Problems with Heimdal, OpenLDAP, Cyrus SASL, GSSAPI, and Active Directory

Post by Mike Hil » Thu, 04 Mar 2004 21:15:09

Hello,
     I'm not sure if this is the correct newsgroup for this question,
but I would appreciate any help in getting it where it needs to be.

     I'm running into an issue with binding to an Active Directory
server using SASL and GSSAPI.  I have followed the instructions on The
Hut on how to set up a Linux workstation to authenticate to an AD
server, but I keep getting the same error message:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Message stream modified)

I followed the instructions on
http://www.hut.fi/cc/docs/kerberos/nss_ldap.html, but they cover using
MIT Kerberos instead of using Heimdal Kerberos.

I am running SuSE 9.0 on the workstation, and using all of the
packages included with SuSE (which, other than Heimdal, exceeded the
minimum version number required).

The version numbers for the packages I'm using are:

Heimdal:                0.6-75    i586
OpenLDAP:               2.1.22-73 i586
cyrus-sasl:             2.1.15-65 i586
cyrus-sasl-gssapi:      2.1.15-65 i586
OpenSSL:                0.9.7b-74 i586
nss_ldap:               207-88    i586

Here is my /etc/ldap.conf
----------------------------------------------------------------

# Configuration for pam_ldap
#
# Modified for MS Active Directory

# Active directory servers
host    192.168.0.1

# Search base
base    DC=mydomain,DC=com

# LDAP version 3
ldap_version    3

# Configure the CA Certificate file
tls_cacert      /etc/ssl/certs/ca-bundle.crt

# Configure the CA Certificate directory
tls_cacertdir   /etc/ssl/certs

# Use SASL for all authentications
use_sasl        on

# SASL authorization ID

# Bind DN (this might not be needed at all?).
# This should be the DN of the account you made
# for your workstation.
binddn  CN=ldap,CN=Users,DC=mydomain,DC=com
bindpw  <secret>
# Search scope
scope   sub

# Break off the connection after one hour of idle time
idle_timelimit  3600

pam_filter      objectclass=user
pam_login_attribute     sAMAccountName
pam_password    ad

# Bases for the searches.  These should be the OU's
# you create the user accounts in.
nss_base_passwd cn=Users,dc=mydomain,dc=com
nss_base_shadow cn=Users,dc=mydomain,dc=com
nss_base_group  cn=Users,dc=mydomain,dc=com
nss_map_objectclass     posixGroup Group
nss_map_attribute       cn sAMAccountName

# SSL enabled
ssl             start_tls
------------------------------------------------------------------

And here is my /etc/krb5.conf
------------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYDOMAIN.COM = {
        kdc = ad.mydomain.com:88
        admin_server = ad.mydomain.com:464
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
}

--------------------------------------------------------------

The only thing that isn't working is the SASL/GSSAPI authentication.
I am able to bind to and search the AD LDAP directory using simple
binding, but I keep getting the local config error whenever I try
using SASL/GSSAPI.

Using kinit, I am able to successfully obtain a Kerberos 5 ticket.  I
have also imported the keytab from the AD server (using ktpass on the
AD server), and doing a 'ktutil list', it shows the machine's
principal in the keytab.

For the life of me I can't figure out what is going on with this
issue.  I have not been able to find any information on this issue.
Any help will be GREATLY appreciated.

Thanks,
Mike Hilty
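As an added example (not part of the original post or of any of the packages it names), the script below parses the two configuration formats shown above, krb5.conf with its nested `{ }` blocks and the flat `key value` layout of pam_ldap's ldap.conf, and then runs the checks a reviewer would apply to a GSSAPI-to-Active-Directory setup: realm casing and a KDC for the default realm, whether the LDAP `host` is an FQDN that the `[domain_realm]` section maps (GSSAPI derives the `ldap/<fqdn>` service principal from the host name the client uses), a plaintext `bindpw` in a normally world-readable file, and SASL combined with TLS. The embedded configuration text is copied from the post with its placeholders kept; the checks are general hygiene and are not offered as a diagnosis of the poster's error.

```python
"""Parse krb5.conf and pam_ldap-style ldap.conf and flag settings that
commonly break or weaken a SASL/GSSAPI bind to Active Directory.
Added example; the config strings are copied from the post."""
import re
from typing import Any, Dict, List

Conf = Dict[str, Any]

KRB5_CONF = """\
[libdefaults]
ticket_lifetime = 24000
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYDOMAIN.COM = {
        kdc = ad.mydomain.com:88
        admin_server = ad.mydomain.com:464
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[appdefaults]
pam = {
        debug = false
        forwardable = true
}
"""

LDAP_CONF = """\
# Active directory servers (from the post)
host    192.168.0.1
base    DC=mydomain,DC=com
ldap_version    3
use_sasl        on
binddn  CN=ldap,CN=Users,DC=mydomain,DC=com
bindpw  <secret>
ssl             start_tls
"""


def parse_krb5_conf(text: str) -> Conf:
    """'[section]' headers, 'key = value' lines and nested 'name = {' ... '}'
    blocks. Repeated keys (several kdc lines) become lists. Raises ValueError
    on unbalanced braces or an entry before any section header."""
    root: Conf = {}
    stack: List[Conf] = []  # innermost open block last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"entry before any [section]: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        kv = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not kv:
            raise ValueError(f"cannot parse line: {line!r}")
        key, value = kv.group(1), kv.group(2).strip()
        cur = stack[-1]
        if value == "{":
            cur[key] = {}
            stack.append(cur[key])
        elif key in cur:  # second value for the same key: keep both
            prev = cur[key]
            cur[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            cur[key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return root


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """pam_ldap/nss_ldap layout: one 'key<whitespace>value' per line."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def check_configs(krb5: Conf, ldap: Dict[str, str]) -> List[str]:
    """Return findings as strings prefixed 'krb5:' or 'ldap:'; empty is clean."""
    findings: List[str] = []
    libdefaults = krb5.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")
    if not realm:
        findings.append("krb5: no default_realm in [libdefaults]")
    elif realm != realm.upper():
        findings.append(f"krb5: default_realm {realm} is not upper-case; AD realm names are")
    elif realm not in krb5.get("realms", {}):
        findings.append(f"krb5: no [realms] entry for {realm}")
    elif "kdc" not in krb5["realms"][realm] and libdefaults.get("dns_lookup_kdc") != "true":
        findings.append(f"krb5: no kdc for {realm} and dns_lookup_kdc is off")
    domain_realm = krb5.get("domain_realm", {})
    for host in ldap.get("host", "").split():
        if IPV4.match(host):
            findings.append(f"ldap: host {host} is an IP address; GSSAPI builds the "
                            "ldap/<fqdn> service principal from the host name, so use "
                            "the FQDN the principal is registered under")
        elif not any(host == d or (d.startswith(".") and host.endswith(d)) for d in domain_realm):
            findings.append(f"krb5: [domain_realm] has no mapping for {host}")
    if "bindpw" in ldap:
        findings.append("ldap: bindpw is a plaintext secret in a normally world-readable "
                        "file; pam_ldap's rootbinddn with /etc/ldap.secret keeps it root-only")
    if ldap.get("use_sasl") == "on" and ldap.get("ssl") in ("on", "start_tls"):
        findings.append("ldap: use_sasl and ssl are both on; a GSSAPI security layer "
                        "negotiated on top of TLS is refused by some directories, so set "
                        "the SASL security properties explicitly")
    return findings


if __name__ == "__main__":
    for finding in check_configs(parse_krb5_conf(KRB5_CONF), parse_ldap_conf(LDAP_CONF)):
        print(finding)
```

Run it as-is to see the findings for the post's two files; point the two constants at your own files to review a different setup. The krb5.conf parser deliberately refuses unbalanced braces rather than guessing, because a silently truncated `[realms]` block is exactly the kind of defect that turns into an unexplained GSSAPI failure.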