On 08/16/2016 10:51 PM, Alexander Bokovoy wrote:
> On Tue, 16 Aug 2016, David Kowis wrote:
>> On 08/15/2016 09:27 PM, David Kowis wrote:
>>> On 08/15/2016 08:05 PM, Rob Crittenden wrote:
>>>> David Kowis wrote:
>>>>> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>>>>>> This is weird as LDAP SASL & GSSAPI is a pretty standard thing.
>>>>>>
>>>>>> In any case, you can check server logs or use tcpdump/wireshark and
>>>>>> see if the error comes from the LDAP server or if it is a client side error.
>>>>>>
>>>>>> That would tell us where to focus.
>>>>>>
>>>>>
>>>>> Welp, I've got a pile of logs for you:
>>>>> https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0
>>>>>
>>>>> The last few lines are probably the relevant ones.
>>>>>
>>>>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97 nentries=0 etime=0
>>>>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
>>>>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
>>>>>
>>>>> Something tries to bind with no dn, and then fails.... I think?
>>>>
>>>> No, this is typical logging for GSSAPI (minus the error).
>>>>
>>>> The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
>>>> SASL GSSAPI package installed? In Fedora the package is
>>>> cyrus-sasl-gssapi.
>>>>
>>
>> Still trying to figure stuff out:
>>
>> root@freeipavm:/var/log/dirsrv/slapd-DARK-KOW-IS# ldapsearch -h localhost -p 389 -x -b "" -s base -LLL SupportedSASLMechanisms
>> dn:
>> SupportedSASLMechanisms: EXTERNAL
>>
>> Should I have more than just EXTERNAL when this happens? How do I debug
>> more about what SASL authentication stuff should be there? I'm having a
>> great deal of difficulty finding documentation for the 389 directory
>> server's SASL configuration. *If* that's even the place I should be
>> looking. How can I narrow this down more?
>
> 389-ds does dynamically include all supported SASL mechanisms returned
> by the CyrusSASL library. If you only get EXTERNAL, it means NO mechanisms
> were returned by your system SASL library. The attribute
> SupportedSASLMechanisms you see in the rootdse query above is read-only:
> it only shows which SASL mechanisms 389-ds knows about, but you cannot
> influence them via this attribute. You need to look at your CyrusSASL
> library system configuration.
>
> What does 'pluginviewer' output show? Here is what Fedora 24 reports
> when the following packages are installed:
> cyrus-sasl-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-md5-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-plain-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-gssapi-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-lib-2.1.26-26.2.fc24.x86_64
>
> # pluginviewer
> Installed and properly configured auxprop mechanisms are:
> sasldb
> List of auxprop plugins follows
> Plugin "sasldb" , API version: 8
> supports store: yes
>
> Installed and properly configured SASL (server side) mechanisms are:
> GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
> Available SASL (server side) mechanisms matching your criteria are:
> GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
> List of server plugins follows
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSS-SPNEGO, best SSF: 56, supports setpass: no
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD|SUPPORTS_HTTP
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
> Plugin "digestmd5" [loaded], API version: 4
> SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
> features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
> Plugin "crammd5" [loaded], API version: 4
> SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
> security flags: NO_ANONYMOUS|NO_PLAINTEXT
> features: SERVER_FIRST
> Plugin "login" [loaded], API version: 4
> SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
> security flags: NO_ANONYMOUS|PASS_CREDENTIALS
> features:
> Plugin "plain" [loaded], API version: 4
> SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
> security flags: NO_ANONYMOUS|PASS_CREDENTIALS
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "anonymous" [loaded], API version: 4
> SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
> security flags: NO_PLAINTEXT
> features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
>
> Installed and properly configured SASL (client side) mechanisms are:
> GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
> Available SASL (client side) mechanisms matching your criteria are:
> GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
> List of client plugins follows
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSS-SPNEGO, best SSF: 56
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSSAPI, best SSF: 56
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
> Plugin "digestmd5" [loaded], API version: 4
> SASL mechanism: DIGEST-MD5, best SSF: 128
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
> features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
> Plugin "EXTERNAL" [loaded], API version: 4
> SASL mechanism: EXTERNAL, best SSF: 0
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "crammd5" [loaded], API version: 4
> SASL mechanism: CRAM-MD5, best SSF: 0
> security flags: NO_ANONYMOUS|NO_PLAINTEXT
> features: SERVER_FIRST
> Plugin "login" [loaded], API version: 4
> SASL mechanism: LOGIN, best SSF: 0
> security flags: NO_ANONYMOUS|PASS_CREDENTIALS
> features: SERVER_FIRST
> Plugin "plain" [loaded], API version: 4
> SASL mechanism: PLAIN, best SSF: 0
> security flags: NO_ANONYMOUS|PASS_CREDENTIALS
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "anonymous" [loaded], API version: 4
> SASL mechanism: ANONYMOUS, best SSF: 0
> security flags: NO_PLAINTEXT
> features: WANT_CLIENT_FIRST
>

I think I know what's going on, but not why it's going on:

https://bugs.launchpad.net/ubuntu/+source/389-ds-base/+bug/1088822

This bug led me to wonder where the directory server was finding its
GSSAPI modules. For some reason dirsrv is looking in /usr/lib/sasl2 for
its sasl modules, when they're actually installed in
/usr/lib/i386-linux-gnu/sasl2

A symlink:

ln -s /usr/lib/i386-linux-gnu/sasl2 /usr/lib/sasl2

and then suddenly:

ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS

Should I file a new bug with ubuntu? Did I find some weird i386 only bug
that should've been fixed?

Thanks,
David Kowis

PS: sorry if this is a repost, I sent it before, but it doesn't seem to
be showing up on the list...
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
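The thread boils down to one diagnostic rule: the rootDSE attribute supportedSASLMechanisms is read-only and mirrors whatever Cyrus SASL returned, so "EXTERNAL only" means the library loaded no plugins, and the next question is where the plugin files actually are. The script below is an added example written for this page; it is not code from the thread, from 389-ds or from FreeIPA. It wraps the rootDSE query used in the thread in a parser, and then inspects candidate plugin directories read-only (it creates no symlinks). The plugin file name libgssapiv2.so and the candidate directory list are assumptions based on common Cyrus SASL layouts; the two LDIF samples are constructed to mirror the before/after answers shown above.

```shell
#!/bin/sh
# Added diagnostic example, not from the freeipa-users thread.
# Answers two questions: does the rootDSE advertise GSSAPI, and if not,
# which of the usual Cyrus SASL plugin directories really holds the plugin.

# Parse LDIF from
#   ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
# (read from stdin) and print one mechanism name per line.
mechs_from_rootdse() {
    sed -n 's/^[sS]upportedSASLMechanisms: *//p'
}

# Exit 0 if GSSAPI is among the mechanisms in the LDIF on stdin, else 1.
rootdse_has_gssapi() {
    mechs_from_rootdse | grep -qx 'GSSAPI'
}

# Print every directory (given as arguments) that contains the GSSAPI
# plugin. Assumption: the plugin file is named libgssapiv2.so.
# Exit 1 if none of the directories has it.
find_gssapi_plugin_dirs() {
    found=1
    for d in "$@"; do
        if [ -f "$d/libgssapiv2.so" ]; then
            printf '%s\n' "$d"
            found=0
        fi
    done
    return $found
}

# Constructed sample: the "only EXTERNAL" answer from the broken setup.
SAMPLE_BROKEN='dn:
supportedSASLMechanisms: EXTERNAL'

# Constructed sample: a healthy answer once the plugins are found.
SAMPLE_OK='dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN'

# Assumed candidate locations: Fedora/RHEL use /usr/lib64/sasl2, Debian
# and Ubuntu use the multiarch path, and /usr/lib/sasl2 is the legacy one.
CANDIDATE_DIRS="/usr/lib/sasl2 /usr/lib64/sasl2 \
/usr/lib/x86_64-linux-gnu/sasl2 /usr/lib/i386-linux-gnu/sasl2"

main() {
    if command -v ldapsearch >/dev/null 2>&1; then
        ldif=$(ldapsearch -h "${LDAP_HOST:-localhost}" -p 389 -x -b "" \
                          -s base -LLL supportedSASLMechanisms 2>/dev/null)
    else
        # No ldapsearch available: fall back to the constructed sample.
        ldif=$SAMPLE_BROKEN
    fi

    if printf '%s\n' "$ldif" | rootdse_has_gssapi; then
        echo "rootDSE advertises GSSAPI: Cyrus SASL plugins are being loaded"
    else
        echo "rootDSE lacks GSSAPI: looking for libgssapiv2.so in candidate dirs"
        # shellcheck disable=SC2086  # word splitting of the list is intended
        find_gssapi_plugin_dirs $CANDIDATE_DIRS \
            || echo "no libgssapiv2.so found; install the SASL GSSAPI plugin package"
    fi
}

main
```

If the script prints a directory that differs from the one the server library searches, that mismatch is the bug the thread describes; fix it through packaging (or a distribution bug report) rather than by hand-placed symlinks, so the plugin path stays consistent across upgrades.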
