saslauthd GSSAPI not working
2005-09-12 - By Matthew B. Brookover

I have Red Hat Enterprise 3, release 5. I have Kerberos running and I can log in. The LDAP servers use SASL/GSSAPI and also work fine.
These sasl and kerberos RPMs are installed:
cyrus-sasl-2.1.15-10
cyrus-sasl-devel-2.1.15-10
cyrus-sasl-plain-2.1.15-10
cyrus-sasl-md5-2.1.15-10
cyrus-sasl-gssapi-2.1.15-10
pam_krb5-1.75-1
krb5-devel-1.2.7-47
krb5-server-1.2.7-47
krb5-workstation-1.2.7-47
krb5-libs-1.2.7-47
I tried to install uw-imap with Kerberos support and could not authenticate. After some digging I tried to run the test tools that are part of the development package.
Step 1, start up saslauthd:
[root@(protected) mbrookov]# saslauthd -a kerberos5
[root@(protected) mbrookov]# ps auxww | grep saslauthd
root 20542 0.0 0.0 2380 708 ? S 10:47 0:00 saslauthd -a kerberos5
root 20543 0.0 0.0 2380 708 ? S 10:47 0:00 saslauthd -a kerberos5
root 20544 0.0 0.0 2380 708 ? S 10:47 0:00 saslauthd -a kerberos5
root 20545 0.0 0.0 2380 708 ? S 10:47 0:00 saslauthd -a kerberos5
root 20546 0.0 0.0 2380 708 ? S 10:47 0:00 saslauthd -a kerberos5
root 20548 0.0 0.0 3684 664 pts/3 S 10:47 0:00 grep saslauthd
[root@(protected) mbrookov]#
By default, sasl2-sample-server uses a service principal named rcmd. So I created it and put it in a keytab and set $KRB5_KTNAME to point to it.
[mbrookov@(protected) mbrookov]$ klist -k $KRB5_KTNAME -e -t
Keytab name: FILE:/u/mx/ch/mbrookov/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@(protected) (ArcFour with HMAC/md5)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@(protected) (DES cbc mode with RSA-MD5)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@(protected) (Triple DES cbc mode with HMAC/sha1)
   3 09/12/05 09:57:20 rcmd/imagine.mines.edu@(protected) (etype 18)
[mbrookov@(protected) mbrookov]$
I then ran kinit and started up sasl2-sample-server:
[mbrookov@(protected) mbrookov]$ sasl2-sample-server
trying 10, 1, 6
socket: Address family not supported by protocol
trying 2, 1, 6
accepted new connection
send: {48}
PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
recv: {6}
GSSAPI
recv: {1}
Y
recv: {562}
[562-byte binary GSSAPI token omitted; the readable strings in it are MINES.EDU, rcmd and imagine.mines.edu]
starting SASL negotiation: authentication failure
closing connection
The sasl2-sample-client output:
[mbrookov@(protected) mbrookov]$ sasl2-sample-client imagine.mines.edu
receiving capability list...
recv: {48}
PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
please enter an authorization id: mbrookov
send: {6}
GSSAPI
send: {1}
Y
send: {562}
[562-byte binary GSSAPI token omitted; the readable strings in it are MINES.EDU, rcmd and imagine.mines.edu]
authentication failed
closing connection

[mbrookov@(protected) mbrookov]$ klist
Ticket cache: FILE:/tmp/krb5cc_5467_PafttD
Default principal: mbrookov@(protected)

Valid starting     Expires            Service principal
09/12/05 10:52:18  09/12/05 20:52:33  krbtgt/MINES.EDU@(protected)
09/12/05 10:52:31  09/12/05 20:52:33  rcmd/imagine.mines.edu@(protected)

Kerberos 4 ticket cache: /tmp/tkt5467
klist: You have no tickets cached
[mbrookov@(protected) mbrookov]$
From the klist output, sasl is finding the rcmd service principal and loading it into the cache, then reporting the authentication failure.
Does anybody have any idea why?
Thank you for your assistance.
Matt Brookover
mbrookov@(protected)
303-273-3436

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list