krb5_verify_user_opt failed

krb5_verify_user_opt failed

German Shorthair
I'm trying to get sasl to authenticate users.  I've got my kerberos
realm setup, and have a user added.  I can do kinit and get a ticket
for the user.

I can use testsaslauthd to authenticate fine with saslauthd running as:

/usr/local/sbin/saslauthd -a shadow

So, I restarted saslauthd with:

/usr/local/sbin/saslauthd -a kerberos5

ran testsaslauthd like:

./testsaslauthd -u jdoe -p somepass -r someschool.edu

The result is:

0: NO "authentication failed"

and I get the following error in syslog:

Sep  1 18:19:43 ldap-1 saslauthd[8633]: do_auth         : auth
failure: [user=jdoe] [service=imap] [realm=someschool.edu]
[mech=kerberos5] [reason=krb5_verify_user_opt failed]

Has anyone run into this issue?

I'm using:

Fedora Core 4
cyrus-sasl-2.1.22
db-4.3.28.NC
heimdal-0.7
openldap-2.2.26
openssl-0.9.8

An output of ktutil is:

[root@ldap-1 saslauthd]# /usr/heimdal/sbin/ktutil list
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
 1  des-cbc-md5              ldap/[hidden email]
 1  des-cbc-md4              ldap/[hidden email]
 1  des-cbc-crc              ldap/[hidden email]
 1  aes256-cts-hmac-sha1-96  ldap/[hidden email]
 1  des3-cbc-sha1            ldap/[hidden email]
 1  arcfour-hmac-md5         ldap/[hidden email]
 1  des-cbc-md5              host/[hidden email]
 1  des-cbc-md4              host/[hidden email]
 1  des-cbc-crc              host/[hidden email]
 1  aes256-cts-hmac-sha1-96  host/[hidden email]
 1  des3-cbc-sha1            host/[hidden email]
 1  arcfour-hmac-md5         host/[hidden email]

krb4:/etc/srvtab:

Vno  Type         Principal
 1  des-cbc-md5  ldap/[hidden email]
 1  des-cbc-md4  ldap/[hidden email]
 1  des-cbc-crc  ldap/[hidden email]
 1  des-cbc-md5  host/[hidden email]
 1  des-cbc-md4  host/[hidden email]
 1  des-cbc-crc  host/[hidden email]


Re: krb5_verify_user_opt failed

Buck Huppmann
On Wed, Sep 14, 2005 at 10:28:13PM -0400, German Shorthair wrote:

> Sep  1 18:19:43 ldap-1 saslauthd[8633]: do_auth         : auth
> failure: [user=jdoe] [service=imap] [realm=someschool.edu]
                        ^^^^^^^^^^^^
                        do you need a key for this in your keytab
                        (and in your realm database), maybe?

--buck

> [root@ldap-1 saslauthd]# /usr/heimdal/sbin/ktutil list
> FILE:/etc/krb5.keytab:
>
> Vno  Type                     Principal
>  1  des-cbc-md5              ldap/[hidden email]
>  1  des-cbc-md4              ldap/[hidden email]
>  1  des-cbc-crc              ldap/[hidden email]
>  1  aes256-cts-hmac-sha1-96  ldap/[hidden email]
>  1  des3-cbc-sha1            ldap/[hidden email]
>  1  arcfour-hmac-md5         ldap/[hidden email]
>  1  des-cbc-md5              host/[hidden email]
>  1  des-cbc-md4              host/[hidden email]
>  1  des-cbc-crc              host/[hidden email]
>  1  aes256-cts-hmac-sha1-96  host/[hidden email]
>  1  des3-cbc-sha1            host/[hidden email]
>  1  arcfour-hmac-md5         host/[hidden email]

Re: krb5_verify_user_opt failed

German Shorthair
I added the imap service and even ran testsaslauthd with host and ldap
as the service.  Here's the result:

Sep 15 17:07:55 ldap-1 saslauthd[30446]: do_auth         : auth
failure: [user=jdoe] [service=host] [realm=someschool.edu]
[mech=kerberos5] [reason=krb5_verify_user_opt failed]
Sep 15 17:08:01 ldap-1 saslauthd[30448]: do_auth         : auth
failure: [user=jdoe] [service=imap] [realm=someschool.edu]
[mech=kerberos5] [reason=krb5_verify_user_opt failed]
Sep 15 17:08:04 ldap-1 saslauthd[30450]: do_auth         : auth
failure: [user=jdoe] [service=ldap] [realm=someschool.edu
[mech=kerberos5] [reason=krb5_verify_user_opt failed]


On 9/15/05, Buck Huppmann <[hidden email]> wrote:

> On Wed, Sep 14, 2005 at 10:28:13PM -0400, German Shorthair wrote:
>
> > Sep  1 18:19:43 ldap-1 saslauthd[8633]: do_auth         : auth
> > failure: [user=jdoe] [service=imap] [realm=someschool.edu]
>                         ^^^^^^^^^^^^
>                         do you need a key for this in your keytab
>                         (and in your realm database), maybe?
>
> --buck
>
> > [root@ldap-1 saslauthd]# /usr/heimdal/sbin/ktutil list
> > FILE:/etc/krb5.keytab:
> >
> > Vno  Type                     Principal
> >  1  des-cbc-md5              ldap/[hidden email]
> >  1  des-cbc-md4              ldap/[hidden email]
> >  1  des-cbc-crc              ldap/[hidden email]
> >  1  aes256-cts-hmac-sha1-96  ldap/[hidden email]
> >  1  des3-cbc-sha1            ldap/[hidden email]
> >  1  arcfour-hmac-md5         ldap/[hidden email]
> >  1  des-cbc-md5              host/[hidden email]
> >  1  des-cbc-md4              host/[hidden email]
> >  1  des-cbc-crc              host/[hidden email]
> >  1  aes256-cts-hmac-sha1-96  host/[hidden email]
> >  1  des3-cbc-sha1            host/[hidden email]
> >  1  arcfour-hmac-md5         host/[hidden email]
>


Re: krb5_verify_user_opt failed

German Shorthair
I removed my old keytab and srvtab.  Removed the kerberos databases in
/var/heimdal and rebuilt my realm, keytab, and srvtab.  Everything
works fine now.

On 9/15/05, German Shorthair <[hidden email]> wrote:

> I added the imap service and even ran testsaslauthd with host and ldap
> as the service.  Here's the result:
>
> Sep 15 17:07:55 ldap-1 saslauthd[30446]: do_auth         : auth
> failure: [user=jdoe] [service=host] [realm=someschool.edu]
> [mech=kerberos5] [reason=krb5_verify_user_opt failed]
> Sep 15 17:08:01 ldap-1 saslauthd[30448]: do_auth         : auth
> failure: [user=jdoe] [service=imap] [realm=someschool.edu]
> [mech=kerberos5] [reason=krb5_verify_user_opt failed]
> Sep 15 17:08:04 ldap-1 saslauthd[30450]: do_auth         : auth
> failure: [user=jdoe] [service=ldap] [realm=someschool.edu
> [mech=kerberos5] [reason=krb5_verify_user_opt failed]
>
>
> On 9/15/05, Buck Huppmann <[hidden email]> wrote:
> > On Wed, Sep 14, 2005 at 10:28:13PM -0400, German Shorthair wrote:
> >
> > > Sep  1 18:19:43 ldap-1 saslauthd[8633]: do_auth         : auth
> > > failure: [user=jdoe] [service=imap] [realm=someschool.edu]
> >                         ^^^^^^^^^^^^
> >                         do you need a key for this in your keytab
> >                         (and in your realm database), maybe?
> >
> > --buck
> >
> > > [root@ldap-1 saslauthd]# /usr/heimdal/sbin/ktutil list
> > > FILE:/etc/krb5.keytab:
> > >
> > > Vno  Type                     Principal
> > >  1  des-cbc-md5              ldap/[hidden email]
> > >  1  des-cbc-md4              ldap/[hidden email]
> > >  1  des-cbc-crc              ldap/[hidden email]
> > >  1  aes256-cts-hmac-sha1-96  ldap/[hidden email]
> > >  1  des3-cbc-sha1            ldap/[hidden email]
> > >  1  arcfour-hmac-md5         ldap/[hidden email]
> > >  1  des-cbc-md5              host/[hidden email]
> > >  1  des-cbc-md4              host/[hidden email]
> > >  1  des-cbc-crc              host/[hidden email]
> > >  1  aes256-cts-hmac-sha1-96  host/[hidden email]
> > >  1  des3-cbc-sha1            host/[hidden email]
> > >  1  arcfour-hmac-md5         host/[hidden email]
> >
>
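
The check suggested in the first reply (does the keytab hold a key for the service named in the failure?) can be scripted against the two outputs posted in this thread. This is an added example, not code from the thread or from Cyrus SASL; it assumes, as that reply does, that the `service=` value in the log line is the principal to look for, and the sample log and keytab text are constructed, with placeholder host and realm names.

```python
import re

# Constructed sample, modelled on the failure lines in the thread (mail-wrapped,
# one record with the closing "]" of the realm field missing).
SAMPLE_LOG = """\
Sep 15 17:07:55 ldap-1 saslauthd[30446]: do_auth         : auth
failure: [user=jdoe] [service=host] [realm=someschool.edu]
[mech=kerberos5] [reason=krb5_verify_user_opt failed]
Sep 15 17:08:01 ldap-1 saslauthd[30448]: do_auth         : auth
failure: [user=jdoe] [service=imap] [realm=someschool.edu]
[mech=kerberos5] [reason=krb5_verify_user_opt failed]
Sep 15 17:08:04 ldap-1 saslauthd[30450]: do_auth         : auth
failure: [user=jdoe] [service=ldap] [realm=someschool.edu
[mech=kerberos5] [reason=krb5_verify_user_opt failed]
"""
# Constructed `ktutil list` output; host and realm names are placeholders.
SAMPLE_KEYTAB = """\
Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  ldap/ldap-1.example.test@EXAMPLE.TEST
  1  des3-cbc-sha1            ldap/ldap-1.example.test@EXAMPLE.TEST
  1  aes256-cts-hmac-sha1-96  host/ldap-1.example.test@EXAMPLE.TEST
"""
# [key=value] field; also accepts a field whose "]" was lost before the next "[".
FIELD = re.compile(r"\[(\w+)=([^\[\]]*?)\s*(?:\]|(?=\[))")

def parse_failures(log_text):
    """Return one dict of fields per saslauthd do_auth failure record."""
    flat = " ".join(log_text.split())          # undo mail/syslog line wrapping
    records = [dict(FIELD.findall(chunk)) for chunk in flat.split("do_auth")[1:]]
    return [r for r in records if "reason" in r]

def keytab_services(ktutil_text):
    """Map service name -> set of enctypes listed for it in the keytab."""
    services = {}
    for line in ktutil_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and "/" in parts[2]:
            services.setdefault(parts[2].split("/", 1)[0], set()).add(parts[1])
    return services

def triage(log_text, ktutil_text):
    """For each service in a kerberos5 failure, say whether the keytab has a key."""
    have = keytab_services(ktutil_text)
    verdicts = {}
    for rec in parse_failures(log_text):
        if rec.get("mech") == "kerberos5":
            svc = rec.get("service", "?")
            verdicts[svc] = "key present" if svc in have else "no key in keytab"
    return verdicts

if __name__ == "__main__":
    for service, verdict in triage(SAMPLE_LOG, SAMPLE_KEYTAB).items():
        print(f"{service}: {verdict}")
```

A "key present" verdict only rules out a missing principal: in this thread the failures continued with host and ldap keys listed, and stopped once the realm database, keytab and srvtab were rebuilt.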