[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heimdal/OpenLDAP/Samba howto and bugreport
On Thu, 2004-05-27 at 13:20, Love wrote:
> Tarjei Huse <tarjei@nu.no> writes:
>
> > Hi,
> > I tried setting up the latest heimdal snapshot today to test Bartlets
> > patches.
I'm replying here to keep things in the thread.
I have now managed to actually bind to my kDC and search my ldapserver
using a gssapi sasl bind.
Lots of thanks to Howard, Andrew and Love for helping me.
I've documented everything here:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
I'll be moving this somewhere else (Love would you like to host this on
the heimdal site?) later, but for now you'll find it here.
If any of you can offer hosting for a few flat htmlfiles I would be very
happy.
Tarjei
> >
> > These are my experiences / bugreports / suggestions. This document is
> > also attached, and I ask that you include it in the snappshoits for now
> > as it might help others :-).
>
> I tried to made some minor changes to the "Using LDAP to store the
> database" node in the info tree from your "Basic procedure" part.
>
> > 4. touch the mkey file. If you're using the supplied conf file:
> > # touch /var/heimdal/mkey
>
> Is there a need for the mkey file ? It should be possible to run w/o it. If
> you get a failure, where do you get it ?
>
> > 6. Make sure the dn you're trying to authenticate as has the account
> > objectclass. I had to turn schemachecking off in slapd.conf and add
> > this objectclass to my user to get Heimdal working :(
>
> By setting the [kdc]hdb-ldap-structural-object it should be possible to use
> a diffrent structural object then account.
>
> Example: [kdc]hdb-ldap-structural-object=inetOrgPerson
>
> But it might be so that the place we check for (objectclass=account) today
> really should use hdb-ldap-structural-object.
>
> --- hdb-ldap.c 23 May 2004 21:34:46 -0000 1.27
> +++ hdb-ldap.c 27 May 2004 10:58:18 -0000
> @@ -806,8 +806,8 @@
> *msg = NULL;
>
> rc = asprintf(&filter,
> - "(&(objectclass=account)(uid=%s))",
> - userid);
> + "(&(objectclass=%s)(uid=%s))",
> + structural_object, userid);
> if (rc < 0) {
> krb5_set_error_string(context, "asprintf: out of memory");
> ret = ENOMEM;
>
>
> > 7. Do some tests, fx. kinit and se if you get in.
> >
> > Pitfalls/Troubleshootingtips:
> > The ldapcode in Heimdal likes to output errors that might not be simple
> > for the user to understand. I'll try to document them here for further
> > reference:
> > 1. invalid DN
> > You may get this when you run kadmin -l, init. In my case it meant that
> > the kdc-krb5.schema file was not set up in slapd.conf.
> >
> > Suggested solution: Search the openldapserver for the schemaentry and
> > emit a warning if you cannot find it. This is a nicer way to handle this
> > error.
>
> Is there a portable way to check what schemas are loaded (assuming ldap v3)
>
> "Invalid DN" you probably got from openldap somewhere, can you get the
> whole error message again ?
>
> > 2. Write access to parent denied.
> > You may get this when you run kadmin -l, init. In my case (yes, I'm
> > cut-and patsing now) this was because I was missing a / in the slapd
> > startupline, like this:
> > slapd -h ldap:/// ldapi:/// ldaps:///
> > ^ this was missing.
> >
> > 3.class 'krb5KDCEntry' requires attribute 'krb5KeyVersionNumber'
> > You may get this when you run kadmin -l, init. I'm not sure if this is
> > related to (2) or if it is a separate error. If it is a separate error,
> > you may get around it by setting
> > schemacheck off
> > in slapd.conf, but this is not the way to do it.
>
> I would guess that this fixes the problem.
>
> --- hdb-ldap.c 27 May 2004 10:58:54 -0000 1.28
> +++ hdb-ldap.c 27 May 2004 11:04:56 -0000
> @@ -469,7 +469,7 @@
> }
> }
>
> - if (is_heimdal_entry && ent->kvno != orig.kvno) {
> + if (is_heimdal_entry && (ent->kvno != orig.kvno || is_new_entry)) {
> rc = asprintf(&tmp, "%d", ent->kvno);
> if (rc < 0) {
> krb5_set_error_string(context, "asprintf: out of memory");
>
>
> >
> > Bugs:
> > - The code that searches for an account searches for
> > (&(objectclass=account)(uid=<username>)). This defeats some of the
> > purpose of using ldap, namely the option to be able to define and
> > structure your information in an quite arbitary way. In this case, a lot
> > of people (me included) use inetOrgPerson as the base objectclass
> > instead of account. Samba as such does not have any problems with this,
> > and neither should Heimdal. I therefore suggest that the user should be
> > able to set this in kdc.conf.
