Pat Riehecky | 1 Mar 2007 19:00

Heimdal/OpenLDAP init realm issue

I am on an Ubuntu 6.10 server (32 bit x86). I just downloaded the current
source for OpenLDAP (2.3.33) and Heimdal (0.7.2) and compiled them both.
When I try to create my realm I get the following output:

kadmin> init IWU.EDU
kadmin: hdb_open: ldap_sasl_bind_s: Authentication method not supported
kadmin> list *
kadmin: opening database: ldap_sasl_bind_s: Authentication method not supported
kadmin: kadm5_get_principals: Wrong database version

My corresponding OpenLDAP logs say:

Mar  1 11:42:40 comet slapd[6192]: daemon: activity on 1 descriptor
Mar  1 11:42:40 comet slapd[6192]: daemon: activity on:
Mar  1 11:42:40 comet slapd[6192]:
Mar  1 11:42:40 comet slapd[6192]: >>> slap_listener(ldapi:///)
Mar  1 11:42:40 comet slapd[6192]: daemon: listen=9, new connection on 15
Mar  1 11:42:40 comet slapd[6192]: daemon: added 15r (active) listener=(nil)
Mar  1 11:42:40 comet slapd[6192]: conn=3 fd=15 ACCEPT from PATH=/usr/local/var/run/ldapi (PATH=/usr/local/var/run/ldapi)
Mar  1 11:42:40 comet slapd[6192]: daemon: epoll: listen=7 active_threads=1 tvp=zero
Mar  1 11:42:40 comet slapd[6192]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Mar  1 11:42:40 comet slapd[6192]: daemon: epoll: listen=9 active_threads=1 tvp=zero
Mar  1 11:42:40 comet slapd[6192]: daemon: activity on 1 descriptor
Mar  1 11:42:40 comet slapd[6192]: daemon: activity on:

Hai Zaar | 1 Mar 2007 19:42

Re: Heimdal/OpenLDAP init realm issue

Hi!

On 3/1/07, Pat Riehecky <prieheck <at> iwu.edu> wrote:
>
> sasl-secprops minssf=0,noactive
>
Remove 'noactive' from there (i.e. comment out the whole line). AFAIR,
EXTERNAL authentication is available when 'noactive' is set. What did
you need it for in the first place?

-- 
Zaar

Dr A V Le Blanc | 8 Mar 2007 16:20

A problem with authentication

We have a very old AFS cell, installed with kaserver back in 1991,
and we later migrated to use heimdal instead of kaserver.  This was
working well with Debian sarge installations, which were our standard
setup until recently.  When we started upgrading some of our clients
to Debian etch (libpam-heimdal moves from 1.0-17 to 2.5-1), we're
seeing problems with some people getting failed login problems
repeatedly (in /var/log/auth.log we see 'Failed password for xxx').
If we change the pam library from libpam-heimdal to the MIT-based
libpam-krb5 (version 2.6-1), there are still some failures, but
not as many.

It's very difficult for me to tell whether this is a Debian
problem or a Heimdal problem or something else.  The Kerberos V
database is a heimdal-kdc (version 0.7.2.dfsg.1-10) into which
we imported our old kaserver database some years ago when we
got rid of the kaserver.

My suspicion is that the problem may be related to the default-keys
definition; in kdc.conf under [kadmin] I have:

     default_keys = v5 des3:pw-salt des:afs3-salt:[cell name]

The problem is, users in the database have different salts depending
on when they were created or changed their passwords.  The oldest users
have:
     Keytypes: des-cbc-md5(afs3-salt([cell name])), des-cbc-md4(afs3-salt([cell name])), des-cbc-crc(afs3-salt([cell name]))

some users from the middle have:
     Keytypes: des3-cbc-sha1(pw-salt), des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)

Ken Hornstein | 8 Mar 2007 16:41

Re: A problem with authentication

>and I'm not sure why the difference exists, other than that the oldest
>haven't changed their passwords since before we moved to heimdal.

The short answer is that the plaintext password gets converted via a
one-way algorithm to the encryption key used by Kerberos.  So if you
have an afs3-salted key (one particular algorithm) there is no way to
convert that to a new key/salt type without knowing the original
password.

One thing that isn't clear to me: is the problem that various people
are having problems occasionally, or is it the _same_ people are having
the problem?  (In other words, does it fail for user X 100% of the time?)
The former doesn't sound like a keysalt problem, but the latter almost
certainly is.

It shouldn't be too bad to track down which sets of users are having
the problem.  Now, how to fix it?  Well, that depends if it's the oldest
or newest users that are having the problem.  In theory the newer Kerberos
code should work fine with the older enctypes, but it wouldn't surprise me
if you also went from using Kerberos 4 natively to Kerberos 5 (that's just
a guess).  One simple thing to do would be to start enforcing password
changes (which you know you should be doing anyway); that would ensure that
all users have the same set of enctypes.  If you didn't mind doing some
programming you could create a new libpam which took the user's plaintext
password and did a password change for the user.  This all supposes that
the problem is key/salt related.

--Ken
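
Ken suggests tracking down which set of users is affected. As an added example (not from the thread or from Heimdal), this script parses the "Keytypes:" lines that kadmin prints in the format quoted above and buckets principals by salt type, so the list can be matched against the 'Failed password' names in auth.log. The principal names, realm and cell name are constructed.

```python
"""Group Heimdal principals by the salt type of their stored keys.

Added example, not code from the thread or from Heimdal. It parses the
"Keytypes:" lines printed by kadmin (format as quoted in the thread) and
separates afs3-salt-only users from pw-salt users. Sample data is constructed.
"""
import re
from collections import defaultdict

# Constructed sample of kadmin "get" output in the thread's Keytypes format.
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Keytypes: des-cbc-md5(afs3-salt(example.org)), des-cbc-md4(afs3-salt(example.org)), des-cbc-crc(afs3-salt(example.org))
Principal: bob@EXAMPLE.ORG
Keytypes: des3-cbc-sha1(pw-salt), des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)
Principal: carol@EXAMPLE.ORG
Keytypes: des3-cbc-sha1(pw-salt), des-cbc-md5(afs3-salt(example.org))
"""

# enctype(salttype) or enctype(salttype(saltvalue)); the last group is optional
KEY_RE = re.compile(r"([\w-]+)\((\w+-salt)(?:\(([^)]*)\))?\)")

def parse_keytypes(text):
    """Return {principal: [(enctype, salttype, saltvalue), ...]}."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            result[current] = []
        elif line.strip().startswith("Keytypes:") and current:
            result[current].extend(KEY_RE.findall(line))
    return result

def classify(keys):
    """Bucket principals into 'afs3-only', 'pw-only' or 'mixed' by salt."""
    buckets = defaultdict(list)
    for princ, ks in keys.items():
        salts = {salt for _, salt, _ in ks}
        if salts == {"afs3-salt"}:
            buckets["afs3-only"].append(princ)
        elif salts == {"pw-salt"}:
            buckets["pw-only"].append(princ)
        else:
            buckets["mixed"].append(princ)
    return dict(buckets)

def missing_enctype(keys, enctype):
    """Principals that have no key of the given enctype (sorted)."""
    return sorted(p for p, ks in keys.items() if enctype not in {e for e, _, _ in ks})

if __name__ == "__main__":
    parsed = parse_keytypes(SAMPLE)
    print(classify(parsed))
    print("no des3 key:", missing_enctype(parsed, "des3-cbc-sha1"))
```

Feed it the concatenated output of "kadmin get" for every principal; the 'afs3-only' bucket is the set of users who have not changed their password since the move to Heimdal.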
Gustavo Rios | 12 Mar 2007 15:03

cannot change password

Dear gentleman,

I have just set up my kerberos server. It is working OK except that
I cannot change any password. I am trying to do it from a
local session (on the kerberos server machine itself).

Here is what I get from the shell prompt:

$ passwd -K
sioux <at> SSO.NET's Password:
New password:
Verifying password - New password:
Reply from server: Bad request

In the kpasswdd logs I see the following:

2007-03-12T14:01:10 krb5_rd_priv: Incorrect net address

Does anybody have any idea?

Thanks in advance.

Gustavo Rios | 12 Mar 2007 15:11

cannot log from windows XP

Dear gentlemen/madam,

after setting up my kerberos server I would like to log into Windows XP
using it. In order to achieve such a feat I performed the following
configuration on my Windows XP desktop:

ksetup /setdomain SSO.NET
ksetup /addkdc SSO.NET 10.0.0.1
ksetup /setmachpassword wxpA4esuopdV
ksetup /mapuser grios <at> SSO.NET grios

But when I try to log on I get the following Windows XP error message:

"The system could not log you on because the domain SSO.NET is not available."

I cannot understand that, because I am able to log in from any other
linux/openbsd/freebsd desktop.

Does anybody know why this is happening?

Thanks in advance.

Gustavo Rios | 12 Mar 2007 15:16

strange log event by kdc

Dear gentleman,

after setting up my kerberos server everything is working OK, but
there are some strange log events every time I try to get a ticket:

2007-03-12T14:14:58 AS-REQ sioux <at> SSO.NET from IPv4:10.0.0.1 for krbtgt/SSO.NET <at> SSO.NET
2007-03-12T14:14:58 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2007-03-12T14:14:58 Requested flags: renewable
2007-03-12T14:14:58 sending 722 bytes to IPv4:10.0.0.1
2007-03-12T14:14:59 TGS-REQ sioux <at> SSO.NET from IPv4:10.0.0.1 for afs/ualberta.ca <at> SSO.NET
2007-03-12T14:14:59 Server not found in database: afs/ualberta.ca <at> SSO.NET: No such entry in the database
2007-03-12T14:14:59 sending 118 bytes to IPv4:10.0.0.1
2007-03-12T14:14:59 TGS-REQ sioux <at> SSO.NET from IPv4:10.0.0.1 for krbtgt/UALBERTA.CA <at> SSO.NET
2007-03-12T14:14:59 Server not found in database: krbtgt/UALBERTA.CA <at> SSO.NET: No such entry in the database
2007-03-12T14:14:59 sending 121 bytes to IPv4:10.0.0.1
2007-03-12T14:14:59 TGS-REQ sioux <at> SSO.NET from IPv4:10.0.0.1 for krbtgt/UALBERTA.CA <at> SSO.NET
2007-03-12T14:14:59 Server not found in database: krbtgt/UALBERTA.CA <at> SSO.NET: No such entry in the database
2007-03-12T14:14:59 sending 121 bytes to IPv4:10.0.0.1
2007-03-12T14:14:59 TGS-REQ sioux <at> SSO.NET from IPv4:10.0.0.1 for krbtgt/UCS.UALBERTA.CA <at> SSO.NET
2007-03-12T14:14:59 Server not found in database: krbtgt/UCS.UALBERTA.CA <at> SSO.NET: No such entry in the database
2007-03-12T14:14:59 sending 125 bytes to IPv4:10.0.0.1

Dr A V Le Blanc | 12 Mar 2007 15:58

Re: A problem with authentication

I wrote:
> We have a very old AFS cell, installed with kaserver back in 1991,
> and we later migrated to use heimdal instead of kaserver.  This was
> working well with Debian sarge installations, which were our standard
> setup until recently.  When we started upgrading some of our clients
> to Debian etch (libpam-heimdal moves from 1.0-17 to 2.5-1), we're
> seeing problems with some people getting failed login problems
> repeatedly (in /var/log/auth.log we see 'Failed password for xxx').
> If we change the pam library from libpam-heimdal to the MIT-based
> libpam-krb5 (version 2.6-1), there are still some failures, but
> not as many.

Love Hörnquist Åstrand wrote:
> Is it any corresponding error in the KDC log ?

Interesting that you should ask this.  We are running Debian's
heimdal-kdc version 0.7.2.dfsg.1-10 on three servers, with the
slaves synchronised by iprop.  Recently we had a problem on the
slaves, in which the (binary) log file filled up /var, becoming
over 3gb in size.  The logs on the master server did not grow in
this way, but I do find a lot of errors there in the text log file.
First there are a _lot_ of errors of this type:

     Server not found in database: afs/cellname <at> REALMNAME: No such entry in the database

where I've replaced the real cell and realm names.  There are 1480
of these errors in the last 24 hours.  Then there are several hundred
thousand errors in this period of the form

     UNKNOWN -- user <at> REALMNAME: No such entry in the database

Donald Norwood | 12 Mar 2007 16:40

Re: cannot log from windows XP

Are you able to ping the domain/KDC from the XP machine?

Gustavo Rios wrote:
> Dear gentlemen/madam,
>
> after setting up my kerberos server I would like to log into Windows XP
> using it. In order to achieve such a feat I performed the following
> configuration on my Windows XP desktop:
>
> ksetup /setdomain SSO.NET
> ksetup /addkdc SSO.NET 10.0.0.1
> ksetup /setmachpassword wxpA4esuopdV
> ksetup /mapuser grios <at> SSO.NET grios
>
> But when I try to log on I get the following Windows XP error message:
>
> "The system could not log you on because the domain SSO.NET is not
> available."
>
> I cannot understand that, because I am able to log in from any other
> linux/openbsd/freebsd desktop.
>
> Does anybody know why this is happening?
>
> Thanks in advance.

Björn Sandell | 12 Mar 2007 16:49

Re: strange log event by kdc

On Mon, 12 Mar 2007 11:16:16 -0300
"Gustavo Rios" <rios.gustavo <at> gmail.com> wrote:

> Dear gentleman,
> 
> after setting up my kerberos server everything is working ok, but
> there are some strange log events everytime i try to get a ticket:

> 2007-03-12T14:14:59 TGS-REQ sioux <at> SSO.NET from IPv4:10.0.0.1 for krbtgt/UCS.UALBERTA.CA <at> SSO.NET
> 
> Why does heimdal kdc try to obtain a krbtgt for other kdc realms than
> SSO.NET?

Well, the KDC doesn't try to obtain those tickets, it just explains
that it can't provide them. Your client is trying to get the tickets as it
is configured as an AFS client in the cell ualberta.ca.

-- 
Björn Sandell               Chalmers University of Technology
IT Services       www.chalmers.se/its      +46 (0)31 772 1000
No one ever says, 'I can't read that ASCII E-mail you sent me.'
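
Björn's point, and Dr Le Blanc's count of 1480 "Server not found" entries, both come down to reading the KDC log and separating cross-realm requests from genuinely missing local principals. The triage script below is an added example (not from the thread or from Heimdal); it pairs each "Server not found in database" line with the preceding TGS-REQ so the requesting client and source address are kept. Log lines and the realm LOCAL.TEST are constructed.

```python
"""Triage "Server not found in database" entries in a Heimdal KDC log.

Added example, not code from the thread or from Heimdal. It reads lines in
the log format quoted above and separates requests for krbtgt/OTHER.REALM
(a client chasing a cross-realm ticket, e.g. an AFS client in a foreign
cell) from afs/<cell> and other missing local service principals.
"""
import re
from collections import Counter

# Constructed sample in the thread's KDC log format; realm LOCAL.TEST is assumed.
SAMPLE_LOG = """\
2007-03-12T14:14:59 TGS-REQ sioux@LOCAL.TEST from IPv4:10.0.0.1 for afs/other.example@LOCAL.TEST
2007-03-12T14:14:59 Server not found in database: afs/other.example@LOCAL.TEST: No such entry in the database
2007-03-12T14:14:59 sending 118 bytes to IPv4:10.0.0.1
2007-03-12T14:14:59 TGS-REQ sioux@LOCAL.TEST from IPv4:10.0.0.1 for krbtgt/OTHER.EXAMPLE@LOCAL.TEST
2007-03-12T14:14:59 Server not found in database: krbtgt/OTHER.EXAMPLE@LOCAL.TEST: No such entry in the database
2007-03-12T14:15:03 TGS-REQ alice@LOCAL.TEST from IPv4:10.0.0.7 for host/box.local.test@LOCAL.TEST
2007-03-12T14:15:03 Server not found in database: host/box.local.test@LOCAL.TEST: No such entry in the database
"""

REQ_RE = re.compile(r"TGS-REQ (\S+) from (\S+) for (\S+)")
NOT_FOUND_RE = re.compile(r"Server not found in database: (\S+?)@([\w.]+): No such entry")

def classify_missing(server, realm):
    """Name the category of a missing server principal (service/instance@realm)."""
    service, _, instance = server.partition("/")
    if service == "krbtgt" and instance != realm:
        return "cross-realm krbtgt"      # client wants a ticket for another realm
    if service == "afs":
        return "afs service principal"   # AFS cell key not in this realm's database
    return "other service principal"

def triage(log_text):
    """Return (Counter by category, [(client, source, server@realm, category)])."""
    counts, details, last_req = Counter(), [], None
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            last_req = m.groups()        # remember who asked, for the error that follows
            continue
        m = NOT_FOUND_RE.search(line)
        if m:
            server, realm = m.groups()
            cat = classify_missing(server, realm)
            counts[cat] += 1
            client, src = (last_req[0], last_req[1]) if last_req else ("?", "?")
            details.append((client, src, f"{server}@{realm}", cat))
    return counts, details

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG)[1]:
        print(*row)
```

A high count of "cross-realm krbtgt" from one source address is the AFS-client case Björn describes; repeated misses for afs/<your own cell> point at the realm's own database instead.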
