RE: [opensuse] suse in a windows network (authentication)
I was wondering if I could somehow make my SUSE (10) authenticate against my Windows 2003 domain controller. I configured both the LDAP client and the Kerberos client in YaST2. Authentication works (the Kerberos part), but I still cannot log in because LDAP isn't able to fetch user account information from my Active Directory, which is because it's not using the Kerberos credentials to establish a GSSAPI connection.

So I set up shell/home information in /etc/passwd. No password. Passwords are still being retrieved from the domain controller via Kerberos. Big surprise -> login works. If I now issue an ldapsearch with the filter it already tried before (but with no valid bind), "(&(objectclass=User)(msSFU30Name=testuser))", it starts a SASL/GSSAPI authentication and successfully fetches the needed information. Why doesn't LDAP use GSSAPI on logins then, or where can I tell it to use it? I couldn't find any suitable option in YaST nor in the config files themselves.
2005/10/31, Daniel Hatfield:

I don't know about doing this with LDAP directly, but if you have Kerberos working and you've successfully joined your computer to the domain, you're really close. Let's test to make sure. Do the following as root from the command line:

To test Kerberos:

    kinit administrator

The above command will prompt for a password. Enter the password of your 2K3 domain administrator. If you have renamed your domain administrator account, use that name instead with the kinit command. If you receive no errors, Kerberos is working.

To test winbind:

    wbinfo -g

The above command should give you a list of groups in your Active Directory. Try it with the -u switch to see a list of users.

Let us know what your results are and we can help you further.

Cheers, Daniel
First of all, thank you for your replies, I really appreciate that. As I said before, the Kerberos part is pretty straightforward; I never encountered any serious problems on this side.

Packetyzer trace:

    Kerberos AS-REP
      Pvno: 5
      MSG Type: AS-REP (11)
      Client Realm: LINUX.LOCAL
      Client Name (Principal): Administrator
        Name-type: Principal (1)
        Name: Administrator
      Ticket
        Tkt-vno: 5
        Realm: LINUX.LOCAL
        Server Name (Unknown): krbtgt/LINUX.LOCAL
          Name-type: Unknown (0)
          Name: krbtgt
          Name: LINUX.LOCAL
        enc-part rc4-hmac
          Encryption type: rc4-hmac (23)
          Kvno: 2
          enc-part: 08561DE7EE73917EAB22B1B3E1DC1FE4E24F14BD18E39CF3...
      enc-part rc4-hmac
        Encryption type: rc4-hmac (23)
        Kvno: 1
        enc-part: 2E1EDFF75F9DB3CA00736E7B3A4DE074E6A398E0810B415E...

    playground:~ # klist -e -5
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@LINUX.LOCAL

    Valid starting     Expires            Service principal
    11/02/05 07:22:07  11/02/05 17:22:15  krbtgt/LINUX.LOCAL@LINUX.LOCAL
            renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

A packet sniffer proved to be quite helpful here. If I try to log in as a domain user, it first does the Kerberos authentication (PAM: auth) and then tries to get account information via LDAP (PAM: account). The problem is, ldapsearch tries to bind using the "simple" method (-x parameter). Some Windows registry hacking would allow Active Directory to permit anonymous searches, but that's not in my interest. Neither is a dedicated user with a locally stored plaintext password in ldap.secret.
If I issue an ldapsearch with a TGT (ticket) present, I get quite reasonable results:

    playground:/etc # ldapsearch "(&(objectclass=User)(msSFU30Name=testuser))" | head -20
    SASL/GSSAPI authentication started
    SASL username: Administrator@LINUX.LOCAL
    SASL SSF: 56
    SASL installing layers
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope sub
    # filter: (&(objectclass=User)(msSFU30Name=testuser))
    # requesting: ALL
    #

    # testuser, Users, linux.local
    dn: CN=testuser,CN=Users,DC=linux,DC=local
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: testuser
    givenName: testuser
    distinguishedName: CN=testuser,CN=Users,DC=linux,DC=local
    instanceType: 4
    whenCreated: 20051020072831.0Z
    whenChanged: 20051031100055.0Z
    ...

and once again:

    playground:/etc # klist -e -5
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@LINUX.LOCAL

    Valid starting     Expires            Service principal
    11/02/05 07:22:07  11/02/05 17:22:15  krbtgt/LINUX.LOCAL@LINUX.LOCAL
            renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
    11/02/05 07:44:54  11/02/05 17:22:15  ldap/linuxdc.linux.local@LINUX.LOCAL
            renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Now I do have a service ticket for the LDAP service as well (good!). I didn't test the winbind stuff as I do not want to use Samba but LDAP (natively supported by Active Directory).

Does anyone know how I can tell LDAP to use GSSAPI instead of simple auth while logging in? "use_sasl on" and "sasl_mech gssapi" didn't really turn out to be helpful at all :-(

Thanks in advance,
Roman
Further investigation showed LDAP is not using GSSAPI on login because it doesn't see a credentials cache file.

/var/log/messages:

    Nov  2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
    Nov  2 08:56:27 playground login[7478]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
    Nov  2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
    Nov  2 08:56:27 playground login[7478]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
    Nov  2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
    Nov  2 08:56:27 playground login[7478]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
    Nov  2 08:56:27 playground login[7478]: pam_krb5[7478]: error resolving user name 'testuser' to uid/gid pair
    Nov  2 08:56:27 playground login[7478]: pam_krb5[7478]: error getting information about 'testuser'
    Nov  2 08:56:29 playground login[7478]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
    Nov  2 08:56:29 playground login[7478]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
    Nov  2 08:56:29 playground login[7478]: FAILED LOGIN 2 FROM /dev/tty2 FOR UNKNOWN, User not known to the underlying authentication module

The error can partially be avoided by specifying a Kerberos credentials file in /etc/ldap.conf (krb5_ccname FILE:/tmp/.ldapcc).

/var/log/messages:

    Nov  2 08:57:22 playground login[7529]: pam_krb5[7529]: authentication succeeds for 'testuser' (testuser@LINUX.LOCAL)   // **1
    Nov  2 08:57:22 playground login[7529]: pam_ldap: ldap_search_s Operations error                                       // **2
    Nov  2 08:57:22 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)                    // **3
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
    Nov  2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous failure (No credentials cache found)               // **4
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
    Nov  2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
    Nov  2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
    Nov  2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
    Nov  2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
    Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)

** 1: Kerberos authentication succeeded.
** 2: simple bind, the search of course fails.
** 3: actually the value returned is 0x0E (saslBindInProgress).
** 4: still, something can't find my credentials cache file although it's statically specified. Something is not playing by the rules.

And it is not doing _any_ ldapsearches at all, just a dozen bind requests :-/

Any hints? Thanks in advance,
Roman
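An added check for the situation Roman describes, written for this thread and not taken from either poster's mails or from nss_ldap/pam_krb5: before blaming nss_ldap, confirm that the credential cache it is pointed at (via krb5_ccname, or KRB5CCNAME for an interactive ldapsearch) really holds an unexpired TGT and an unexpired ldap/<dc> service ticket, which is exactly what the two `klist -e -5` listings above were read for by hand. The parser assumes the MIT klist layout shown above (two-digit-year dates, a "renew until ... Etype (skey, tkt): ..." continuation line); the embedded sample is a constructed copy of the thread's klist output. As an editor's caveat not raised in the thread, the script also flags RC4-HMAC ("ArcFour with HMAC/md5", etype 23, the only enctype these tickets use), which has since been deprecated (RFC 8429), along with single DES (RFC 6649).

```python
"""Check a Kerberos credential cache, as printed by `klist -e`, for what an
LDAP SASL/GSSAPI bind to a domain controller needs: an unexpired TGT and an
unexpired ldap/<dc> service ticket.  Added example for this thread; not code
from nss_ldap, pam_krb5 or either poster.  Parsing assumes the MIT klist
format shown in the thread."""
import re
import sys
from datetime import datetime

# Constructed sample: a copy of the `klist -e -5` output posted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LINUX.LOCAL

Valid starting     Expires            Service principal
11/02/05 07:22:07  11/02/05 17:22:15  krbtgt/LINUX.LOCAL@LINUX.LOCAL
\trenew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
11/02/05 07:44:54  11/02/05 17:22:15  ldap/linuxdc.linux.local@LINUX.LOCAL
\trenew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""

KLIST_TIME = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")
# "Etype (skey, tkt): <session key etype>, <ticket etype>" on the continuation line
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def parse_klist(text):
    """Return (cache, default_principal, tickets).  Each ticket is a dict with
    'start'/'expires' datetimes, the 'service' principal and the ticket
    enctype name ('tkt_etype', None if klist was run without -e)."""
    cache = principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            tickets.append({"start": datetime.strptime(m.group(1), KLIST_TIME),
                            "expires": datetime.strptime(m.group(2), KLIST_TIME),
                            "service": m.group(3), "tkt_etype": None})
        elif (m := ETYPE_RE.search(line)) and tickets:
            tickets[-1]["tkt_etype"] = m.group(2)   # continuation belongs to last ticket
    return cache, principal, tickets


def is_weak_etype(etype):
    """RC4-HMAC (RFC 8429) and single DES (RFC 6649) are deprecated enctypes.
    'DES cbc' deliberately does not match 'Triple DES cbc ...'."""
    if etype is None:
        return False
    return (etype.startswith("ArcFour") or etype.lower().startswith("rc4")
            or etype.startswith("DES cbc"))


def check_cache_for_ldap(text, now):
    """Summarise whether the cache in `text` can back a GSSAPI bind at time
    `now` (a datetime or a klist-formatted timestamp string)."""
    if isinstance(now, str):
        now = datetime.strptime(now, KLIST_TIME)
    cache, principal, tickets = parse_klist(text)

    def valid(t):
        return t["start"] <= now < t["expires"]

    return {
        "cache": cache,
        "principal": principal,
        "has_tgt": any(t["service"].startswith("krbtgt/") and valid(t) for t in tickets),
        "ldap_services": [t["service"] for t in tickets
                          if t["service"].startswith("ldap/") and valid(t)],
        "weak_etype_services": sorted({t["service"] for t in tickets
                                       if is_weak_etype(t["tkt_etype"])}),
    }


if __name__ == "__main__":
    # Usage: klist -e | python3 check_cc.py   (or run with no input for the sample)
    if sys.stdin.isatty():
        text, now = SAMPLE_KLIST, datetime(2005, 11, 2, 8, 0, 0)
    else:
        text, now = sys.stdin.read(), datetime.now()
    report = check_cache_for_ldap(text, now)
    print(f"cache {report['cache']} for {report['principal']}")
    print("TGT valid:", report["has_tgt"])
    print("usable ldap/ tickets:", report["ldap_services"] or "none (GSSAPI bind will fetch one if the TGT is valid)")
    if report["weak_etype_services"]:
        print("deprecated enctype (RC4/DES) on:", ", ".join(report["weak_etype_services"]))
```

Run it as the user whose cache nss_ldap is supposed to use, with KRB5CCNAME set to the same path as krb5_ccname in /etc/ldap.conf; if the report shows no TGT for that cache, the "No credentials cache found" lines above are explained before any LDAP configuration is touched.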