
Heimdal/OpenLDAP/Samba howto and bugreport



Hi, 
I tried setting up the latest heimdal snapshot today to test Bartlett's
patches.

These are my experiences / bugreports / suggestions. This document is
also attached, and I ask that you include it in the snapshots for now
as it might help others :-).

I hope to update it as things start to work.

PS: I also posted this via gnews, so you might get this post twice.

Cheers!
Tarjei


Basic procedure:

1. Compile the latest heimdal snapshot:
./configure --prefix=/usr/local/heimdal --with-openldap=/usr
make
make install

2. Edit /etc/openldap/slapd.conf
- add
include         /etc/openldap/schema/krb5-kdc.schema
- comment out minssf lines like this one:
sasl-secprops minssf=128

As the external method used by heimdal does not have an ssf>0 (if
someone comes up with a suggested solution to this, please give it to
me).

- modify the relevant acls by adding:
  by sockurl="^ldapi:///$" write

example (continuation lines in slapd.conf must start with whitespace):
access to dn="(.*,)?o=nu,c=no"
        attr="userPassword,sambaLMPassword,sambaNTPassword"
  by dn="uid=samba,ou=services,o=nu,c=no" write
  by sockurl="^ldapi:///$" write
  by * auth

- Consider adding some indexes as well (TODO).

3. Modify the OpenLDAP startupscript and add ldapi:/// to the -h part.
In SuSE I edited the line:
SLAPD_URLS="ldap:/// ldapi:///"
                     ^^^^^^^^^ added this
in /etc/init.d/ldap.
For other distros: this is the equivalent of:
slapd -h "ldap:/// ldapi:///" ..

Remember to restart openldap.

4. touch the mkey file. If you're using the supplied conf file:
# touch /var/heimdal/mkey

5. Start the kdc and check for errors.

6. Make sure the dn you're trying to authenticate as has the account
objectclass.  I had to turn schemachecking off in slapd.conf and add
this objectclass to my user to get Heimdal working :(

7. Do some tests, e.g. kinit, and see if you get in.

Pitfalls/Troubleshooting tips:
The LDAP code in Heimdal likes to output errors that might not be simple
for the user to understand. I'll try to document them here for further
reference:
1. invalid DN
You may get this when you run kadmin -l, init. In my case it meant that
the krb5-kdc.schema file was not set up in slapd.conf.

Suggested solution: Search the openldapserver for the schemaentry and
emit a warning if you cannot find it. This is a nicer way to handle this
error.

2. Write access to parent denied.
You may get this when you run kadmin -l, init. In my case (yes, I'm
cut-and-pasting now) this was because I was missing a / in the slapd
startup line, like this:
slapd -h ldap:/// ldapi:/// ldaps:///
                          ^ this was missing.

3. class 'krb5KDCEntry' requires attribute 'krb5KeyVersionNumber'
You may get this when you run kadmin -l, init. I'm not sure if this is
related to (2) or if it is a separate error. If it is a separate error,
you may get around it by setting
schemacheck off
in slapd.conf, but this is not the way to do it.

Bugs:
- The code that searches for an account searches for
(&(objectclass=account)(uid=<username>)). This defeats some of the
purpose of using ldap, namely the option to be able to define and
structure your information in a quite arbitrary way. In this case, a lot
of people (me included) use inetOrgPerson as the base objectclass
instead of account. Samba as such does not have any problems with this,
and neither should Heimdal. I therefore suggest that the user should be
able to set this in kdc.conf.

- kpasswdd segfaults when I try to change a password. An strace can be
supplied to the developers if you want it. Changing the password by just
modifying the sambaNTPassword works.

- The manpage krb5.conf does not tell the user what possible values the
DATABASE directive may take. AFAIK this would help the reader:
DATABASE may take the following values:
 file:/path/to/datafile
 ldap:<basedn>
It should also be noted that you should set the value
hdb-ldap-structural-object when using ldap as the KDC database.

(formatted for inclusion in the manfile)


Connecting to OpenLDAP via krb [MOSTLY A BUGREPORT]
This document describes the procedure:
http://www.arslinux.com/viewcvs.cgi/*checkout*/ldap.ars/kerberos-notes.txt?rev=1.7

However, I got a segfault instead when the server didn't find an entry
in the LDAP database.
add --random-key host/elprinsessekaja.mail2.bergfald.no
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin: kadm5_create_principal: Unknown error 36150281
kadmin: kadm5_randkey_principal: Principal does not exist
kadmin: adding host/elprinsessekaja.mail2.bergfald.no: Principal does
not exist
kadmin> add --random-Segmentation faultja.mail2.bergfald.no

A bit of searching in the LDAP logs gave me the answer:
May 25 18:31:21 elprinsessekaja slapd[31106]: conn=16 op=3 ADD dn="krb5PrincipalName=host/elprinsessekaja.mail2.bergfald.no@NU.NO,o=nu,c=no"
May 25 18:31:21 elprinsessekaja slapd[31106]: conn=16 op=3 RESULT tag=105 err=65 text=no structural object class provided

Again, bitten by the schema bug :-/. I modify my slapd.conf file to get
the show on the road again.

Then, when I try
kadmin> ext host/elprinsessekaja.mail2.bergfald.no I get:
kadmin: krb5_kt_add_entry: End of credential cache reached

it seems that the kdc tries to search the LDAP database with the
following as base:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
From the log:
May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 SRCH base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" scope=2 filter="(objectClass=krb5Principal)"
May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 SRCH attr=cn createTimestamp creatorsName krb5PrincipalName krb5PrincipalRealm modifiersName modifyTimestamp objectClass uid
May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 RESULT tag=101 err=32 text=

OpenLDAP gives the error code 32, i.e. no such object.



You also need to add the following to your slapd.conf's sasl section:
sasl-realm              NU.NO
sasl-host               elprinsessekaja.mail2.bergfald.no
sasl-authz-policy both
sasl-regexp
     uid=(.+),cn=NU.NO,cn=gssapi,cn=auth
     uid=$1,ou=People,o=nu,c=no
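As an added example (not from the post, nor Heimdal's or OpenLDAP's own code), this Python emulates the sasl-regexp mapping shown above and scans slapd log lines for the symptom quoted earlier: a search based at an unmapped ...,cn=auth identity that slapd answers with err=32. The second rule, mapping the root peercred identity to cn=heimdal,ou=services,o=nu,c=no, is a hypothetical addition and not something the post configures.

```python
import re

# Rule 1 is the sasl-regexp from the post's slapd.conf sasl section.
# Rule 2 is an assumption (not in the post): map the peercred identity slapd
# derives for uid 0 on an ldapi:/// connection to a service DN of our choosing.
SASL_REGEXP_RULES = [
    (r"uid=(.+),cn=NU.NO,cn=gssapi,cn=auth", r"uid=$1,ou=People,o=nu,c=no"),
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     r"cn=heimdal,ou=services,o=nu,c=no"),
]


def map_sasl_identity(authz_dn, rules=SASL_REGEXP_RULES):
    """Emulate slapd's sasl-regexp: the first rule whose pattern matches the
    SASL authorization DN wins; $N in the replacement is capture group N.
    An identity no rule matches is returned unchanged, which is how a raw
    ...,cn=auth DN can end up as the base of a search like the one logged
    in the post.  Assumption: patterns are anchored to the whole identity."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authz_dn, flags=re.IGNORECASE)
        if m is not None:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return authz_dn


# Constructed sample: the SRCH and RESULT lines quoted in the post, one per entry.
SLAPD_LOG = (
    'May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 SRCH '
    'base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" scope=2 '
    'filter="(objectClass=krb5Principal)"\n'
    'May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 RESULT '
    'tag=101 err=32 text=\n'
)
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')


def unmapped_sasl_searches(log_text):
    """Pair each SRCH with its RESULT by (conn, op) and return (conn, op, base)
    for searches whose base is still an unmapped SASL identity (ends in
    cn=auth) and which slapd answered with err=32, noSuchObject."""
    bases, findings = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            bases[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) == "32":
            base = bases.get((m.group(1), m.group(2)), "")
            if base.lower().endswith(",cn=auth"):
                findings.append((m.group(1), m.group(2), base))
    return findings
```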



Links:
http://www.padl.com/Research/Heimdal.html
http://marc.theaimsgroup.com/?l=samba-technical&m=107748396331431&w=2
http://www.bayour.com/
http://www.openldap.org/doc/admin21/
http://www.arslinux.com/viewcvs.cgi/*checkout*/ldap.ars/kerberos-notes.txt?rev=1.7


/var/heimdal/kdc.conf:

[libdefaults]
  default_realm = NU.NO
  clockskew = 300
  # Set this to false to disable MIT krb5 compatibility
  # in GSSAPI get_mic/verify_mic, and become compatible
  # with older Heimdal releases instead.
  gss_mit_compat = true

[realms]
  NU.NO = {
    kdc = 127.0.0.1
    default_domain = nu.no
    admin_server = 127.0.0.1
  }

[domain_realm]
  .nu.no = NU.NO

[logging]
  default = SYSLOG:NOTICE:DAEMON

[kdc]
  database = {
    dbname = ldap:o=nu,c=no
    hdb-ldap-structural-object = sambaDomainName=NU-TEST,o=nu,c=no
    mkey_file = /var/heimdal/mkey
  }




Note: This is a document written in anger (not over Heimdal or Samba) after knode crashed and deleted some 2 - 3 pages of howto on this subject.

However, I think the end result is good enough anyway.
