Kurt D. Zeilenga | 1 Jun 03:37 2004

RE: Heimdal/OpenLDAP/Samba howto and bugreport

At 12:22 PM 5/31/2004, Howard Chu wrote:
>> -----Original Message-----
>> From: owner-heimdal-discuss <at> sics.se
>> [mailto:owner-heimdal-discuss <at> sics.se]On Behalf Of Kurt D. Zeilenga
>
>> Regarding commenting out sasl-secprops minssf=128, it might
>> be better to instead lower the minssf to 70.  The base SSF of
>> ldapi:// is currently 71.  We figured that use of ldapi:// was better
>> than weak encryption (<65) but not as good as stronger
>> encryption (>95), hence the 71.  The ldapi:// SSF should really
>> be a configurable option.  I'll add that to our TODO list.
>
>No, that won't work. The minssf here is used to select eligible SASL
>mechanisms to offer to the client,

Right.  When ldapi:// is used, slapd(8) sets the transport
SSF to 71 so that mechanisms which can meet the minssf
are available.

>and SASL/EXTERNAL always has an SSF of
>zero as far as the SASL library is concerned.

I was under the impression it was only offered when
the minssf was satisfied by the transport as SASL/EXTERNAL
doesn't itself improve the ssf.  Will have to read through
Cyrus SASL server.c again to figure out exactly...
I just saw this comment:
 * IF mech strength + external strength < min ssf THEN FAIL
I thought it was (and, IMO, should be):
 * If max(mech strength, external strength) < min ssf THEN FAIL.

Andrew Bartlett | 1 Jun 05:14 2004

Missing MS krb5 draft

This first draft of the Microsoft type 23 crypto stuff is missing from
Heimdal's documentation tree:

http://www.watersprings.org/pub/id/draft-brezak-win2k-krb-rc4-hmac-00.txt

Given how these tend to disappear from the web, can it be added to the
doco?  (That collection is also very useful, when looking at schannel -
an otherwise unrelated crypto system - which it appears is where the
type 23 stuff was copied from, inside MS).

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet <at> pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet <at> samba.org
Student Network Administrator, Hawker College   abartlet <at> hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Love | 1 Jun 09:19 2004

Re: Missing MS krb5 draft


Andrew Bartlett <abartlet <at> samba.org> writes:

> This first draft of the Microsoft type 23 crypto stuff is missing from
> Heimdal's documentation tree:
>
> http://www.watersprings.org/pub/id/draft-brezak-win2k-krb-rc4-hmac-00.txt
>
> Given how these tend to disappear from the web, can it be added to the
> doco?  (That collection is also very useful, when looking at schannel -
> an otherwise unrelated crypto system - which it appears is where the
> type 23 stuff was copied from, inside MS).

Sure, btw, in what document is schannel documented?

Love

Andrew Bartlett | 1 Jun 09:47 2004

Re: Missing MS krb5 draft

On Tue, 2004-06-01 at 17:19, Love wrote:
> Andrew Bartlett <abartlet <at> samba.org> writes:
> 
> > This first draft of the Microsoft type 23 crypto stuff is missing from
> > Heimdal's documentation tree:
> >
> > http://www.watersprings.org/pub/id/draft-brezak-win2k-krb-rc4-hmac-00.txt
> >
> > Given how these tend to disappear from the web, can it be added to the
> > doco?  (That collection is also very useful, when looking at schannel -
> > an otherwise unrelated crypto system - which it appears is where the
> > type 23 stuff was copied from, inside MS).
> 
> Sure, btw, in what document is schannel documented?

Officially, none.  But those wise at this trade advise (correctly) that
if you squint in the right direction and look at what data you have, and
these specs, that the dots line up very nicely.   

Even the mutual agreement on a session key (not something that krb5
does) is 'documented' - they use the signature routines, just in a
slightly different way.

(for those not spending their entire days crawling up MS's network
protocols, schannel is a 'secure' communication system between domain
controllers and domain members, based on a shared secret, not entirely
unlike kerberos...)

Andrew Bartlett


Love | 2 Jun 16:28 2004

Re: Heimdal/OpenLDAP/Samba howto and bugreport


Tarjei Huse <tarjei <at> nu.no> writes:

> But for me one ldap-search-filter option is just as good if the
> suggested filter is the one suggested above.
>
> What about a default base for adding heimdal entries that is != the
> searchbase?

So I added code to do this. The option is [kdc]hdb-ldap-create-base. I've
not added a filter hdb-ldap-search-filter option, but modified the search
rule for samba entries to be searching for sambaSamAccount too.

I should document the search and creation rules that the hdb-ldap backend
is using.

Can you test the snapshot that will be generated tonight?

Love

Henry B. Hotz | 2 Jun 23:34 2004

Fwd: kadmin commands, was: kas commands

Don't shoot the messenger.  I figure if I delay to check all my facts  
I'll never get to forwarding comments at all.

Love, did I misunderstand the significance of sl_command() vice  
sl_loop()?  I assumed from the name that sl_command() was used if the  
command was on the unix command line while sl_loop() had something to  
do with looping at a prompt.

Begin forwarded message:

> From: Peter Scott <Peter.J.Scott <at> jpl.nasa.gov>
> Date: June 2, 2004 2:03:47 PM PDT
> To: "Henry B. Hotz" <hotz <at> jpl.nasa.gov>
> Subject: Re: kadmin commands, was: kas commands
>
> At 12:20 PM 6/2/2004, you wrote:
>> I think what he's saying is that if you put the command on the kadmin
>> Unix command line instead of entering it at a prompt then you should
>> get the status back.  Is that consistent with what you are seeing?
>
> No, I am doing all my kadmin commands on the Unix command line.  The  
> status I am talking about is the exit status of kadmin ($?, $status).
>
>> I had assumed that you were doing things like "kadmin -p <> get <>".
>> If you are doing things like
>> kadmin -p <>
>> > get <>
>> > exit
>> then not getting a valid status back would make sense to me.
>>

Johan Danielsson | 3 Jun 08:20 2004

Re: Fwd: kadmin commands, was: kas commands


If you run a command directly from the command prompt you do indeed
get the return value from that function, it's just that it's always
zero (except for "quit"). This requires changes to how SL works, but I
think the current design is a bit useless, it's not unlikely that this
will happen. :-) I have more changes for kadmin/sl that I should take
time to commit, so I can have a look at this too.

/Johan

The Shell | 3 Jun 17:54 2004

SASL with Kerberos

Hi,

I just tested SASL 2.1.18, changed the host and service name to be the 
same name during the testing of the sample client and server, and it 
actually added the new principals to the Kerberos cache (running Heimdal 
Kerberos 5, the latest version as I downloaded today).
klist showed that the following new principals had been added to the 
Kerberos cache:

root <at> fbsd [7:26pm] [...cyrus-sasl-2.1.18/sample]# klist
Credentials cache: FILE:/tmp/krb5cc_0
      Principal: sam <at> ROCK.COM

Issued           Expires          Principal
Jun  3 17:17:53  Jun  3 23:57:53  krbtgt/ROCK.COM <at> ROCK.COM
Jun  3 17:18:53  Jun  3 23:57:53  host/fbsd.rock.com <at> ROCK.COM
Jun  3 18:46:25  Jun  3 23:57:53  root/fbsd.rock.com <at> ROCK.COM
Jun  3 19:15:24  Jun  3 23:57:53  sam/fbsd.rock.com <at> ROCK.COM

The last three principals were added during the test of the sample client 
and server in Cyrus-SASL 2.1.18.
But the test still returned errors such as:
lt-sample-client: SASL Other: GSSAPI Error:  A token was invalid 
(Unknown error: 0)
lt-sample-client: Performing SASL negotiation: generic failure

What should I do to fix this problem? I'm afraid this will bring in 
other problems when I further configure OpenLDAP.

Thanks

Michael Ströder | 4 Jun 17:33 2004

heimdal compatible with W2K3?

HI!

Is heimdal compatible with W2K3 Kerberos?

I have some problems with accessing Active Directory with GSSAPI SASL bind 
with the OpenLDAP tools (see my message to openldap-software <at> OpenLDAP.org 
below).

I've tested with heimdal-0.6-159 shipped with SuSE Linux 9.0 and 
self-compiled cyrus-sasl-2.1.18.

Should I try a newer heimdal release for W2K3 compatibility?

Any help is appreciated.

Ciao, Michael.

-------- Original Message --------
Subject: GSSAPI Error: Miscellaneous failure (see text) (Message stream 
modified)
Date: Tue, 20 Apr 2004 14:03:13 +0200
From: Michael Ströder <michael <at> stroeder.com>
To: openldap-software <at> OpenLDAP.org

HI!

I'd like to access a W2K3 Active Directory with OpenLDAP tools.

I obtained a ticket from that server:


Tarjei Huse | 4 Jun 17:41 2004

Re: Heimdal/OpenLDAP/Samba howto and bugreport

On Wed, 2004-06-02 at 16:28, Love wrote:
> Tarjei Huse <tarjei <at> nu.no> writes:
> 
> > But for me one ldap-search-filter option is just as good if the
> > suggested filter is the one suggested above.
> >
> > What about a default base for adding heimdal entries that is != the
> > searchbase?
> 
> So I added code to do this. The option is [kdc]hdb-ldap-create-base. I've
> not added a filter hdb-ldap-search-filter option, but modified the search
> rule for samba entries to be searching for sambaSamAccount too.
> 
> I should document the search and creation rules that the hdb-ldap backend
> is using.
> 
> Can you test the snapshot that will be generated tonight?
Ok, I've tested the snapshot, and it doesn't work. I tried to debug
things, but I think that maybe Howard Chu is a better one on this
problem. Here's what I get in the ldaplog when I do kinit:

Jun  4 17:29:26 elprinsessekaja slapd[6730]: conn=2 fd=7 ACCEPT from PATH= (PATH=/var/run/slapd/ldapi)
Jun  4 17:29:26 elprinsessekaja slapd[6734]: conn=2 op=0 BIND dn="" method=163
Jun  4 17:29:26 elprinsessekaja slapd[6734]: SASL [conn=2] Error: unable to open Berkeley db /etc/sasldb2: Permission denied
Jun  4 17:29:26 elprinsessekaja slapd[6734]: conn=2 op=0 BIND authcid="uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth <at> MAIL2.BERGFALD.NO"
Jun  4 17:29:26 elprinsessekaja slapd[6734]: conn=2 op=0 BIND
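A way to read the slapd(8) log excerpt above by connection rather than line by line, as an added example that is not part of the post or of OpenLDAP. It groups lines by conn=/op=, decodes the BIND method number that slapd logs (the LDAP BindRequest authentication choice tag: 128 is simple, 163 is SASL), picks up the ldapi socket path from the ACCEPT line, the peercred-derived authcid that SASL/EXTERNAL over ldapi produces, and the out-of-band "SASL [conn=N]" error so it can be attached to the connection it belongs to. The sample lines are copied from the report, with the archive's "<at>" masking left in place; the truncated final BIND line is omitted.

```python
"""Correlate slapd(8) log lines by connection and summarise the bind.

Added example, not code from OpenLDAP or from the post.  Sample lines are
copied from the report above; the truncated last line is left out.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun  4 17:29:26 elprinsessekaja slapd[6730]: conn=2 fd=7 ACCEPT from PATH= (PATH=/var/run/slapd/ldapi)
Jun  4 17:29:26 elprinsessekaja slapd[6734]: conn=2 op=0 BIND dn="" method=163
Jun  4 17:29:26 elprinsessekaja slapd[6734]: SASL [conn=2] Error: unable to open Berkeley db /etc/sasldb2: Permission denied
Jun  4 17:29:26 elprinsessekaja slapd[6734]: conn=2 op=0 BIND authcid="uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth <at> MAIL2.BERGFALD.NO"
"""

# BindRequest authentication choice tags as slapd logs them.
BIND_METHODS = {128: "simple", 163: "SASL"}

LINE_RE = re.compile(r"slapd\[\d+\]: (?P<body>.*)$")
CONN_RE = re.compile(r"^conn=(?P<conn>\d+) (?P<rest>.*)$")
SASL_ERR_RE = re.compile(r"^SASL \[conn=(?P<conn>\d+)\] (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from .*\((\w+)=([^)]*)\)")
BIND_RE = re.compile(r"^op=(\d+) BIND (.*)$")


def parse_slapd_log(text):
    """Return {conn: {"transport": (kind, addr), "binds": {op: {...}}, "sasl_errors": [...]}}."""
    conns = defaultdict(lambda: {"transport": None, "binds": {}, "sasl_errors": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        body = m.group("body")
        err = SASL_ERR_RE.match(body)
        if err:  # Cyrus SASL's own log line, keyed by conn but without op=
            conns[int(err.group("conn"))]["sasl_errors"].append(err.group("msg"))
            continue
        c = CONN_RE.match(body)
        if not c:
            continue
        conn = conns[int(c.group("conn"))]
        rest = c.group("rest")
        acc = ACCEPT_RE.search(rest)
        if acc:  # ("PATH", "/var/run/slapd/ldapi") for ldapi://, ("IP", ...) for TCP
            conn["transport"] = (acc.group(1), acc.group(2))
            continue
        b = BIND_RE.match(rest)
        if b:  # several BIND lines per op (method, then authcid/dn) merge into one record
            rec = conn["binds"].setdefault(int(b.group(1)), {})
            meth = re.search(r"method=(\d+)", b.group(2))
            if meth:
                rec["method"] = BIND_METHODS.get(int(meth.group(1)), meth.group(1))
            auth = re.search(r'authcid="([^"]*)"', b.group(2))
            if auth:
                rec["authcid"] = auth.group(1)
    return dict(conns)


def external_over_ldapi(conns):
    """(conn, op, authcid) for SASL binds over the ldapi socket whose identity
    came from the peer's Unix credentials (the cn=peercred,cn=external form)."""
    hits = []
    for cid, c in sorted(conns.items()):
        if not c["transport"] or c["transport"][0] != "PATH":
            continue
        for op, rec in sorted(c["binds"].items()):
            if rec.get("method") == "SASL" and "cn=peercred,cn=external" in rec.get("authcid", ""):
                hits.append((cid, op, rec["authcid"]))
    return hits


if __name__ == "__main__":
    parsed = parse_slapd_log(SAMPLE_LOG)
    for cid, c in parsed.items():
        print(cid, c["transport"], c["binds"], c["sasl_errors"])
    print(external_over_ldapi(parsed))
```

On the sample, conn=2 arrives over /var/run/slapd/ldapi, binds with method 163 (SASL), and the authcid slapd derives from the socket peer credentials is uidnumber=0+gidnumber=0, i.e. the root user running kinit; the sasldb2 permission error is recorded against the same connection so it can be judged alongside the bind that actually happened.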
