10 12:47:31 12/31/10 22:47:31 host/noc.ws.nsrc.org at WS.NSRC.ORG
]0;root at pc3: ~root at pc3:~# exit
Script done on Fri 31 Dec 2010 13:07:24 UTC
-------------- next part --------------
Script started on Fri 31 Dec 2010 13:06:03 UTC
]0;root at noc: ~/sasl-examplesroot at noc:~/sasl-examples# ./sample-server -s host -m GSSAPI
Forcing use of mechanism GSSAPI
Sending list of 1 mechanism(s)
S: R1NTQVBJ
Waiting for client mechanism...
C: R1NTQVBJAGCCAmcGCSqGSIb3EgECAgEAboICVjCCAlKgAwIBBaEDAgEOogcDBQAgAAAAo4IBYWGCAV0wggFZoAMCAQWhDRsLV1MuTlNSQy5PUkeiIjAgoAMCAQOhGTAXGwRob3N0Gw9ub2Mud3MubnNyYy5vcmejggEdMIIBGaADAgESoQMCAQKiggELBIIBB1bdtb0wvuEFzgEYHcOe3xsCy/g07eF/aYsJKuAa5GpEZimVnXCckJzbH3XphDKKVYYxb6FD5mHZ4D29vKEwXO4mbYqyoYr2ubfE447Eury06WoStHnPLVFk/UZ9HHGg1SmFwo6xsmGiTNHg6AM1ea/x4TBoPt1/IwmCQ8Iy1KlvUbJz6+UwmRRCJboRH22qrkZhfPkxrFQSV+J+Lc7J//5bf5CUu90MiSEc0tRzWVdmBjHOqagw1d7F+puFcK/a8WPiz7kc9eakW8DCu/IQn/YWCcmjqDgxQtsiJM+Y4mpyuyzJ6/7sxxJnXHxKhVm+hDIU7p88ITi7ghl67B0ngBpX888Hz9ydpIHXMIHUoAMCARKigcwEgckYt7u5JbQR++WfeWOCdVR+MyLTVBUaADUocUsQfUghIGHvAqyXpvhAHtmBhyw53Lj4Tg9/uAlvez7UtfuSqk367bPxZZ0wpO3TgtG3Qumi7Me41JkCmgGtAYTbT7UX2fM9PlFOss7GKTteCYpR5IR9j1oYKAKFgpVFRN3JU3Cti0TbOAwp/OMO3MKpIEBg6FOh3j2ZzxQ/buOPgrms9KkWKCx1mBuv/ww9VafRz4KcUXYww/56D/qnTRdk6YHn3JDzIgpIKBMBWpE=
got 'GSSAPI'
Sending response...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv9+wGF1zTnKk8cOI1glCSV7d2ZdU/W9NM0SBQVD9eR80zjyutH6dsFZELZwntXTgVZ2VzrUJzUm6VDRSHdgouHtsx18KohB6LkWSTKLaRP2rlr8gDVVEaJATOsaDuUUxnsl4fz3IQlI3NwG2gV1Rn
Waiting for client reply...
C:
got ''
Sending response...
S: BQQF/wAMAAAAAAAAIGadIAcACADVV2SWyFgBYQjGgjI=
Waiting for client reply...
C: BQQE/wAMAAAAAAAAJAavIQQACABGf24veox+Unj/tm8=
got '?'
Negotiation complete
Username: student at REALM3.WS.NSRC.ORG
Realm: (NULL)
SSF: 56
sending encrypted message 'srv message 1'
S: AAAASgUEB/8AAAAAAAAAACBmnSEWwzoBJGiUy8GYzM5PHQtYFCPgiujAv/peAVoxqaZBJi8I69Vd6UAhHSu6WxIUzH75Tp0ELowHP5MV
Waiting for encrypted message...
C: AAAATQUEBv8AAAAAAAAAACQGryJPsTaZHh+WHbCo6gD+QXegMIbFFKxJhbEh/9KRD/r8ZxGTEtPszRrEcowJoIzSCXHQcCpmN2VPnYuKmk8H
got ''
recieved decoded message 'client message 1'
]0;root at noc: ~/sasl-examplesroot at noc:~/sasl-examples# exit
Script done on Fri 31 Dec 2010 13:07:25 UTC
More information about the Cyrus-sasl
mailing list