[Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install
David Kowis
dkowis+freeipa at shrlm.org
Sat Aug 20 01:38:42 UTC 2016
On 08/16/2016 10:51 PM, Alexander Bokovoy wrote:
> On Tue, 16 Aug 2016, David Kowis wrote:
>> On 08/15/2016 09:27 PM, David Kowis wrote:
>>> On 08/15/2016 08:05 PM, Rob Crittenden wrote:
>>>> David Kowis wrote:
>>>>> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>>>>>> This is weird as LDAP SASL & GSSAPI is pretty standard thing.
>>>>>>
>>>>>> In any case, you can check server logs or use tcpdump/wireshark and
>>>>>> see if the
>>>>>> error somes from LDAP server or if it is client side error.
>>>>>>
>>>>>> That would tell us where to focus.
I think I know what's going on, but not why it's going on:
https://bugs.launchpad.net/ubuntu/+source/389-ds-base/+bug/1088822
This bug lead me to wonder where the directory server was finding it's
GSSAPI modules.
For some reason dirsrv is looking in /usr/lib/sasl2 for it's sasl
modules, when they're actually installed in /usr/lib/i386-linux-gnu/sasl2
A symlink:
ln -s /usr/lib/i386-linux-gnu/sasl2 /usr/lib/sasl2
and then suddenly:
ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS
Should I file a new bug with ubuntu? Did I find some weird i386 only bug
that should've been fixed?
Thanks,
David Kowis
PS: sorry if this is a repost, I sent it before, but it doesn't seem to
be showing up on the list...
>>>>>>
>>>>>
>>>>> Welp, I've got a pile of logs for you:
>>>>> https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0
>>>>>
>>>>> The last few lines are probably the relevant ones.
>>>>>
>>>>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl
>>>>> version=3 mech=GSSAPI
>>>>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97
>>>>> nentries=0 etime=0
>>>>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
>>>>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
>>>>>
>>>>>
>>>>> Something tries to bind with no dn, and then fails.... I think?
>>>>
>>>> No this is typical logging for GSSAPI (minus the error).
>>>>
>>>> The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
>>>> SASL GSSAPI package installed? In Fedora the package is
>>>> cyrus-sasl-gssapi.
>>>>
>>
>> Still trying to figure stuff out:
>>
>> root at freeipavm:/var/log/dirsrv/slapd-DARK-KOW-IS# ldapsearch -h
>> localhost -p 389 -x -b "" -s base -LLL SupportedSASLMechanisms
>> dn:
>> SupportedSASLMechanisms: EXTERNAL
>>
>>
>> Should I have more than just EXTERNAL when this happens? How do I debug
>> more about what SASL authentication stuff should be there? I'm having a
>> great deal of difficulty finding documentation for the 389 directory
>> server's SASL configuration. *If* that's even the place I should be
>> looking. How can I narrow this down more?
> 389-ds does dynamically include all supported SASL mechanisms returned
> by CyrusSASL library. If you only get EXTERNAL, it means NO mechanisms
> were returned by your system SASL library. The attribute
> SupportedSASLMechanisms you see in the rootdse query above is read-only:
> it only shows which SASL mechanisms 389-ds knows about but you cannot
> influence them via this attribute. You need to look at your CyrusSASL
> library system configuration.
>
> What does 'pluginviewer' output show? Here is what Fedora 24 reports
> when following packages are installed:
> cyrus-sasl-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-md5-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-plain-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-gssapi-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-lib-2.1.26-26.2.fc24.x86_64
>
> # pluginviewer Installed and properly configured auxprop mechanisms are:
> sasldb
> List of auxprop plugins follows
> Plugin "sasldb" , API version: 8
> supports store: yes
>
> Installed and properly configured SASL (server side) mechanisms are:
> GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
> Available SASL (server side) mechanisms matching your criteria are:
> GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
> List of server plugins follows
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSS-SPNEGO, best SSF: 56, supports setpass: no
> security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features:
> WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD|SUPPORTS_HTTP
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
> security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
> Plugin "digestmd5" [loaded], API version: 4
> SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
> features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
> Plugin "crammd5" [loaded], API version: 4
> SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
> security flags: NO_ANONYMOUS|NO_PLAINTEXT
> features: SERVER_FIRST
> Plugin "login" [loaded], API version: 4
> SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
> security flags: NO_ANONYMOUS|PASS_CREDENTIALS
> features:
> Plugin "plain" [loaded], API version: 4
> SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
> security flags: NO_ANONYMOUS|PASS_CREDENTIALS
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "anonymous" [loaded], API version: 4
> SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
> security flags: NO_PLAINTEXT
> features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
> Installed and properly configured SASL (client side) mechanisms are:
> GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
> Available SASL (client side) mechanisms matching your criteria are:
> GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
> List of client plugins follows
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSS-SPNEGO, best SSF: 56
> security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features:
> WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSSAPI, best SSF: 56
> security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
> Plugin "digestmd5" [loaded], API version: 4
> SASL mechanism: DIGEST-MD5, best SSF: 128
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
> features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
> Plugin "EXTERNAL" [loaded], API version: 4
> SASL mechanism: EXTERNAL, best SSF: 0
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "crammd5" [loaded], API version: 4
> SASL mechanism: CRAM-MD5, best SSF: 0
> security flags: NO_ANONYMOUS|NO_PLAINTEXT
> features: SERVER_FIRST
> Plugin "login" [loaded], API version: 4
> SASL mechanism: LOGIN, best SSF: 0
> security flags: NO_ANONYMOUS|PASS_CREDENTIALS
> features: SERVER_FIRST
> Plugin "plain" [loaded], API version: 4
> SASL mechanism: PLAIN, best SSF: 0
> security flags: NO_ANONYMOUS|PASS_CREDENTIALS
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "anonymous" [loaded], API version: 4
> SASL mechanism: ANONYMOUS, best SSF: 0
> security flags: NO_PLAINTEXT
> features: WANT_CLIENT_FIRST
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160819/8d2e6427/attachment.sig>
More information about the Freeipa-users
mailing list