This will be a quick post about something that was biting my ass these last few days and what was the real cause. After you read it, you are welcome to laugh at my expense. Go ahead! I deserve it!
I was working in a kerberos/ldap (linux) server and needed to debug the connection to a given client. The ldap connection uses TLS, GnuTLS specifically since the two machines were ubuntu servers, which means we also had to worry about certs. And since kerberos is in the picture, we need to configure for that. To help in solving other issues, which I should comment about later (at least those were clever problems not like this one), I was running slapd in debug mode,
/usr/sbin/slapd -d 256 -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d
and that did help solve the other issue I had. Some of you will notice I am also running ldaps (port 636), which I really do not need since TLS should take care of the encryption thingie. But, I digress for this post, so let's go back on topic. What I then noticed was some very problems with ldap. For instance, if I created a kerberos ticket and then tried to run ldapsearch, I would then get the following error:
root@services:~# export KRB5CCNAME=/tmp/host.tkt root@services:~# ldapsearch -vvv ldap_initialize() SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information () root@services:~#
Here is what the server sees:
53261bde conn=1043 fd=19 ACCEPT from IP=192.168.1.181:44610 (IP=0.0.0.0:389) 53261bde conn=1043 op=0 EXT oid=1.3.6.1.4.1.1466.20037 53261bde conn=1043 op=0 STARTTLS 53261bde conn=1043 op=0 RESULT oid= err=0 text= 53261bde conn=1043 fd=19 TLS established tls_ssf=128 ssf=128 53261bde conn=1043 op=1 BIND dn="" method=163 53261bde SASL [conn=1043] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information () 53261bde conn=1043 op=1 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information () 53261bde conn=1043 op=2 UNBIND 53261bde conn=1043 fd=19 closed
Since I do not have many clever things to talk about and fill the space until the solution, how about if we talk about what some of those lines mean?
- IP=192.168.1.181:44610 (IP=0.0.0.0:389): Client 192.168.1.181 is connecting from its port 44610 to my port 389.
- oid=1.3.6.1.4.1.1466.20037: Start TLS extended request (per rfc2830).
- BIND dn="": anonymous if we are doing a SIMPLE bind. If we are however doing SASL bind, it is not used.
- tag=97: result from a client bind operation.
- oid=1.3.6.1.4.1.1466.20037: Start TLS extended request (per rfc2830).
As you noticed, at least from reading the title of this post, the error line is this generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information () thingie. Here is where it annoyed me to no end: what minor code? It is supposed to put some kind of message between the parenthesis, like "No principal in keytab matches desired name" or "Ticket expired". Then I would be able to search online for something. Instead, zilch. I could not find a single entry where the minor code parenthesis thingie was empty. Not very helpful today are we?
Solution
So, what was wrong? Me. User error. Do you remember how I was running slapd? Do you also remember the part about kerberos? Well, in the /etc/default/slapd (that'll be /etc/sysconfig/ldap for you RedHat/CentOS/Fedora folks) I have defined
export KRB5_KTNAME=/etc/ldap/ldap.keytab
which means ldap knows then where the keytab containing the ldap service principal hides. Can you see where this is going? No? Let's look again at how I am running slapd, shall we?
/usr/sbin/slapd -d 256 -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d
As you can see, I did not pass a KRB5_KTNAME to slapd. As soon as I fed that to slapd, all was once again well in the Land of Ooo.
No comments:
Post a Comment