Re: Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so

From: Lévai László <laszlo.lev.levai_at_gmail.com>
Date: Thu, 30 Oct 2014 11:33:19 +0100

I started working on this Heimdal + OpenLDAP combo two weeks ago.

Now Heimdal can connect to the OpenLDAP backend. I turned off TLS
encryption and everyone can write to the LDAP tree (for testing purposes).
After that, init MY.REALM is working.

But for some reason ssh login with GSSAPIAuth is not working yet. I'm
floating dead in the water too :-)

On 2014-10-30 10:46, O. Hartmann wrote:
> On Thu, 30 Oct 2014 10:02:19 +0100 Lévai László
> <laszlo.lev.levai_at_gmail.com> wrote:
> 
>> On 2014-10-30 09:47, O. Hartmann wrote:
>>> On Thu, 30 Oct 2014 09:35:49 +0100 Lévai László 
>>> <laszlo.lev.levai_at_gmail.com> wrote:
>>> 
>>> Hi, try this:
>>> 
>>> [1] kill all kerberos processes
>>> [2] to start KDC: /usr/local/libexec/kdc --detach
>>> [3] /usr/local/sbin/kadmin -l
>>> kadmin> list -l *
>>> [...]
>>> 
>>> Principal: krbtgt/...
>>> Principal expires: never
>>> Password expires: never
>>> Last password change: never
>>> Max ticket life: unlimited
>>> Max renewable life: unlimited
>>> Kvno: 1
>>> Mkvno: unknown
>>> Last successful login: never
>>> Last failed login: never
>>> Failed login count: 0
>>> Last modified: 2014-10-28 11:44:00 UTC
>>> Modifier: unknown
>>> Attributes:
>>> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>>> PK-INIT ACL:
>>> Aliases:
>>> 
>>> Principal: kadmin/changepw_at_...
>>> Principal expires: never
>>> Password expires: never
>>> Last password change: never
>>> Max ticket life: 5 minutes
>>> Max renewable life: 5 minutes
>>> Kvno: 1
>>> Mkvno: unknown
>>> Last successful login: never
>>> Last failed login: never
>>> Failed login count: 0
>>> Last modified: 2014-10-28 11:44:00 UTC
>>> Modifier: unknown
>>> Attributes: pwchange-service, requires-pre-auth, disallow-proxiable, disallow-renewable, disallow-tgt-based, disallow-postdated
>>> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>>> PK-INIT ACL:
>>> Aliases:
>>> 
>>> Principal: kadmin/admin_at_...
>>> Principal expires: never
>>> Password expires: never
>>> Last password change: never
>>> Max ticket life: 1 hour
>>> Max renewable life: 1 hour
>>> Kvno: 1
>>> Mkvno: unknown
>>> Last successful login: never
>>> Last failed login: never
>>> Failed login count: 0
>>> Last modified: 2014-10-28 11:44:00 UTC
>>> Modifier: unknown
>>> Attributes: requires-pre-auth
>>> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>>> PK-INIT ACL:
>>> Aliases:
>>> 
>>> Principal: changepw/kerberos_at_...
>>> Principal expires: never
>>> Password expires: never
>>> Last password change: never
>>> Max ticket life: 1 hour
>>> Max renewable life: 1 hour
>>> Kvno: 1
>>> Mkvno: unknown
>>> Last successful login: never
>>> Last failed login: never
>>> Failed login count: 0
>>> Last modified: 2014-10-28 11:44:01 UTC
>>> Modifier: unknown
>>> Attributes: pwchange-service, disallow-tgt-based
>>> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>>> PK-INIT ACL:
>>> Aliases:
>>> 
>>> Principal: kadmin/hprop_at_...
>>> Principal expires: never
>>> Password expires: never
>>> Last password change: never
>>> Max ticket life: 1 hour
>>> Max renewable life: 1 hour
>>> Kvno: 1
>>> Mkvno: unknown
>>> Last successful login: never
>>> Last failed login: never
>>> Failed login count: 0
>>> Last modified: 2014-10-28 11:44:01 UTC
>>> Modifier: unknown
>>> Attributes: requires-pre-auth, disallow-tgt-based
>>> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>>> PK-INIT ACL:
>>> Aliases:
>>> 
>>> Principal: WELLKNOWN/ANONYMOUS_at_...
>>> Principal expires: never
>>> Password expires: never
>>> Last password change: never
>>> Max ticket life: 1 hour
>>> Max renewable life: 1 hour
>>> Kvno: 1
>>> Mkvno: unknown
>>> Last successful login: never
>>> Last failed login: never
>>> Failed login count: 0
>>> Last modified: 2014-10-28 11:44:01 UTC
>>> Modifier: unknown
>>> Attributes: requires-pre-auth
>>> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>>> PK-INIT ACL:
>>> Aliases:
>>> 
>>> Principal: default_at_...
>>> Principal expires: never
>>> Password expires: never
>>> Last password change: never
>>> Max ticket life: 1 day
>>> Max renewable life: 1 week
>>> Kvno: 1
>>> Mkvno: unknown
>>> Last successful login: never
>>> Last failed login: never
>>> Failed login count: 0
>>> Last modified: 2014-10-28 11:44:01 UTC
>>> Modifier: unknown
>>> Attributes: disallow-all-tix
>>> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>>> PK-INIT ACL:
>>> Aliases:
>>> [...]
>>> 
>>>> Hello.
>>> 
>>>> This seems not to be the base system's Heimdal since you use 
>>>> /usr/local as prefix!
>>> 
>> 
>> The base system's Heimdal with OpenLDAP backend did not work for
>> me. So I installed the security/heimdal port and OpenLDAP24
>> server.
>> 
>> root_at_lea:~ # /usr/local/libexec/slapd -VV
>> _at_(#) $OpenLDAP: slapd 2.4.40 (Oct 17 2014 16:17:52) $
>> root_at_lea...:/usr/ports/net/openldap24-server/work/openldap-2.4.40/servers/slapd
>>
>> root_at_lea:~ # /usr/local/libexec/kdc --version
>> kdc (Heimdal 1.5.2)
>> Copyright 1995-2011 Kungliga Tekniska Högskolan
>> Send bug-reports to heimdal-bugs_at_h5l.org
>>
>> root_at_lea:~ # /usr/local/libexec/kdc --builtin-hdb
>> builtin hdb backends: ndbm:, keytab:, ldap:, ldapi:, sqlite:
>>
>> otherwise the system kdc:
>> root_at_lea:~ # /usr/libexec/kdc --builtin-hdb
>> builtin hdb backends: db:, mit-db:, ndbm:, keytab:, sqlite:
>> 
>> 
>>>> What is your database/storage backend for your Heimdal
>>>> installation? Is it OpenLDAP?
>>>
>>>> Thank you very much in advance,
>>> 
>>>> Oliver
>>> 
>>> 
>>> 
>>> On 2014-10-30 09:20, O. Hartmann wrote:
>>>>>> On CURRENT (FreeBSD 11.0-CURRENT #0 r273810: Wed Oct 29 
>>>>>> 07:52:22 CET 2014 amd64) a running
>>>>>> net/openldap24-sasl-server system is installed and
>>>>>> running and is now about to be the database backend for
>>>>>> Kerberos/Heimdal. net/openldap24-sasl-server is at 
>>>>>> openldap-sasl-server-2.4.40.
>>>>>> 
>>>>>> The database storage scheme of the LDAP backend is MDB,
>>>>>> as it is highly recommended by the vendors of OpenLDAP.
>>>>>> 
>>>>>> Searching for suitable manuals, I found some HowTos 
>>>>>> describing how to setup MIT Kerberos V with an OpenLDAP 
>>>>>> backend and I started following the instructions there. 
>>>>>> Despite the fact that http://www.h5l.org/manual is
>>>>>> dead(!) and no useful documentation or any kind of a
>>>>>> hint where to find useful documentation for Heimdal can
>>>>>> be found, many of the MIT Kerberos V setup instructions
>>>>>> seem to be a dead end when using Heimdal on FreeBSD. Most
>>>>>> of the links on that heimdal site end up in ERROR 404!
>>>>>> 
>>>>>> Well, I think my objective isn't that exotic in a more
>>>>>> advanced server environment and I think since FreeBSD is 
>>>>>> supposed to be used in advanced server environments this
>>>>>> task should be well known - but little
>>>>>> information/documentation is available.
>>>>>> 
>>>>>> Nevertheless, I use the base system's heimdal
>>>>>> implementation and I run into a very frustrating error
>>>>>> when trying to run "kadmin -l":
>>>>>> 
>>>>>> kadmin: error trying to load dynamic module 
>>>>>> /usr/lib/hdb_ldap.so: Cannot open "/usr/lib/hdb_ldap.so"
>>>>>> 
>>>>>> The setup for the stanza [kdc] is
>>>>>> 
>>>>>> [...]
>>>>>> [kdc]
>>>>>> database = {
>>>>>>     dbname=ldap:ou=kerberos,dc=server,dc=gdr
>>>>>>     #hdb-ldap-structural-object = inetOrgPerson
>>>>>>     mkey_file = /var/heimdal/m-key
>>>>>>     acl_file = /var/heimdal/kadmind.acl
>>>>>> }
>>>>>> 
>>>>>> instructions taken from 
>>>>>> http://www.padl.com/Research/Heimdal.html.
>>>>>> 
>>>>>> Well, it seems that FreeBSD ships with a crippled heimdal
>>>>>>  implementation. Where is /usr/lib/hdb_ldap.so?
>>>>>> 
>>>>>> I'm toying around this issue for several days now and it
>>>>>> gets more and more frustrating, also with the perspective
>>>>>> of having no running samba 4.1 server for the windows
>>>>>> domain.
>>>>>> 
>>>>>> Can someone give me a hint where to find suitable
>>>>>> FreeBSD docs for a task like this? I guess since FreeBSD
>>>>>> is considered a server OS more than a desktop/toy OS,
>>>>>> there must be a solution for this. FreeBSD ships with
>>>>>> heimdal in the base, but it seems this heimdal is
>>>>>> broken.
>>>>>> 
>>>>>> P.S. Please CC me. 
> [...]
> 
> Yes, the base system is only a crippled version and I guess it is
> due to the fact that OpenLDAP is also NOT part of the base and the
> libraries/headers necessary to build the LDAP support in the base
> system's heimdal are missing.
> 
> The lack of documentation is simply a mess. I excluded by intention
> the port security/heimdal to prove whether FreeBSD is capable of
> handling a common and very usual server task like the mentioned
> scenario.
> 
> I overcame this problem by installing the port security/heimdal,
> but now I run into the next problem which is highly intransparent:
> 
> kadmin> init MY.REALM
> kadmin: hdb_open: ldap_sasl_bind_s: Confidentiality required
> 
> My LDAP server expects TLS authentication. I would expect an LDAP
> aware client to look for the proper information at
> /usr/local/openldap/ldap.conf. Obviously, Heimdal doesn't. Is
> there anything I've missed? Since I can not find any suitable
> documentation (www.h5l.org/manual is dead!), I'm floating dead in
> the water.
> 
> I found several HowTo manuals, but the most sophisticated refers
> to MIT Kerberos 5 as mentioned earlier and can be found here:
> 
> http://www.math.ucla.edu/~jimc/documents/ldap/kerberos-ldap-1202.html
>
> But this manual seems to be inapplicable to Heimdal. But without
> docs it is hard to impossible (in a reasonable timeframe for
> productive use) to figure that out.
> 
> Anyway, if there is some hint, I would appreciate it.
> 
> Thanks in advance, Oliver
> 

-- 
Regards:
Lévai László
Received on Thu Oct 30 2014 - 09:33:23 UTC
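
Added example, not part of the thread and not Heimdal's own code: a small Python check over `kadmin` `list -l` output of the kind quoted above, reporting keys whose enctypes are deprecated by RFC 6649 / RFC 8429 and principals that lack `requires-pre-auth`. The policy it applies, the function names and the EXAMPLE.ORG sample are assumptions of this example.

```python
import re

# Enctypes deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des3-cbc-sha1", "arcfour-hmac-md5"}

# Field labels as they appear in the listing quoted in this thread.
LABELS = ["Principal expires", "Password expires", "Last password change",
          "Max ticket life", "Max renewable life", "Kvno", "Mkvno",
          "Last successful login", "Last failed login", "Failed login count",
          "Last modified", "Modifier", "Attributes", "Keytypes",
          "PK-INIT ACL", "Aliases", "Principal"]
FIELD_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):")

def parse_principals(text):
    """Return one dict per principal; tolerates mail-rewrapped output."""
    parts = FIELD_RE.split(" ".join(text.split()))
    principals = []
    for label, value in zip(parts[1::2], parts[2::2]):
        if label == "Principal":
            principals.append({})
        if principals:
            principals[-1][label] = value.strip()
    return principals

def audit(text):
    """Map principal name -> list of findings (empty list: nothing flagged)."""
    report = {}
    for p in parse_principals(text):
        keytypes = {k.split("(")[0].strip() for k in p.get("Keytypes", "").split(",")}
        attrs = {a.strip() for a in p.get("Attributes", "").split(",")}
        findings = [f"weak enctype: {k}" for k in sorted(keytypes & WEAK_ENCTYPES)]
        # Assumed policy: disallow-all-tix entries can get no tickets, so skip them.
        if "requires-pre-auth" not in attrs and "disallow-all-tix" not in attrs:
            findings.append("no requires-pre-auth")
        report[p["Principal"]] = findings
    return report

# Constructed sample in the same format; EXAMPLE.ORG is a placeholder realm.
SAMPLE = """\
Principal: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Attributes:
Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
Principal: kadmin/admin@EXAMPLE.ORG Attributes: requires-pre-auth
Keytypes: aes256-cts-hmac-sha1-96(pw-salt) PK-INIT ACL: Aliases:
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```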
