Wes Modes wrote:
> To clarify.
> To separate and modularize some of these services, we have three
> servers: A file server running Samba; A directory server running
> OpenLDAP to provide personal and group identities; and an authentication
> server running Kerberos (administered by another group). Samba connects
> to OpenLDAP through smbldap-tools. And OpenLDAP connects to the
> Kerberos server via SASL/GSSAPI.

smbldap-tools contacts the KDC (Kerberos server) and obtains a service ticket for the OpenLDAP server. In order for this to be possible there must be a service principal in the KDC database for the OpenLDAP service and a keytab containing the matching key(s) must be installed on the OpenLDAP server.

> When someone requests a Samba logon, Samba requests an LDAP bind, which
> in turn should use SASL to authenticate via Kerberos.

The service ticket for the OpenLDAP server is used to authenticate the connection between Samba and OpenLDAP.

> The connection between Samba and OpenLDAP is working swell. It is the
> Kerberos connection that has me flummoxed.

For what purpose is the OpenLDAP server communicating with the KDC?

> Simply put, OpenLDAP with SASL2 and GSSAPI support will be running on
> one server, while the Kerberos KDC will be running on another server. I
> haven't found any documents that address this not-so-wacky design.
>
> So when a document says, run kadmin.local,

kadmin.local is a version of the kadmin tool that works only on the local system.
If you are not on the local system you use the 'kadmin' tool.

> to generate a principal, that
> is not available to me. If I can ask specifically for what I want, I
> might be able to convince the kerberos administrators to do it for me,
> but I have to be pretty specific about what I want.

You have to explain what you want in this forum as well, otherwise you won't get
very many useful answers.

> The docs I'm referring to are
>
> Cyrus SASL for System Administrators
> http://www.sendmail.org/~ca/email/cyrus/sysadmin.html
> OpenLDAP 2.2 Administrator's Guide - Using SASL
> http://www.openldap.org/doc/admin22/guide.html#Using%20SASL
>
> Thank you for the OpenLDAP config suggestions. Those are more or less
> consistent with what I read.
> However, in several documents, it was suggested that before you try
> connecting OpenLDAP to Kerberos that you test to make sure your Kerberos
> configuration is working.

Again the question is connecting OpenLDAP to Kerberos for what purpose?

The KDC is not under your control so you do not have the ability to create new
principals or alter the configurations of the existing ones.

Are you really expecting the OpenLDAP server to establish a network channel
with the KDC? What messages are you expecting to have sent?

Or are you simply confused about the concept of a service principal and the
associated key?
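As an added example (not part of this thread), a Python check of the one artefact the reply says the OpenLDAP host must have: it parses an MIT-format keytab and confirms it holds a key for the service principal, assuming the conventional ldap/<fqdn>@REALM name. The host name, realm and key bytes below are constructed placeholders.

```python
import struct

def parse_keytab(data: bytes) -> list:
    """Parse an MIT keytab (magic 0x0502, big-endian) into principal/kvno/enctype dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off, parts = off + 2, []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, off)
            parts.append(data[off + 2:off + 2 + n].decode())
            off += 2 + n
        _ntype, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen             # skip the key material itself
        vno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides vno8 if nonzero
            vno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": vno, "enctype": etype, "timestamp": ts})
        off = end
    return entries

def has_service_key(data: bytes, principal: str, enctype: int = None) -> bool:
    """True if the keytab holds a key for `principal` (optionally of one enctype)."""
    return any(e["principal"] == principal and enctype in (None, e["enctype"])
               for e in parse_keytab(data))

def _entry(principal: str, kvno: int, etype: int, key: bytes) -> bytes:
    """Serialize one keytab entry; used only to build the constructed sample."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: host, realm and key bytes are placeholders, not real values.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("ldap/ldap.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32)
                 + struct.pack(">i", -8) + b"\x00" * 8      # a deleted slot
                 + _entry("ldap/ldap.example.com@EXAMPLE.COM", 3, 17, b"\x22" * 16))
```

`klist -k` on the OpenLDAP host produces the same listing; the kvno it shows must match the one the KDC holds for the principal, or the GSSAPI bind fails.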


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
