I am attempting to bind against a Windows 2K server using OpenLDAP 2.1.2.
However, I am encountering the following problem:

# kinit UnixAdmin
Password for ***@TEST1.GEORGEFOX.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@TEST1.GEORGEFOX.COM

Valid starting     Expires            Service principal
07/09/02 15:56:53  07/10/02 01:56:53  krbtgt/***@TEST1.GEORGEFOX.COM
# ldapsearch -I -H ldap://exsrv.test1.georgefox.com/ -b "dc=test1,dc=georgefox,dc=com" objectclass=user
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: UnixAdmin
ldap_sasl_interactive_bind_s: Local error (82)
#

Any ideas on solving the problem? So far, this is a real show-stopper...

Tony

Software used is:

openssl-0.9.6d
cyrus-sasl-1.5.27
MIT krb5-1.2.5
openldap-2.1.2


******************************************************************************
* Anthony Brock ***@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************

Hi

On Tue, Jul 09, 2002 at 04:01:12PM -0700, Anthony Brock wrote:
> I am attempting to bind against a Windows 2K server using OpenLDAP 2.1.2.
> However, I am encountering the following problem:
>
> # kinit UnixAdmin
> Password for ***@TEST1.GEORGEFOX.COM:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ***@TEST1.GEORGEFOX.COM
>
> Valid starting Expires Service principal
> 07/09/02 15:56:53 07/10/02
> 01:56:53 krbtgt/***@TEST1.GEORGEFOX.COM
> # ldapsearch -I -H ldap://exsrv.test1.georgefox.com/ -b
> "dc=test1,dc=georgefox,dc=com" objectclass=user
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name: UnixAdmin
> ldap_sasl_interactive_bind_s: Local error (82)
> #
>

Try ldapsearch -x

Dumber
--
------------------------------------------------
Sure, I'm paranoid! But am I paranoid enough? ;)
Tomas Hornicek
Operation & Maintenance Administration
Orange Slovensko a.s.
***@orange.sk

***@dumber.sk wrote:
>
> Hi
>
> On Tue, Jul 09, 2002 at 04:01:12PM -0700, Anthony Brock wrote:
> > I am attempting to bind against a Windows 2K server using OpenLDAP 2.1.2.
> > However, I am encountering the following problem:
> >
> > # kinit UnixAdmin
> > Password for ***@TEST1.GEORGEFOX.COM:
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: ***@TEST1.GEORGEFOX.COM
> >
> > Valid starting Expires Service principal
> > 07/09/02 15:56:53 07/10/02
> > 01:56:53 krbtgt/***@TEST1.GEORGEFOX.COM
> > # ldapsearch -I -H ldap://exsrv.test1.georgefox.com/ -b
> > "dc=test1,dc=georgefox,dc=com" objectclass=user
> > SASL/GSSAPI authentication started
> > SASL Interaction
> > Please enter your authorization name: UnixAdmin
> > ldap_sasl_interactive_bind_s: Local error (82)
> > #
> >
>
> Try ldapsearch -x

By default Active Directory doesn't allow much access to
non-authenticated LDAP connections.

al
--

Al Lilianstrom
CD/OSS/CSI
***@fnal.gov

Anthony Brock wrote:
>
> I am attempting to bind against a Windows 2K server using OpenLDAP 2.1.2.
> However, I am encountering the following problem:
>
> # kinit UnixAdmin
> Password for ***@TEST1.GEORGEFOX.COM:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ***@TEST1.GEORGEFOX.COM
>
> Valid starting Expires Service principal
> 07/09/02 15:56:53 07/10/02
> 01:56:53 krbtgt/***@TEST1.GEORGEFOX.COM
> # ldapsearch -I -H ldap://exsrv.test1.georgefox.com/ -b
> "dc=test1,dc=georgefox,dc=com" objectclass=user
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name: UnixAdmin
> ldap_sasl_interactive_bind_s: Local error (82)
> #
>
> Any ideas on solving the problem? So far, this is a real show-stopper...
>

Set up a trust between the MIT realm and the w2k domain. Then when you
kinit on the MIT side you will be able to search the w2k side as you
will bind as anonymous.

If you need write access create an account on the w2k side with the
necessary access and then add a kerberos mapping from your MIT principal
to the windows user. You will then be able to use ldapsearch to find
whatever you want and ldapmodify to change what you have access to.

al

--

Al Lilianstrom
CD/OSS/CSI
***@fnal.gov

I believe I'm trying to do the same thing you are, only I'm using OpenLDAP 2.0.21 -- and still getting the same error. I don't have an MIT Kerberos realm, I'm trying to use the Win2k realm. Is that what you're attempting to do? Does OpenLDAP only work with Kerberos if both the KDC and the LDAP server exist on the same physical machine?
Thanks,
Jason

-----Original Message-----
From: Al Lilianstrom [mailto:***@fnal.gov]
Sent: Wednesday, July 10, 2002 7:42 AM
To: Anthony Brock
Cc: openldap-***@OpenLDAP.org
Subject: Re: Problems access MS Active Directory from OpenLDAP 2.1.2


Anthony Brock wrote:
>
> I am attempting to bind against a Windows 2K server using OpenLDAP 2.1.2.
> However, I am encountering the following problem:
>
> # kinit UnixAdmin
> Password for ***@TEST1.GEORGEFOX.COM:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ***@TEST1.GEORGEFOX.COM
>
> Valid starting Expires Service principal
> 07/09/02 15:56:53 07/10/02
> 01:56:53 krbtgt/***@TEST1.GEORGEFOX.COM
> # ldapsearch -I -H ldap://exsrv.test1.georgefox.com/ -b
> "dc=test1,dc=georgefox,dc=com" objectclass=user
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name: UnixAdmin
> ldap_sasl_interactive_bind_s: Local error (82)
> #
>
> Any ideas on solving the problem? So far, this is a real show-stopper...
>

Set up a trust between the MIT realm and the w2k domain. Then when you
kinit on the MIT side you will be able to search the w2k side as you
will bind as anonymous.

If you need write access create an account on the w2k side with the
necessary access and then add a kerberos mapping from your MIT principal
to the windows user. You will then be able to use ldapsearch to find
whatever you want and ldapmodify to change what you have access to.

al

--

Al Lilianstrom
CD/OSS/CSI
***@fnal.gov

Today at 9:03am, Jason Corley wrote:

> you're attempting to do? Does OpenLDAP only work with Kerberos if
> both the KDC and the LDAP server exist on the same physical machine?

There is no requirement for the KDC and the LDAP server to be on the
same machine.

I am running fine (openldap 2.0.23, RedHat Linux 7.3, MIT Kerberos) and
my KDC is a DCE 3.1 Security Server several machines away....

--
Frank Swasey | http://www.uvm.edu/~fcs
Systems Programmer | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
=== God Bless Us All ===

The -x option is incompatible with Kerberos authentication. So, when
attempted, I see the following:

# ldapsearch -x -I -H ldap://exsrv.test1.georgefox.com/ -b
"dc=test1,dc=georgefox,dc=com" objectclass=user
ldapsearch: incompatible previous authentication choice
#

Tony

At 12:02 AM 7/10/2002 -0700, ***@dumber.sk wrote:
>On Tue, Jul 09, 2002 at 04:01:12PM -0700, Anthony Brock wrote:
> >> I am attempting to bind against a Windows 2K server using OpenLDAP
> >2.1.2.
> >> However, I am encountering the following problem:
> >>
> >> # kinit UnixAdmin
> >> Password for ***@TEST1.GEORGEFOX.COM:
> >> # klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: ***@TEST1.GEORGEFOX.COM
> >>
> >> Valid starting Expires Service principal
> >> 07/09/02 15:56:53 07/10/02
> >> 01:56:53 krbtgt/***@TEST1.GEORGEFOX.COM
> >> # ldapsearch -I -H ldap://exsrv.test1.georgefox.com/ -b
> >> "dc=test1,dc=georgefox,dc=com" objectclass=user
> >> SASL/GSSAPI authentication started
> >> SASL Interaction
> >> Please enter your authorization name: UnixAdmin
> >> ldap_sasl_interactive_bind_s: Local error (82)
> >> #
> >>
>
>Try ldapsearch -x

******************************************************************************
* Anthony Brock ***@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************

Today at 7:26am, Anthony Brock wrote:

> The -x option is incompatible with Kerberos authentication. So, when
> attempted, I see the following:
>
> # ldapsearch -x -I -H ldap://exsrv.test1.georgefox.com/ -b
> "dc=test1,dc=georgefox,dc=com" objectclass=user
> ldapsearch: incompatible previous authentication choice
> #

Be clear... you have asked for (-x) "Use simple authentication instead
of SASL" and (-I) "Enable SASL Interactive mode." --- of course they're
incompatible.... But it has nothing to do with Kerberos at all.

Why are you trying to use GSSAPI (in your original post) and simple
binding now and always requesting Interactive SASL??? Try it without
the -I.

I think you should also read the ldapsearch manpage and the howto at
http://www.bayour.com/LDAPv3-HOWTO.html -- just my !HO.

--
Frank Swasey | http://www.uvm.edu/~fcs
Systems Programmer | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
=== God Bless Us All ===

Al,

At this time, I am not attempting to use an MIT realm. Would it be advised
to implement the MIT realm, and pursue this option? Or is there a way to
directly authenticate against the W2K? Or, are both possible/workable?

If both are workable, what are the relative advantages/disadvantages of
each? I originally thought this was a straightforward project. Suddenly,
it's starting to edge towards new territory (multiple realms and trust
relationships). I would greatly appreciate any advice!

Tony

At 04:41 AM 7/10/2002 -0700, ***@fnal.gov wrote:
>Set up a trust between the MIT realm and the w2k domain. Then when you
>kinit on the MIT side you will be able to search the w2k side as you
>will bind as anonymous.
>
>If you need write access create an account on the w2k side with the
>necessary access and then add a kerberos mapping from your MIT principal
>to the windows user. You will then be able to use ldapsearch to find
>whatever you want and ldapmodify to change what you have access to.
>
> al
>
>--
>
>Al Lilianstrom
>CD/OSS/CSI
>***@fnal.gov

******************************************************************************
* Anthony Brock ***@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************

Anthony Brock wrote:
>
> Al,
>
> At this time, I am not attempting to use an MIT realm. Would it be advised
> to implement the MIT realm, and pursue this option? Or is there a way to
> directly authenticate against the W2K? Or, are both possible/workable?
>
> If both are workable, what are the relative advantages/disadvantages of
> each? I originally thought this was a straightforward project. Suddenly,
> it's starting to edge towards new territory (multiple realms and trust
> relationships). I would greatly appreciate any advice!
>

Ok. Earlier you wrote

> I am attempting to bind against a Windows 2K server using OpenLDAP 2.1.2.
> However, I am encountering the following problem:
>
> # kinit UnixAdmin
> Password for ***@TEST1.GEORGEFOX.COM:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ***@TEST1.GEORGEFOX.COM
>
> Valid starting Expires Service principal
> 07/09/02 15:56:53 07/10/02
> 01:56:53 krbtgt/***@TEST1.GEORGEFOX.COM
> # ldapsearch -I -H ldap://exsrv.test1.georgefox.com/ -b
> "dc=test1,dc=georgefox,dc=com" objectclass=user
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name: UnixAdmin
> ldap_sasl_interactive_bind_s: Local error (82)
> #
>
> Any ideas on solving the problem? So far, this is a real show-stopper...

so you are doing the kinit against the w2k domain from a Unix system?

Try the ldapsearch like this

# ldapsearch -h exsrv.test1.georgefox.com -b
"dc=test1,dc=georgefox,dc=com" -p subtree name=unixadmin dn

With a ticket from the w2k side you should not need to do the
interactive login.

# klist -f
Ticket cache: /tmp/krb5cc_p31967
Default principal: ***@FERMI

Valid starting Expires Service principal
07/10/02 10:13:43 07/10/02 20:13:43 krbtgt/***@FERMI
Flags: FIA

# ldapsearch -h dc -LLL -b "dc=fermi" name=lilstrom dn
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
dn: CN=lilstrom,DC=fermi

# klist -f
Ticket cache: /tmp/krb5cc_p31967
Default principal: ***@FERMI

Valid starting Expires Service principal
07/10/02 10:13:43 07/10/02 20:13:43 krbtgt/***@FERMI
Flags: FIA
07/10/02 10:13:47 07/10/02 20:13:43 ldap/***@FERMI
Flags: FA

al

--

Al Lilianstrom
CD/OSS/CSI
***@fnal.gov

Jason Corley wrote:
>
> I believe I'm trying to do the same thing you are, only I'm using OpenLDAP 2.0.21 -- and still getting the same error. I don't have an MIT Kerberos realm, I'm trying to use the Win2k realm. Is that what you're attempting to do? Does OpenLDAP only work with Kerberos if both the KDC and the LDAP server exist on the same physical machine?
> Thanks,
> Jason

No. I have OpenLDAP on a variety of Unix machines in a MIT realm and can
talk to AD just fine with Kerberos authentication.

If you want to go between the two realms you need a trust between the
MIT realm and the w2k domain.

al

--

Al Lilianstrom
CD/OSS/CSI
***@fnal.gov

At 08:55 AM 7/10/2002 -0700, ***@uvm.edu wrote:
>Be clear... you have asked for (-x) "Use simple authentication instead
>of SASL" and (-I) "Enable SASL Interactive mode." --- of course they're
>incompatible.... But it has nothing to do with Kerberos at all.

To be clear, I realize the problem with using both flags. The individual I
was responding to offered a suggestion, and I was attempting to respond in
a polite and appreciative manner. I am always happy to see responses to my
questions, even when I know that the suggested solution will not work.

>Why are you trying to use GSSAPI (in your original post) and simple
>binding now and always requesting Interactive SASL??? Try it without
>the -I.
>
>I think you should also read the ldapsearch manpage and the howto at
>http://www.bayour.com/LDAPv3-HOWTO.html -- just my !HO.

I have. I spent several months poring over this guide, the manpages and
the mailing list archives earlier this spring for another project. In fact,
the commands I originally posted with were developed from this guide... I
posted my message after spending 5 hours browsing and searching the mailing
list archive for this specific problem. Unfortunately, any search for
"sasl;Local;error" results in an enormous amount of messages... several of
which I posted earlier this spring.

Thank you for the pointer to the HOWTO. It never hurts to have it mentioned
in the archives!

Tony


******************************************************************************
* Anthony Brock ***@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************

At 08:16 AM 7/10/2002 -0700, ***@fnal.gov wrote:
>so you are doing the kinit against the w2k domain from a Unix system?

Yes. The kinit is successfully (I believe) receiving the ticket from the
W2K system. If I start from scratch, I see a success message on the W2K
server and for the following:

# kdestroy
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
# kinit UnixAdmin
Password for ***@TEST1.GEORGEFOX.COM:
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@TEST1.GEORGEFOX.COM

Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/***@TEST1.GEORGEFOX.COM
        Flags: IA
#

>Try the ldapsearch like this
>
># ldapsearch -h exsrv.test1.georgefox.com -b
>"dc=test1,dc=georgefox,dc=com" -p subtree name=unixadmin dn

# ldapsearch -h exsrv.test1.georgefox.com -b "dc=test1,dc=georgefox,dc=com" -p subtree name=unixadmin dn
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@TEST1.GEORGEFOX.COM

Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/***@TEST1.GEORGEFOX.COM
        Flags: IA
#

>With a ticket from the w2k side you should not need to do the
>interactive login.

This makes sense. I was becoming paranoid that I might have a problem
since my login UID is root and not UnixAdmin. I was attempting to be
explicit and eliminate any potential conflict there...

I noticed that your command is displaying "SASL SSF: 56" before "installing
layers". Is this of importance? Do I need to do anything unique to the W2K
server to make this work?

Thanks!

Tony

># klist -f
>Ticket cache: /tmp/krb5cc_p31967
>Default principal: ***@FERMI
>
>Valid starting Expires Service principal
>07/10/02 10:13:43 07/10/02 20:13:43 krbtgt/***@FERMI
> Flags: FIA
>
># ldapsearch -h dc -LLL -b "dc=fermi" name=lilstrom dn
>SASL/GSSAPI authentication started
>SASL SSF: 56
>SASL installing layers
>dn: CN=lilstrom,DC=fermi
>
># klist -f
>Ticket cache: /tmp/krb5cc_p31967
>Default principal: ***@FERMI
>
>Valid starting Expires Service principal
>07/10/02 10:13:43 07/10/02 20:13:43 krbtgt/***@FERMI
> Flags: FIA
>07/10/02 10:13:47 07/10/02 20:13:43 ldap/***@FERMI
> Flags: FA
>
> al
>
>--
>
>Al Lilianstrom
>CD/OSS/CSI
>***@fnal.gov

******************************************************************************
* Anthony Brock ***@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************

I found this link and thought it might be of some use (it certainly has proven valuable to me): http://www.ofb.net/~jheiss/krbldap/howto.html

Since I'm trying something similar I have some questions to tack on to this. The part about not needing interactive SASL makes sense if you've done kinit, but if I didn't run kinit first what is the proper syntax for something like ldapsearch? For example, if I do:
kinit ***@EXAMPLE.COM
<enter my password when prompted>
ldapsearch -ZZ -LLL -H ldap://my.ldap.server/ "(objecClass=posixAccount)"
This works fine. But shouldn't I be able to combine those steps into one ldapsearch command using interactive SASL? I must have the syntax all wrong.

Secondly, I must have either the system authentication or something else not set up properly, because the krb5PrincipleName attribute doesn't seem to work. If the ldap user I set up doesn't have the same UID in kerberos, it doesn't work no matter how I try to map the krb5PrincipleName. When I attempted to map a new LDAP user to an existing Kerberos user the error I got in /var/log/messages was:
pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
pam_krb5: authentication fails for `testuser'
pam_ldap: error trying to bind as user "uid=testuser,ou=people,c=us,dc=togethersoft,dc=net" (Inappropriate authentication)
FAILED LOGIN 1 FROM (null) FOR testuser, Authentication failure
Thanks,
Jason

-----Original Message-----
From: Anthony Brock [mailto:***@georgefox.edu]
Sent: Wednesday, July 10, 2002 12:46 PM
To: Al Lilianstrom; openldap-***@OpenLDAP.org
Subject: Re: Problems access MS Active Directory from OpenLDAP 2.1.2


At 08:16 AM 7/10/2002 -0700, ***@fnal.gov wrote:
>so you are doing the kinit against the w2k domain from a Unix system?

Yes. The kinit is successfully (I believe) receiving the ticket from the
W2K system. If I start from scratch, I see a success message on the W2K
server and for the following:

# kdestroy
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
# kinit UnixAdmin
Password for ***@TEST1.GEORGEFOX.COM:
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@TEST1.GEORGEFOX.COM

Valid starting Expires Service principal
07/10/02 09:37:30 07/10/02
19:37:30 krbtgt/***@TEST1.GEORGEFOX.COM
Flags: IA
#

>Try the ldapsearch like this
>
># ldapsearch -h exsrv.test1.georgefox.com -b
>"dc=test1,dc=georgefox,dc=com" -p subtree name=unixadmin dn

# ldapsearch -h exsrv.test1.georgefox.com -b "dc=test1,dc=georgefox,dc=com"
-p subtree name=unixadmin dn
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@TEST1.GEORGEFOX.COM

Valid starting Expires Service principal
07/10/02 09:37:30 07/10/02
19:37:30 krbtgt/***@TEST1.GEORGEFOX.COM
Flags: IA
#

>With a ticket from the w2k side you should not need to do the
>interactive login.

This makes sense. I was becoming paranoid that I might have a problem
since my login UID is root and not UnixAdmin. I was attempting to be
explicit and eliminate any potential conflict there...

I noticed that your command is displaying "SASL SSF: 56" before "installing
layers". Is this of importance? Do I need to do anything unique to the W2K
server to make this work?

Thanks!

Tony

># klist -f
>Ticket cache: /tmp/krb5cc_p31967
>Default principal: ***@FERMI
>
>Valid starting Expires Service principal
>07/10/02 10:13:43 07/10/02 20:13:43 krbtgt/***@FERMI
> Flags: FIA
>
># ldapsearch -h dc -LLL -b "dc=fermi" name=lilstrom dn
>SASL/GSSAPI authentication started
>SASL SSF: 56
>SASL installing layers
>dn: CN=lilstrom,DC=fermi
>
># klist -f
>Ticket cache: /tmp/krb5cc_p31967
>Default principal: ***@FERMI
>
>Valid starting Expires Service principal
>07/10/02 10:13:43 07/10/02 20:13:43 krbtgt/***@FERMI
> Flags: FIA
>07/10/02 10:13:47 07/10/02 20:13:43 ldap/***@FERMI
> Flags: FA
>
> al
>
>--
>
>Al Lilianstrom
>CD/OSS/CSI
>***@fnal.gov

******************************************************************************
* Anthony Brock ***@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************
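The checks the thread converges on (a TGT for the DC's realm must be cached before a GSSAPI bind, -x must not be combined with -I or -Y, and a successful bind leaves an ldap/<dc> service ticket in the cache, as Al's klist output shows) collected into one pre-flight script. This is an added example, not code from the thread or from OpenLDAP; the host dc.example.test, the realm EXAMPLE.TEST and both klist listings are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight for a GSSAPI ldapsearch
# against a domain controller: checks the cached TGT's realm, rejects the
# -x/-I flag mix, and after the bind looks for the ldap/<dc> service ticket.
# DC_HOST, DC_REALM and both klist listings are constructed samples.
DC_HOST="dc.example.test"
DC_REALM="EXAMPLE.TEST"

# Constructed "klist -f" output before any bind: only the TGT is cached.
KLIST_BEFORE="Ticket cache: FILE:/tmp/krb5cc_0
Default principal: unixadmin@EXAMPLE.TEST

Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        Flags: FIA"

# Constructed "klist -f" output after a successful GSSAPI bind: the KDC has
# also issued a ticket for the DC's LDAP service.
KLIST_AFTER="$KLIST_BEFORE
07/10/02 09:37:45  07/10/02 19:37:30  ldap/dc.example.test@EXAMPLE.TEST
        Flags: FA"

# Realm of the default principal in a klist listing.
klist_realm() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: .*@//p'
}
# Succeeds if the listing holds a TGT for realm $2.
has_tgt_for() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}
# Succeeds if the listing holds a service ticket for ldap/$2, the evidence
# that the GSSAPI bind got past the KDC.
has_ldap_ticket() {
    printf '%s\n' "$1" | grep -qF "ldap/$2@"
}
# Classify ldapsearch flags: -x asks for a simple bind, -I or -Y for SASL.
# Both together is ldapsearch's "incompatible previous authentication
# choice"; with a cached TGT a plain GSSAPI bind needs neither -x nor -I.
bind_mode() {
    simple=0; sasl=0
    for a in "$@"; do
        case "$a" in
            -x) simple=1 ;;
            -I|-Y*) sasl=1 ;;
        esac
    done
    if [ "$simple" -eq 1 ] && [ "$sasl" -eq 1 ]; then echo conflict; return 1; fi
    if [ "$simple" -eq 1 ]; then echo simple; else echo gssapi; fi
}
# Decide from a klist listing and the intended ldapsearch flags whether a
# GSSAPI bind to $DC_HOST can work. Prints the reason; non-zero on failure.
preflight() {
    listing="$1"; shift
    mode=$(bind_mode "$@") || { echo "flag conflict: drop -x or the SASL flags"; return 1; }
    [ "$mode" = gssapi ] || { echo "simple bind requested: Kerberos not used"; return 0; }
    realm=$(klist_realm "$listing")
    [ "$realm" = "$DC_REALM" ] || { echo "TGT is for $realm, not $DC_REALM: kinit there or set up a cross-realm trust"; return 1; }
    has_tgt_for "$listing" "$DC_REALM" || { echo "no TGT cached: run kinit first"; return 1; }
    echo "ok: GSSAPI bind to $DC_HOST can proceed"
}

# Demonstration on the constructed listings: pre-flight, then the post-bind check.
preflight "$KLIST_BEFORE" -H "ldap://$DC_HOST/" -b "dc=example,dc=test" "(name=unixadmin)" dn
has_ldap_ticket "$KLIST_AFTER" "$DC_HOST" && echo "bind left a service ticket for ldap/$DC_HOST"
```

On a real host, replace the constructed listings with `$(klist -f 2>/dev/null)` taken before and after the ldapsearch run.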