From sachi059 at gmail.com Wed May 1 23:57:27 2019
From: sachi059 at gmail.com (sachidananda sahu)
Date: Thu, 2 May 2019 09:27:27 +0530
Subject: No worthy mechs found error in SASL library
Message-ID:

Hi All,

I recently upgraded the cyrus sasl library to version 2.1.27, and during bind I am getting the error "no mechanism available: No worthy mechs found".

Then I checked the data structure of the mech list in the sasl_client_start function (lib/client.c): in conn->mech_list only one entry exists, which is external. For this to work it should contain another entry, gssapiv2, which is not there now.

Can anyone help with when these mechs get filled? Do I need to add any configuration?

After getting the source code I modified it to solve a cross-compilation issue, using these 2 patches for m4/sasl2.m4 and generating new code with autoconf.

https://github.com/NixOS/nixpkgs/commit/b13af1e87b26a3ee7d81c4b237710a93e1f243e8#diff-8ed960f8cd7aae64c626d5dd91898211
https://github.com/openembedded/meta-openembedded/blob/master/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/avoid-to-call-AC_TRY_RUN.patch

--
Regards,
Sachidananda Sahu

From jan-fon.fan at intel.com Thu May 23 14:47:32 2019
From: jan-fon.fan at intel.com (Fan, Jan-fon)
Date: Thu, 23 May 2019 18:47:32 +0000
Subject: Kerberos authentication using GSSAPI
Message-ID: <684040828C8F6840861208EC965902B2AEFE498E@ORSMSX103.amr.corp.intel.com>

Hi,
I have been using a Python client script to do the authentication in our Linux environment and it's working properly.
Now I need to write a C program to do the authentication and I am choosing Cyrus 2.1.27.
After installation, I ran pluginviewer and it showed:

Installed and properly configured SASL (client side) mechanisms are:
  GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
  GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS

So I think the installation is OK.

But after more than one week of trying, I am not able to make it work. Currently I got "generic failure" error message from the sasl_client_step.
I would appreciate it if someone could send me a sample client program using the GSSAPI mechanism.
Below is my code:

    int result;
    const char *data;
    unsigned len;
    const char *sasl_impl, *sasl_ver;
    sasl_interact_t *interactions = NULL;
    sasl_conn_t *conn;
    const char *chosenmech;
    char buf[2048];

    sasl_security_properties_t secprops = {56, 256, 2048, SASL_SEC_PASS_CREDENTIALS, NULL, NULL };

    sasl_callback_t callbacks[] = {
        { SASL_CB_AUTHNAME, NULL, NULL },
        { SASL_CB_PASS, NULL, NULL },
        { SASL_CB_LIST_END, NULL, NULL }};

    result = sasl_client_init(callbacks);

    result = sasl_client_new("HTTP", "SCVIMOPXJDAPP01.INTEL.COM", NULL, NULL, NULL, callbacks, SASL_SUCCESS_DATA, &conn);

    sasl_setprop(conn, SASL_SEC_PROPS, &secprops);

    result=sasl_client_start(conn, "GSSAPI", &interactions, &data, &len, &chosenmech);

    result = sasl_client_step(conn, NULL, NULL, NULL, &data, &len);
    while (result == SASL_CONTINUE) {
        strcpy(buf, data);
        data=NULL;
        result = sasl_client_step(conn, buf, len, NULL, &data, &len);
    }

After the while loop, the result is -1 (generic failure).

Thanks,
Jan

From simo at redhat.com Thu May 23 16:04:08 2019
From: simo at redhat.com (Simo Sorce)
Date: Thu, 23 May 2019 16:04:08 -0400
Subject: Kerberos authentication using GSSAPI
In-Reply-To: <684040828C8F6840861208EC965902B2AEFE498E@ORSMSX103.amr.corp.intel.com>
References: <684040828C8F6840861208EC965902B2AEFE498E@ORSMSX103.amr.corp.intel.com>
Message-ID: <49a671e43c0639eaf55a0da0c5d5f69da13cd87a.camel@redhat.com>

Are you able to obtain proper kerberos credentials outside of sasl?

I would make sure you can manually get that going first.

Simo.

On Thu, 2019-05-23 at 18:47 +0000, Fan, Jan-fon wrote:
> Hi,
> I have been using a Python client script to do the authentication in our Linux environment and it's working properly.
> Now I need to write a C program to do the authentication and I am choosing Cyrus 2.1.27.
> After installation, I ran pluginviewer and it showed:
>
> Installed and properly configured SASL (client side) mechanisms are:
> GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
> Available SASL (client side) mechanisms matching your criteria are:
> GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>
> So I think the installation is OK.
>
> But after more than one week of trying, I am not able to make it work. Currently I got "generic failure" error message from the sasl_client_step.
> I would appreciate it if someone could send me a sample client program using the GSSAPI mechanism.
> Below is my code:
>
> int result;
> const char *data;
> unsigned len;
> const char *sasl_impl, *sasl_ver;
> sasl_interact_t *interactions = NULL;
> sasl_conn_t *conn;
> const char *chosenmech;
> char buf[2048];
>
> sasl_security_properties_t secprops = {56, 256, 2048, SASL_SEC_PASS_CREDENTIALS, NULL, NULL };
>
> sasl_callback_t callbacks[] = {
>     { SASL_CB_AUTHNAME, NULL, NULL },
>     { SASL_CB_PASS, NULL, NULL },
>     { SASL_CB_LIST_END, NULL, NULL }};
>
> result = sasl_client_init(callbacks);
>
> result = sasl_client_new("HTTP", "SCVIMOPXJDAPP01.INTEL.COM", NULL, NULL, NULL, callbacks, SASL_SUCCESS_DATA, &conn);
>
> sasl_setprop(conn, SASL_SEC_PROPS, &secprops);
>
> result=sasl_client_start(conn, "GSSAPI", &interactions, &data, &len, &chosenmech);
>
> result = sasl_client_step(conn, NULL, NULL, NULL, &data, &len);
> while (result == SASL_CONTINUE) {
>     strcpy(buf, data);
>     data=NULL;
>     result = sasl_client_step(conn, buf, len, NULL, &data, &len);
> }
>
> After the while loop, the result is -1 (generic failure).
>
> Thanks,
> Jan

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

From jan-fon.fan at intel.com Thu May 23 17:22:20 2019
From: jan-fon.fan at intel.com (Fan, Jan-fon)
Date: Thu, 23 May 2019 21:22:20 +0000
Subject: Kerberos authentication using GSSAPI
In-Reply-To: <49a671e43c0639eaf55a0da0c5d5f69da13cd87a.camel@redhat.com>
References: <684040828C8F6840861208EC965902B2AEFE498E@ORSMSX103.amr.corp.intel.com> <49a671e43c0639eaf55a0da0c5d5f69da13cd87a.camel@redhat.com>
Message-ID: <684040828C8F6840861208EC965902B2AEFE4CB5@ORSMSX103.amr.corp.intel.com>

Hi Simo,

Yes, I can use a Kerberos client script in Python to authenticate successfully. Below is the result of the Python script, in which you can see that I can get the key from the KDC after being authenticated.

iscca3005:jfan:252: KerberosTicket.py
Got key and prepare for web service call:
'Authorization': 'Negotiate '

Thank you.
Jan

-----Original Message-----
From: Simo Sorce [mailto:simo at redhat.com]
Sent: Thursday, May 23, 2019 1:04 PM
To: Fan, Jan-fon ; Cyrus-sasl at lists.andrew.cmu.edu
Subject: Re: Kerberos authentication using GSSAPI

Are you able to obtain proper kerberos credentials outside of sasl?

I would make sure you can manually get that going first.

Simo.

On Thu, 2019-05-23 at 18:47 +0000, Fan, Jan-fon wrote:
> Hi,
> I have been using a Python client script to do the authentication in our Linux environment and it's working properly.
> Now I need to write a C program to do the authentication and I am choosing Cyrus 2.1.27.
> After installation, I ran pluginviewer and it showed:
>
> Installed and properly configured SASL (client side) mechanisms are:
> GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN
> ANONYMOUS Available SASL (client side) mechanisms matching your criteria are:
> GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN
> ANONYMOUS
>
> So I think the installation is OK.
>
> But after more than one week of trying, I am not able to make it work. Currently I got "generic failure" error message from the sasl_client_step.
> I would appreciate it if someone could send me a sample client program using the GSSAPI mechanism.
> Below is my code:
>
> int result;
> const char *data;
> unsigned len;
> const char *sasl_impl, *sasl_ver;
> sasl_interact_t *interactions = NULL;
> sasl_conn_t *conn;
> const char *chosenmech;
> char buf[2048];
>
> sasl_security_properties_t secprops = {56, 256, 2048,
> SASL_SEC_PASS_CREDENTIALS, NULL, NULL };
>
> sasl_callback_t callbacks[] = {
>     { SASL_CB_AUTHNAME, NULL, NULL },
>     { SASL_CB_PASS, NULL, NULL },
>     { SASL_CB_LIST_END, NULL, NULL }};
>
> result = sasl_client_init(callbacks);
>
> result = sasl_client_new("HTTP", "SCVIMOPXJDAPP01.INTEL.COM", NULL,
> NULL, NULL, callbacks, SASL_SUCCESS_DATA, &conn);
>
> sasl_setprop(conn, SASL_SEC_PROPS, &secprops);
>
> result=sasl_client_start(conn, "GSSAPI", &interactions, &data, &len,
> &chosenmech);
>
> result = sasl_client_step(conn, NULL, NULL, NULL, &data, &len); while
> (result == SASL_CONTINUE) {
>     strcpy(buf, data);
>     data=NULL;
>     result = sasl_client_step(conn, buf, len, NULL, &data,
> &len); }
>
> After the while loop, the result is -1 (generic failure).
>
> Thanks,
> Jan

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

From quanah at symas.com Thu May 23 17:36:30 2019
From: quanah at symas.com (Quanah Gibson-Mount)
Date: Thu, 23 May 2019 14:36:30 -0700
Subject: Kerberos authentication using GSSAPI
In-Reply-To: <684040828C8F6840861208EC965902B2AEFE498E@ORSMSX103.amr.corp.intel.com>
References: <684040828C8F6840861208EC965902B2AEFE498E@ORSMSX103.amr.corp.intel.com>
Message-ID:

--On Thursday, May 23, 2019 7:47 PM +0000 "Fan, Jan-fon" wrote:

> I would appreciate it if someone could send me a sample client program
> using the GSSAPI mechanism.

There is a sample server and sample client that are in the source tarball. You could also look at what OpenLDAP's clients do. Source for OpenLDAP is also freely available.

Hope that helps!

--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
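
Added example, not written by any poster in this thread and not Cyrus SASL code: the client loop posted above copies each token with strcpy(buf, data), but GSSAPI tokens are binary and their size is the len value returned alongside data, so the block below shows where strcpy would stop and a length-checked copy in its place. The helper names are hypothetical and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_BUF_SIZE 2048 /* same size as buf[] in the posted client */

/* How many bytes strcpy() would move for this token: it stops at the first
 * zero byte. With no zero byte inside len, it would read past the token. */
size_t bytes_copied_by_strcpy(const unsigned char *tok, size_t len)
{
    const unsigned char *nul = memchr(tok, 0, len);
    return nul ? (size_t)(nul - tok) : len;
}

/* Length-aware copy driven by the length reported with the token.
 * Returns 0 on success, -1 if the token is missing or does not fit. */
int copy_token(unsigned char *dst, size_t dst_size,
               const unsigned char *tok, size_t len)
{
    if (dst == NULL || tok == NULL || len > dst_size)
        return -1;
    memcpy(dst, tok, len);
    return 0;
}

/* Constructed sample, not a real ticket: the first bytes of a Kerberos
 * GSS-API initial token (0x60 tag, mechanism OID, token ID 01 00). */
static const unsigned char sample_token[] = {
    0x60, 0x82, 0x02, 0xb4, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
    0x12, 0x01, 0x02, 0x02, 0x01, 0x00, 0x6e, 0x82, 0x02, 0xa3, 0x30
};

int main(void)
{
    unsigned char buf[TOKEN_BUF_SIZE];
    size_t len = sizeof sample_token;

    printf("token length reported: %zu\n", len);
    printf("bytes strcpy would copy: %zu\n",
           bytes_copied_by_strcpy(sample_token, len));
    if (copy_token(buf, sizeof buf, sample_token, len) == 0)
        printf("length-checked copy intact: %s\n",
               memcmp(buf, sample_token, len) == 0 ? "yes" : "no");
    return 0;
}
```
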