I think I posted this on the wrong 'sister site', so here it is.
I'm having a bit of trouble getting Kerberos (Heimdal version) to work nicely with OpenLDAP. The kerberos database is being stored in LDAP itself. The KDC uses SASL EXTERNAL authentication as root to access the container ou.
I created the database in LDAP fine using kadmin -l, but it won't let me use kadmin without the -l flag:
root@rds0:~# kadmin -l
kadmin> list *
krbtgt/REALM
kadmin/changepw
kadmin/admin
changepw/kerberos
kadmin/hprop
WELLKNOWN/ANONYMOUS
WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L
default
brian.empson
brian.empson/admin
host/rds0.example.net
ldap/rds0.example.net
host/localhost
kadmin> exit
root@rds0:~# kadmin
kadmin> list *
brian.empson/admin@REALM's Password: <----- With right password
kadmin: kadm5_get_principals: Key table entry not found
kadmin> list *
brian.empson/admin@REALM's Password: <------ With wrong password
kadmin: kadm5_get_principals: Already tried ENC-TS-info, looping
kadmin>
I can get tickets without a problem:
root@rds0:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: brian.empson@REALM
Issued Expires Principal
Nov 11 14:14:40 2012 Nov 12 00:14:37 2012 krbtgt/REALM@REALM
Nov 11 14:40:35 2012 Nov 12 00:14:37 2012 ldap/rds0.example.net@REALM
But I can't seem to change my own password without kadmin -l:
root@rds0:~# kpasswd
brian.empson@REALM's Password: <---- Right password
New password:
Verify password - New password:
Auth error : Authentication failed
root@rds0:~# kpasswd
brian.empson@REALM's Password: <---- Wrong password
kpasswd: krb5_get_init_creds: Already tried ENC-TS-info, looping
kadmin's logs are not helpful at all:
2012-11-11T13:48:33 krb5_recvauth: Key table entry not found
2012-11-11T13:51:18 krb5_recvauth: Key table entry not found
2012-11-11T13:53:02 krb5_recvauth: Key table entry not found
2012-11-11T14:16:34 krb5_recvauth: Key table entry not found
2012-11-11T14:20:24 krb5_recvauth: Key table entry not found
2012-11-11T14:20:44 krb5_recvauth: Key table entry not found
2012-11-11T14:21:29 krb5_recvauth: Key table entry not found
2012-11-11T14:21:46 krb5_recvauth: Key table entry not found
2012-11-11T14:23:09 krb5_recvauth: Key table entry not found
2012-11-11T14:45:39 krb5_recvauth: Key table entry not found
The KDC reports that both accounts succeed in authenticating:
2012-11-11T14:48:03 AS-REQ brian.empson@REALM from IPv4:192.168.72.10 for kadmin/changepw@REALM
2012-11-11T14:48:03 Client sent patypes: REQ-ENC-PA-REP
2012-11-11T14:48:03 Looking for PK-INIT(ietf) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for PK-INIT(win2k) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for ENC-TS pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-11-11T14:48:03 sending 294 bytes to IPv4:192.168.72.10
2012-11-11T14:48:03 AS-REQ brian.empson@REALM from IPv4:192.168.72.10 for kadmin/changepw@REALM
2012-11-11T14:48:03 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2012-11-11T14:48:03 Looking for PK-INIT(ietf) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for PK-INIT(win2k) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for ENC-TS pa-data -- brian.empson@REALM
2012-11-11T14:48:03 ENC-TS Pre-authentication succeeded -- brian.empson@REALM using aes256-cts-hmac-sha1-96
2012-11-11T14:48:03 ENC-TS pre-authentication succeeded -- brian.empson@REALM
2012-11-11T14:48:03 AS-REQ authtime: 2012-11-11T14:48:03 starttime: unset endtime: 2012-11-11T14:53:00 renew till: unset
2012-11-11T14:48:03 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-11-11T14:48:03 sending 704 bytes to IPv4:192.168.72.10
2012-11-11T14:45:39 AS-REQ brian.empson/admin@REALM from IPv4:192.168.72.10 for kadmin/admin@REALM
2012-11-11T14:45:39 Client sent patypes: REQ-ENC-PA-REP
2012-11-11T14:45:39 Looking for PK-INIT(ietf) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for PK-INIT(win2k) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for ENC-TS pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-11-11T14:45:39 sending 303 bytes to IPv4:192.168.72.10
2012-11-11T14:45:39 AS-REQ brian.empson/admin@REALM from IPv4:192.168.72.10 for kadmin/admin@REALM
2012-11-11T14:45:39 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2012-11-11T14:45:39 Looking for PK-INIT(ietf) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for PK-INIT(win2k) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for ENC-TS pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 ENC-TS Pre-authentication succeeded -- brian.empson/admin@REALM using aes256-cts-hmac-sha1-96
2012-11-11T14:45:39 ENC-TS pre-authentication succeeded -- brian.empson/admin@REALM
2012-11-11T14:45:39 AS-REQ authtime: 2012-11-11T14:45:39 starttime: unset endtime: 2012-11-11T15:45:39 renew till: unset
2012-11-11T14:45:39 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-11-11T14:45:39 sending 717 bytes to IPv4:192.168.72.10
I wish I had more detailed logging messages, running kadmind in debug mode seems to almost work but it just kicks me back to the shell when I type in the correct password.
GSSAPI via LDAP doesn't work either, but I suspect it's because some parts of kerberos aren't working either:
root@rds0:~# ldapsearch -Y GSSAPI -H ldaps:/// -b "o=mybase" o=mybase
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
root@rds0:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b "o=mybase" o=mybase
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
<snip>
Would anyone be able to point me in the right direction?