GSSAPI / SASL problems of sasl2-bin on Ubuntu 10.04.4

Dan White dwhite at olp.net
Mon Jul 9 13:15:23 EDT 2012


On 07/09/12 21:10 +0800, John Mok wrote:
>Hi Dan,
>
>Thanks for your prompt reply.
>
>>Your postfix process is retrieving information, such as postmaps, from an
>>openldap server, using gssapi authentication? Or are you retrieving your
>>postmaps from an Active Directory server?
>
>Yes, I retrieve postmaps from OpenLDAP server using GSSAPI authentication.
>
>>klist (verify that you have a TGT)
>>
>>ldapwhoami -O maxssf=0 -Y GSSAPI ...
>>
>>and use wireshark to capture the interaction, which will show you any
>>errors that the KDC may be providing over the network.
>
>I captured the packets and did not see any particular Kerberos errors 
>from the KDC.

Do you have a TGT in the output of klist?

After performing the ldapwhoami, do you see an ldap/a.b.c@B.C service
ticket in your ticket cache?

>>Is the keytab file being used by postfix, by openldap, or both?
>>
>>Where is your keytab file located? If it is not located in
>>/etc/krb5.keytab, then you will need to add some configuration for
>
>I put the service principals in the default keytab file at 
>/etc/krb5.keytab, and the OpenLDAP user has read access to the 
>keytab.
>
>I succeeded in making it work on Ubuntu 8.04.4, any idea why it did 
>not work out on Ubuntu 10.04.4?

No.

>On 7/6/2012 11:54 PM, Dan White wrote:
>>On 07/06/12 23:11 +0800, John Mok wrote:
>>>When I tried libsasl2-modules-gssapi-mit, it returned (key table 
>>>entry not found). When I tried libsasl2-modules-gssapi-heimdal, 
>>>it returned "No credentials were supplied, or the credentials 
>>>were unavailable or inaccessible ...". I checked with ktutil list 
>>>and it listed the kerberos principals from Windows 2003 
>>>correctly.

Do you see any errors in syslog on the openldap server when restarting
slapd? Do you see any relevant log activity on your kdc when you restart
slapd?

Are you sure that slapd is searching for the correct entry within your
keytab? You may need to specify olcSaslHost and/or olcSaslRealm in your
slapd-config to tell it which entry to use.

I have seen packet size problems before in this scenario, when talking to
an Active Directory server, and had to add this to my /etc/krb5.conf file
(notice the tcp/ addition):

[realms]
         EXAMPLE.COM = {
                 kdc = tcp/windows01.example.com
                 kdc = windows01.example.com
                 admin_server = windows01.example.com
         }

>>for the client side ldapwhoami attempt, try:
>>
>>klist (verify that you have a TGT)
>>
>>ldapwhoami -O maxssf=0 -Y GSSAPI ...
>>
>>and use wireshark to capture the interaction, which will show you any
>>errors that the KDC may be providing over the network.
>>
>>adding '-d -1' may also be helpful. Check your syslog output (auth
>>facility) for any sasl errors.

-- 
Dan White
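As an added illustration of the checks discussed in this thread (is there a TGT and an ldap/ service ticket in the cache after ldapwhoami, and does the keytab hold the entry slapd will actually look for), here is a small Python diagnostic that is not from the thread or from the Cyrus SASL project. It parses the text that `klist` and `klist -k` print and reports what is missing. The listings, hostnames, realm and user name are constructed placeholders; the principal form service/host@REALM is the one the GSSAPI mechanism on the server resolves from the SASL service name plus the SASL host and realm (olcSaslHost / olcSaslRealm in slapd-config), which is why a keytab entry for a short hostname is not found when slapd uses the FQDN.

```python
import re
from typing import List, Optional

# Constructed sample in the shape of `klist -k /etc/krb5.keytab` (MIT).
# Note the short-hostname entry: it will not satisfy a lookup for the FQDN.
SAMPLE_KEYTAB_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldap01.example.com@EXAMPLE.COM
   3 ldap/ldap01.example.com@EXAMPLE.COM
   2 ldap/ldap01@EXAMPLE.COM
"""

# Constructed sample in the shape of `klist` (credential cache) taken after a
# successful `ldapwhoami -O maxssf=0 -Y GSSAPI -H ldap://ldap01.example.com`.
SAMPLE_CACHE_LISTING = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
07/09/12 09:00:00    07/09/12 19:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM
07/09/12 09:00:05    07/09/12 19:00:00    ldap/ldap01.example.com@EXAMPLE.COM
"""


def keytab_principals(listing: str) -> List[str]:
    """Principal names from a `klist -k` listing: rows of '<KVNO> <principal>'."""
    principals = []
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(2))
    return principals


def cache_service_principals(listing: str) -> List[str]:
    """Service principals (last column) from the ticket rows of a `klist` listing."""
    principals = []
    for line in listing.splitlines():
        parts = line.split()
        # Ticket rows start with a date; header and cache/principal lines do not.
        if len(parts) >= 5 and parts[0][0].isdigit() and "@" in parts[-1]:
            principals.append(parts[-1])
    return principals


def expected_service_principal(service: str, sasl_host: str, realm: str) -> str:
    """Entry the server's GSSAPI mechanism will look up: <service>/<sasl host>@<realm>."""
    return f"{service}/{sasl_host}@{realm}"


def check_keytab(listing: str, service: str, sasl_host: str, realm: str) -> Optional[str]:
    """None if the keytab holds the expected entry, else a diagnostic naming the
    near-misses (the situation behind a 'key table entry not found' error)."""
    expected = expected_service_principal(service, sasl_host, realm)
    present = keytab_principals(listing)
    if expected in present:
        return None
    near_misses = [p for p in present if p.startswith(service + "/")]
    return (f"{expected} is not in the keytab; {service}/ entries present: "
            f"{near_misses}. Check olcSaslHost/olcSaslRealm or re-export the key.")


def check_ticket_cache(listing: str, realm: str, service_principal: str) -> List[str]:
    """Problems with the client-side cache after an ldapwhoami attempt:
    no TGT (kinit needed) or no service ticket (the GSSAPI bind never got a
    ticket from the KDC, so look at the KDC log / capture next)."""
    problems = []
    tickets = cache_service_principals(listing)
    tgt = f"krbtgt/{realm}@{realm}"
    if tgt not in tickets:
        problems.append(f"no TGT {tgt} in cache; run kinit first")
    if service_principal not in tickets:
        problems.append(f"no service ticket for {service_principal}; "
                        "the KDC did not issue one for the GSSAPI bind")
    return problems


if __name__ == "__main__":
    svc = expected_service_principal("ldap", "ldap01.example.com", "EXAMPLE.COM")
    print("keytab:", check_keytab(SAMPLE_KEYTAB_LISTING, "ldap", "ldap01.example.com",
                                  "EXAMPLE.COM") or "ok")
    print("keytab (wrong host):", check_keytab(SAMPLE_KEYTAB_LISTING, "ldap",
                                               "mail01.example.com", "EXAMPLE.COM"))
    print("cache:", check_ticket_cache(SAMPLE_CACHE_LISTING, "EXAMPLE.COM", svc) or "ok")
```

On a real host the two listings come from `klist -k /etc/krb5.keytab` (as the user slapd runs as, which also exercises the read permission on the file) and from `klist` in the shell where ldapwhoami was run; the realm and SASL host are whatever slapd-config sets.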