[Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

David Kowis dkowis+freeipa at shlrm.org
Wed Aug 17 13:36:52 UTC 2016


On 08/16/2016 10:51 PM, Alexander Bokovoy wrote:
> On Tue, 16 Aug 2016, David Kowis wrote:
>> On 08/15/2016 09:27 PM, David Kowis wrote:
>>> On 08/15/2016 08:05 PM, Rob Crittenden wrote:
>>>> David Kowis wrote:
>>>>> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>>>>>> This is weird as LDAP SASL & GSSAPI is pretty standard thing.
>>>>>>
>>>>>> In any case, you can check server logs or use tcpdump/wireshark and
>>>>>> see if the error comes from the LDAP server or if it is a client side error.
>>>>>>
>>>>>> That would tell us where to focus.
>>>>>>
>>>>>
>>>>> Welp, I've got a pile of logs for you:
>>>>> https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0
>>>>>
>>>>> The last few lines are probably the relevant ones.
>>>>>
>>>>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97 nentries=0 etime=0
>>>>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
>>>>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
>>>>>
>>>>>
>>>>> Something tries to bind with no dn, and then fails.... I think?
>>>>
>>>> No this is typical logging for GSSAPI (minus the error).
>>>>
>>>> The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
>>>> SASL GSSAPI package installed? In Fedora the package is
>>>> cyrus-sasl-gssapi.
>>>>
>>
>> Still trying to figure stuff out:
>>
>> root@freeipavm:/var/log/dirsrv/slapd-DARK-KOW-IS# ldapsearch -h localhost -p 389 -x -b "" -s base -LLL SupportedSASLMechanisms
>> dn:
>> SupportedSASLMechanisms: EXTERNAL
>>
>>
>> Should I have more than just EXTERNAL when this happens? How do I debug
>> more about what SASL authentication stuff should be there? I'm having a
>> great deal of difficulty finding documentation for the 389 directory
>> server's SASL configuration. *If* that's even the place I should be
>> looking. How can I narrow this down more?
> 389-ds does dynamically include all supported SASL mechanisms returned
> by CyrusSASL library. If you only get EXTERNAL, it means NO mechanisms
> were returned by your system SASL library. The attribute
> SupportedSASLMechanisms you see in the rootdse query above is read-only:
> it only shows which SASL mechanisms 389-ds knows about but you cannot
> influence them via this attribute. You need to look at your CyrusSASL
> library system configuration.
> 
> What does 'pluginviewer' output show?
<snip>

root@freeipavm:/var/log# dpkg -l | grep sasl
ii  libsasl2-2:i386                   2.1.26.dfsg1-14build1  i386  Cyrus SASL - authentication abstraction library
ii  libsasl2-modules:i386             2.1.26.dfsg1-14build1  i386  Cyrus SASL - pluggable authentication modules
ii  libsasl2-modules-db:i386          2.1.26.dfsg1-14build1  i386  Cyrus SASL - pluggable authentication modules (DB)
ii  libsasl2-modules-gssapi-mit:i386  2.1.26.dfsg1-14build1  i386  Cyrus SASL - pluggable authentication modules (GSSAPI)
ii  libsasl2-modules-ldap:i386        2.1.26.dfsg1-14build1  i386  Cyrus SASL - pluggable authentication modules (LDAP)
ii  sasl2-bin                         2.1.26.dfsg1-14build1  i386  Cyrus SASL - administration programs for SASL users database


# saslpluginviewer
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 8
        supports store: yes

Installed and properly configured SASL (server side) mechanisms are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
List of server plugins follows
Plugin "scram" [loaded],        API version: 4
        SASL mechanism: SCRAM-SHA-1, best SSF: 0, supports setpass: yes
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "gs2" [loaded],  API version: 4
        SASL mechanism: GS2-IAKERB, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded],  API version: 4
        SASL mechanism: GS2-KRB5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSS-SPNEGO, best SSF: 56, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD|SUPPORTS_HTTP
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "ntlm" [loaded],         API version: 4
        SASL mechanism: NTLM, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features:
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
Installed and properly configured SASL (client side) mechanisms are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
List of client plugins follows
Plugin "scram" [loaded],        API version: 4
        SASL mechanism: SCRAM-SHA-1, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "gs2" [loaded],  API version: 4
        SASL mechanism: GS2-IAKERB, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|NEED_SERVER_FQDN|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded],  API version: 4
        SASL mechanism: GS2-KRB5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|NEED_SERVER_FQDN|GSS_FRAMING|CHANNEL_BINDING
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSS-SPNEGO, best SSF: 56
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "EXTERNAL" [loaded],     API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "ntlm" [loaded],         API version: 4
        SASL mechanism: NTLM, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: WANT_CLIENT_FIRST|SUPPORTS_HTTP
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: SERVER_FIRST
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST

I believe this is at least everything that's in your list, and maybe a
couple more. Any guesses as to what is preventing it from ending up in
the 389 Directory Server?

--
David Kowis
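The three checks run in this thread (read err=7 out of the access log, ask the rootDSE what it advertises, ask Cyrus SASL what it has loaded) fit together as one triage script. The script below is an added example and is not part of the original message or of the FreeIPA or 389-ds projects; it maps the access-log resultCode to its RFC 4511 name (authMethodNotSupported, which Rob refers to as LDAP_AUTH_METHOD_NOT_SUPPORTED), pairs each SASL BIND with its RESULT line, extracts the advertised and the library-configured mechanism lists, and reports which layer is missing GSSAPI. The sample log, LDIF and pluginviewer text are constructed from the output quoted above; the live_check function, its default hostname and the saslpluginviewer/pluginviewer command names are assumptions for a real run.

```shell
#!/bin/sh
# Added example (not from the thread): triage for a 389-ds access log that
# shows "BIND ... method=sasl ... mech=GSSAPI" followed by "RESULT err=7".
# Assumes POSIX sh, awk and grep. live_check additionally assumes OpenLDAP's
# ldapsearch and Cyrus SASL's pluginviewer (saslpluginviewer on Debian/Ubuntu).

# Constructed samples, mirroring the output quoted in the thread.
SAMPLE_ACCESS_LOG='[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97 nentries=0 etime=0
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND'

SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: EXTERNAL'

SAMPLE_PLUGINVIEWER='Installed and properly configured SASL (server side) mechanisms are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS'

# ldap_result_name CODE: RFC 4511 name for an LDAP resultCode.
ldap_result_name() {
  case "$1" in
    0)  echo success ;;
    7)  echo authMethodNotSupported ;;   # LDAP_AUTH_METHOD_NOT_SUPPORTED
    8)  echo strongerAuthRequired ;;
    48) echo inappropriateAuthentication ;;
    49) echo invalidCredentials ;;
    *)  echo "resultCode($1)" ;;
  esac
}

# sasl_bind_failures: read 389-ds access-log lines on stdin and print one line
# "conn=N MECH err=E (name)" per SASL BIND whose RESULT is non-zero.
# BIND and RESULT are separate log lines, so they are paired on conn= and op=.
sasl_bind_failures() {
  awk '
    /BIND / && /method=sasl/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^mech=/) mech[$3 " " $4] = substr($i, 6)
    }
    /RESULT / {
      key = $3 " " $4
      if (key in mech) {
        for (i = 1; i <= NF; i++) if ($i ~ /^err=/) err = substr($i, 5)
        if (err + 0 != 0) print $3, mech[key], err
        delete mech[key]
      }
    }' | while read -r conn mech err; do
      echo "$conn $mech err=$err ($(ldap_result_name "$err"))"
    done
}

# advertised_mechs: SASL mechanisms the server advertises in its rootDSE
# (LDIF on stdin). LDAP attribute names are case-insensitive, and ldapsearch
# echoes whatever case the caller typed, so compare case-insensitively.
advertised_mechs() {
  awk 'tolower($1) == "supportedsaslmechanisms:" { print $2 }'
}

# configured_server_mechs: mechanisms Cyrus SASL reports as installed and
# configured on the server side (pluginviewer output on stdin), one per line.
configured_server_mechs() {
  awk '/configured SASL \(server side\) mechanisms are:/ {
         getline; for (i = 1; i <= NF; i++) print $i; exit }'
}

# gssapi_gap ROOTDSE_LDIF PLUGINVIEWER_OUTPUT
#   returns 0: GSSAPI loaded by Cyrus SASL and advertised by the server
#           1: Cyrus SASL has it but the server does not advertise it (this thread)
#           2: Cyrus SASL itself has no GSSAPI server plugin
gssapi_gap() {
  printf '%s\n' "$2" | configured_server_mechs | grep -qx GSSAPI || return 2
  printf '%s\n' "$1" | advertised_mechs | grep -qix GSSAPI || return 1
  return 0
}

# live_check [HOST]: the same triage against a running server (assumed names).
live_check() {
  host="${1:-localhost}"
  rootdse=$(ldapsearch -H "ldap://$host" -x -b '' -s base -LLL supportedSASLMechanisms)
  viewer=$(saslpluginviewer 2>/dev/null || pluginviewer)
  rc=0; gssapi_gap "$rootdse" "$viewer" || rc=$?
  case $rc in
    0) echo "GSSAPI is loaded and advertised; the failure is elsewhere" ;;
    1) echo "Cyrus SASL has GSSAPI but ns-slapd does not advertise it: check which sasl2 plugin directory the ns-slapd process actually opens (for example strace -f -e openat on it) and its error log" ;;
    2) echo "Cyrus SASL has no GSSAPI server plugin: install the GSSAPI module package" ;;
  esac
  return $rc
}
```

Run against the thread's own output the script lands on return code 1: the library has GSSAPI, the server does not advertise it, which is exactly the split Alexander describes. Note that pluginviewer reports on the library and plugin directory the pluginviewer binary itself links against; the package list above shows every SASL module installed for i386, so whether the ns-slapd binary resolves the same plugin directory is one thing the return-code-1 hint is meant to rule out before digging further.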