>
> See the patch above.
>
> > - kpasswdd segfaults when I try to change a password. I strace can be
> > supplied to the developers if you want it. Changing the password by just
> > modifying the sambaNTPassword works.
>
> A backtrace would be nice, make sure you don't have keydata or password in
> the backtrace.
>
> > - The manpage krb5.conf does not tell the user what possible values the
> > DATABASE directive may take. AFAIK this would help the reader:
> > DATABASE may take the following values:
> > file:/path/to/datafile
> > ldap:<basedn>
> > It should also be noted that you should set the value
> > hdb-ldap-structural-object when using ldap as the kdcdatabase.
> >
> > (formatted for inclusion in the manfile)
>
> I'm not sure I want to put that in krb5.conf, it should really be in the
> info-documentation instead.
>
> BTW, now its possible to list what hdb backends are buildin, and the ldap
> backend should be possible to build as a dynamic plugin.
>
> $ /obj/head-ldap/kdc/kdc --builtin-hdb
> builtin hdb backends: db:, ndbm:, ldap:
>
> > Connecting to OpenLDAP via krb [MOSTLY A BUGREPORT]
> > This document describes the procedure:
> > http://www.arslinux.com/viewcvs.cgi/*checkout*/ldap.ars/kerberos-notes.txt?rev=1.7
> >
> > However; I got a segfault instead when the server didn't find an entry
> > in the ldapdb.
> > add --random-key host/elprinsessekaja.mail2.bergfald.no
> > Max ticket life [1 day]:
> > Max renewable life [1 week]:
> > Principal expiration time [never]:
> > Password expiration time [never]:
> > Attributes []:
> > kadmin: kadm5_create_principal: Unknown error 36150281
> > kadmin: kadm5_randkey_principal: Principal does not exist
> > kadmin: adding host/elprinsessekaja.mail2.bergfald.no: Principal does
> > not exist
> > kadmin> add --random-Segmentation faultja.mail2.bergfald.no
>
> It shouldn't fail with Segmentation fault, whats the backtrace ?
>
> > A bit of searching in the ldaplogs gave me the answer:
> > ay 25 18:31:21 elprinsessekaja slapd[31106]: conn=16 op=3 ADD
> > dn="krb5PrincipalName=host/elprinsessekaja.mail2.bergfald.no@NU.NO,o=nu,c=no"
> > May 25 18:31:21 elprinsessekaja slapd[31106]: conn=16 op=3 RESULT
> > tag=105 err=65 text=no structural object class provided
> >
> > Again, bit by the schemabug :-/. I modify my slapd.conf file to get the
> > show on the road again.
> >
> > Then , when I try
> > kadmin> ext host/elprinsessekaja.mail2.bergfald.no I get:
> > kadmin: krb5_kt_add_entry: End of credential cache reached
> >
> > it seems that the kdc tries to search the ldapdatabase with the
> > following as base:
> > gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> >>From the log:
> > May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 SRCH
> > base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" scope=2
> > filter="(objectClass=krb5Principal)"
> > May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 SRCH attr=cn
> > createTimestamp creatorsName krb5PrincipalName krb5PrincipalRealm
> > modifiersName modifyTimestamp objectClass uid
> > May 25 18:52:37 elprinsessekaja slapd[31188]: conn=55 op=3 RESULT
> > tag=101 err=32 text=
> >
> > OpenLDAP gives the errorcode 32, i.e. no such object.
>
> But this shouldn't be the error that. Its when the code tries to fill in
> the creator principal. The error is caused by something later.
>
> > [kdc]
> > database = {
> > dbname = ldap:o=nu,c=no
> > hdb-ldap-structural-object = sambaDomainName=NU-TEST,o=nu,c=no
>
> This is probably wrong, for you it should be.
>
> [kdc]hdb-ldap-structural-object=inetOrgPerson
>
> Love