kerberos authentication doesn't work against windows 2003 AD...


Kent Wu
Hi guys,

I used to write a program to authenticate
users against windows 2000 AD by using MIT
Kerberos/GSSAPI SDK as well as SUN LDAP SDK. Basically
what I did is to authenticate users against AD by
using kerberos before doing LDAP search operations.
It was working perfectly until I wanted to migrate the
2000 AD to 2003 a week ago.

While doing kerberos authentication against
AD 2003, the last step of ldap_sasl_bind_s() always
returns "invalid credentials" even though I've successfully
got TGT as well as the service ticket for LDAP (AD 2003). If
I type "klist" right before the last ldap_sasl_bind_s() step,
I can see the following and it's looking good.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Default principal: KWU@DOMAIN

Valid starting     Expires            Service principal
08/29/05 18:09:59  08/30/05 04:09:59  krbtgt/DOMAIN@DOMAIN
        renew until 08/30/05 18:09:59
08/29/05 18:10:01  08/30/05 04:09:59  ldap/AD-HOSTNAME.DOMAIN@DOMAIN
        renew until 08/30/05 18:09:59

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

However it still fails in the last ldap_sasl_bind_s() call.

My calling sequence is like this:

1. use Kerberos APIs to get/store TGT.
2. use GSS-API (gss_init_sec_context()) and LDAP SDK SASL
(ldap_sasl_bind_s()) to engage kerberos authentication.
Basically I pass "GSSAPI" to ldap_sasl_bind_s() call and it
requires a loop (a couple of handshaking steps) to complete
the whole authentication process. It was working all good until
the last ldap_sasl_bind_s() call....

I've looked high and low on the internet and tried a variety of
configurations on both the client and server side, however I ended up
with nothing. It's so weird that it works fine with AD 2000 but not
2003....

Can anyone help me out by sharing his/her own experience or
pointing me in the right direction?

Thanks a lot in advance!

-Kent

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: kerberos authentication doesn't work against windows 2003 AD...

brian.joh
SASL and the GSS-API are not easy to use.  They seem
overly complicated to me, and the documentation is
confusing.  I could only get them working by looking
at sample code.  I first looked at some Samba code,
but decided not to go that route.  Openldap
distributes a sample LDAP program which demonstrates
SASL/GSSAPI using the ldap_sasl_interactive_bind_s()
call.  I based my code off of that, because it has the
added benefit of not requiring the user to know their
LDAP DN (pass the username as something like
"[hidden email]").

Also, after you have bound you will obviously
perform other LDAP requests such as searches.
Sometimes, AD refers (redirects) these requests to
other LDAP servers (or the same server with a
different principal name).  If this happens, you also
need to set a rebind procedure with
ldap_set_rebind_proc().  This rebind procedure is a
callback function you define to supposedly bind to
any "referred" servers.  However, while messing
around with it, I noticed if you make your
rebind_proc just return 1, it will use your initial
TGT to acquire the necessary tickets to perform the
bind (which it should have done in the first place).
Don't ask me why this works.  I just happened to try
it after many hours of frustration.

Re: kerberos authentication doesn't work against windows 2003 AD...

Kent Wu
In reply to this post by Kent Wu
Hi guys,

        Thanks for all the inputs I've got so far. And
I've figured out the reason behind it. The reason is that
in the last ldap_sasl_bind_s() step, AD 2000 accepts the
DN format like "[hidden email]" however AD 2003 only
accepts format like "cn=Kent Wu,cn=Users,dc=blabla,dc=com".
Not sure why AD 2003 wants to change this criterion however
after I used the latter format it was working fine.

        The error message "Invalid credentials" was
referring to the wrong DN instead of bad password/key.
I was thinking in the total opposite direction before and
all of a sudden I came across this "wrong DN" idea!

Cheers.

-Kent

On Mon, 2005-08-29 at 19:13 -0700, Kent Wu wrote:
--
Kent Wu <[hidden email]>
XSIGO INC.
Re: kerberos authentication doesn't work against windows 2003 AD...

brian.joh
In reply to this post by Kent Wu
One last thing just popped in my head.  You might want to
run a packet sniffer (I use ethereal) while testing your
code.  Your situation sounds similar to one I encountered
a couple of months ago, and I have a hunch your code is
automatically rebinding to "referred" LDAP servers without
encrypting the username and password.  Obviously, that
would defeat the purpose of using SASL/GSSAPI.

In general, it's a good idea to run a packet sniffer when
testing/debugging any network application.

Re: kerberos authentication doesn't work against windows 2003 AD...
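The check Brian recommends above, watching the wire for a rebind that sends the username and password in the clear, can be made mechanical once you know how an LDAP BindRequest looks in BER. The following Python is an added example, not code from the thread or from either poster: it encodes two constructed BindRequest messages with a minimal BER encoder (one simple bind carrying a password, one SASL/GSSAPI bind), parses them back the way a sniffer dissector would, reports which authentication choice each uses, and classifies the bind identity as DN form or UPN form, the two formats Kent contrasts in his follow-up. The sample DN, password, message ids and GSSAPI token bytes are constructed; the tag values follow RFC 4511.

```python
"""Classify captured LDAP BindRequests: simple (cleartext) vs SASL.

Constructed example for the mailing-list thread above; not code from
either poster.  A real sniffer would hand classify_bind() the payload
of each TCP segment sent to port 389 (plain LDAP, not LDAPS).
"""
import re

# BER tags used by LDAPMessage / BindRequest (RFC 4511, section 4.2).
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # [0] simple: OCTET STRING -> password on the wire
TAG_AUTH_SASL = 0xA3      # [3] sasl: SEQUENCE { mechanism, credentials OPTIONAL }


def _tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite length (payload < 64 KiB)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at pos; return (tag, payload, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(msg_id: int, name: str, *, password: bytes = None,
                       mechanism: str = None, credentials: bytes = b"") -> bytes:
    """Encode an LDAPMessage carrying a BindRequest (simple or SASL)."""
    if password is not None:
        auth = _tlv(TAG_AUTH_SIMPLE, password)
    else:
        sasl = _tlv(TAG_OCTET_STRING, mechanism.encode())
        if credentials:
            sasl += _tlv(TAG_OCTET_STRING, credentials)
        auth = _tlv(TAG_AUTH_SASL, sasl)
    bind = (_tlv(TAG_INTEGER, bytes([3]))                 # LDAP version 3
            + _tlv(TAG_OCTET_STRING, name.encode()) + auth)
    id_bytes = msg_id.to_bytes(msg_id.bit_length() // 8 + 1, "big")
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, id_bytes) + _tlv(TAG_BIND_REQUEST, bind))


def identity_form(name: str) -> str:
    """Tell the two bind identities from the thread apart: DN vs UPN."""
    if not name:
        return "empty"                      # usual for SASL/GSSAPI binds
    if re.match(r"^[A-Za-z]+=", name):      # cn=Kent Wu,cn=Users,dc=...
        return "dn"
    if re.match(r"^[^@=,]+@[^@=,]+$", name):  # user@realm
        return "upn"
    return "other"


def classify_bind(packet: bytes) -> dict:
    """Parse one LDAPMessage and report what the bind exposes on the wire."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, raw_id, pos = _read_tlv(msg, 0)
    op_tag, bind, _ = _read_tlv(msg, pos)
    result = {"message_id": int.from_bytes(raw_id, "big")}
    if op_tag != TAG_BIND_REQUEST:
        return dict(result, op="not-a-bind")
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, auth, _ = _read_tlv(bind, pos)
    name_str = name.decode(errors="replace")
    result.update(version=version[0], name=name_str, name_form=identity_form(name_str))
    if auth_tag == TAG_AUTH_SIMPLE:
        # Anything here is the password as sent; non-empty means it leaked.
        result.update(auth="simple", cleartext_password=bool(auth))
    elif auth_tag == TAG_AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)
        result.update(auth="sasl", mechanism=mech.decode(), cleartext_password=False)
    else:
        result.update(auth="unknown", cleartext_password=False)
    return result


def find_cleartext_binds(packets) -> list:
    """Return (message_id, name) for every bind that carried a password."""
    return [(r["message_id"], r["name"]) for r in map(classify_bind, packets)
            if r.get("cleartext_password")]


if __name__ == "__main__":
    # Constructed capture: a GSSAPI bind followed by a referral rebind that
    # fell back to a simple bind, which is the leak Brian describes.
    capture = [
        build_bind_request(1, "", mechanism="GSSAPI", credentials=b"\x60\x00"),
        build_bind_request(2, "cn=Kent Wu,cn=Users,dc=example,dc=com", password=b"hunter2"),
    ]
    for p in capture:
        print(classify_bind(p))
    print("cleartext binds:", find_cleartext_binds(capture))
```

The fence on the left side of the check is deliberately narrow: a simple bind over plain LDAP is the only one of the two AuthenticationChoice alternatives whose payload is the password itself, so `cleartext_password` is true exactly when that OCTET STRING is non-empty. An empty simple bind is an anonymous bind, which the function reports as simple but not as a leak.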

Kent Wu
Thanks for the reminder and I'll give it a try then!

-Kent

On Wed, 2005-08-31 at 10:51 -0700, [hidden email] wrote:
Re: kerberos authentication doesn't work against windows 2003 AD...

swbell
In reply to this post by Kent Wu
in article [hidden email], Kent Wu at
[hidden email] wrote on 8/30/05 6:07 PM:

For the principal name format to work when binding, the user's Active
Directory record must have that string in the userPrincipalName attribute.
Some domains that got migrated from NT 4 don't have this info set.
