LDAP, SASL GSSAPI, and group membership, rebind fails
Hello list, I'm experiencing difficulties with freeradius-3.0.11 when using Ldap-Group and SASL GSSAPI mechanism. rlm_ldap can successfully query for user accounts,binding anonyously and SASL GSSAPI. But when it queries for group membership, rebind operation fails, erroring: Strong(er) authentication required Server said: SASL:[GSSAPI]: Sign or Seal are required.. A subset of ldapsearch -X output: > Thu Sep 29 11:49:54 2016 : Debug: (0) files: Searching for user in group "IPMI Admins"
Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Reserved connection (0) Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND TMPL XLAT Thu Sep 29 11:49:54 2016 : Debug: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) Thu Sep 29 11:49:54 2016 : Debug: Parsed xlat tree: Thu Sep 29 11:49:54 2016 : Debug: literal --> (sAMAccountName= Thu Sep 29 11:49:54 2016 : Debug: if { Thu Sep 29 11:49:54 2016 : Debug: attribute --> Stripped-User-Name Thu Sep 29 11:49:54 2016 : Debug: } Thu Sep 29 11:49:54 2016 : Debug: else { Thu Sep 29 11:49:54 2016 : Debug: attribute --> User-Name Thu Sep 29 11:49:54 2016 : Debug: } Thu Sep 29 11:49:54 2016 : Debug: literal --> ) Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) Thu Sep 29 11:49:54 2016 : Debug: (0) files: --> (sAMAccountName=johndoe) Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND TMPL LITERAL Thu Sep 29 11:49:54 2016 : Debug: (0) files: Performing search in "DC=example,DC=org" with filter "(sAMAccountName=johndoe)", scope "sub" Thu Sep 29 11:49:54 2016 : Debug: (0) files: Waiting for search result... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://example.org/CN=Configuration,DC=example,DC=org Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI SASL/GSSAPI authentication started Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL challenge : Authorization Name Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL prompt : Please enter your authorization name Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL result : RADIUS1$@EXAMPLE.ORG Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : `??? *?H??????? Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : ???? Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech (null)... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : SASL username: RADIUS1$@EXAMPLE.ORG SASL SSF: 56 SASL data security layer installed. Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Bind successful Thu Sep 29 11:49:54 2016 : Debug: (0) files: User object found at DN "CN=johndoe,CN=Users,DC=example,DC=org" Thu Sep 29 11:49:54 2016 : Debug: (0) files: Checking for user in group objects Thu Sep 29 11:49:54 2016 : Debug: (&(cn=IPMI Admins)(objectClass=group)(member=%{control:Ldap-UserDn})) Thu Sep 29 11:49:54 2016 : Debug: Parsed xlat tree: Thu Sep 29 11:49:54 2016 : Debug: literal --> (&(cn=IPMI Admins)(objectClass=group)(member= Thu Sep 29 11:49:54 2016 : Debug: attribute --> LDAP-UserDN Thu Sep 29 11:49:54 2016 : Debug: literal --> )) Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND (&(cn=IPMI Admins)(objectClass=group)(member=%{control:Ldap-UserDn})) Thu Sep 29 11:49:54 2016 : Debug: (0) files: --> (&(cn=IPMI Admins)(objectClass=group)(member=CN\3djohndoe\2cCN\3dUsers\2cDC\3dexample\2cDC\3dorg)) Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND TMPL LITERAL Thu Sep 29 11:49:54 2016 : Debug: (0) files: Starting SASL mech(s): GSSAPI SASL/GSSAPI authentication started Thu Sep 29 11:49:54 2016 : Debug: (0) files: SASL challenge : Authorization Name Thu Sep 29 11:49:54 2016 : Debug: (0) files: SASL prompt : Please enter your authorization name Thu Sep 29 11:49:54 2016 : Debug: (0) files: SASL result : RADIUS1$@EXAMPLE.ORG Thu Sep 29 11:49:54 2016 : Debug: (0) files: Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: (0) files: SASL response : `??? *?H??????? Thu Sep 29 11:49:54 2016 : Debug: (0) files: Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: (0) files: SASL response : ???? Thu Sep 29 11:49:54 2016 : ERROR: (0) files: Bind with (anonymous) to ldap://ad1.example.org:389 failed: Strong(er) authentication required Thu Sep 29 11:49:54 2016 : ERROR: (0) files: Server said: SASL:[GSSAPI]: Sign or Seal are required.. Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Deleting connection (0) Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap: Closing libldap handle 0xb46810 Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Need 6 more connections to reach 10 spares Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Connecting to ldap://smbdc0.example.org:389 Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): New libldap handle 0xb46810 Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI SASL/GSSAPI authentication started Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL challenge : Authorization Name Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL prompt : Please enter your authorization name Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL result : RADIUS1$@EXAMPLE.ORG Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : `??? *?H??????? Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : ???? Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech (null)... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : SASL username: RADIUS1$@EXAMPLE.ORG SASL SSF: 56 SASL data security layer installed. Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Bind successful Thu Sep 29 11:49:54 2016 : Debug: (0) files: User is not a member of "IPMI Admins"
On Sep 29, 2016, at 3:04 PM, Tom Carroll <Thomas.Carroll@pnnl.gov> wrote:
Hello list,
I'm experiencing difficulties with freeradius-3.0.11 when using Ldap-Group and SASL GSSAPI mechanism.
rlm_ldap can successfully query for user accounts,binding anonyously and SASL GSSAPI. But when it queries for group membership, rebind operation fails, erroring:
Strong(er) authentication required Server said: SASL:[GSSAPI]: Sign or Seal are required..
Fix your LDAP server so that FreeRADIUS is allowed to search it. Typically this is done by making a read-only admin account in LDAP, and using that with FreeRADIUS. Alan DeKok.
Alan - On 09/29/2016 12:39 PM, Alan DeKok wrote:
Fix your LDAP server so that FreeRADIUS is allowed to search it. Typically this is done by making a read-only admin account in LDAP, and using that with FreeRADIUS.
That doesn't explain it. Why does the server successfully bind and search for to find user DN, than fails to bind when searching for group DNs? See below. Re-including freeradius -X output:
Thu Sep 29 11:49:54 2016 : Debug: (0) files: Searching for user in group "IPMI Admins" Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Reserved connection (0) Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND TMPL XLAT Thu Sep 29 11:49:54 2016 : Debug: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) Thu Sep 29 11:49:54 2016 : Debug: Parsed xlat tree: Thu Sep 29 11:49:54 2016 : Debug: literal --> (sAMAccountName= Thu Sep 29 11:49:54 2016 : Debug: if { Thu Sep 29 11:49:54 2016 : Debug: attribute --> Stripped-User-Name Thu Sep 29 11:49:54 2016 : Debug: } Thu Sep 29 11:49:54 2016 : Debug: else { Thu Sep 29 11:49:54 2016 : Debug: attribute --> User-Name Thu Sep 29 11:49:54 2016 : Debug: } Thu Sep 29 11:49:54 2016 : Debug: literal --> ) Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) Thu Sep 29 11:49:54 2016 : Debug: (0) files: --> (sAMAccountName=johndoe) Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND TMPL LITERAL Thu Sep 29 11:49:54 2016 : Debug: (0) files: Performing search in "DC=example,DC=lab" with filter "(sAMAccountName=johndoe)", scope "sub" Thu Sep 29 11:49:54 2016 : Debug: (0) files: Waiting for search result... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://example.lab/CN=Configuration,DC=cybernet,DC=lab Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI SASL/GSSAPI authentication started Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL challenge : Authorization Name Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL prompt : Please enter your authorization name Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL result : RADIUS1$@EXAMPLE.ORG Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : `??? *?H??????? Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : ???? Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech (null)... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : SASL username: RADIUS1$@EXAMPLE.ORG SASL SSF: 56 SASL data security layer installed. Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Bind successful Thu Sep 29 11:49:54 2016 : Debug: (0) files: User object found at DN "CN=johndoe,CN=Users,DC=example,DC=lab" Thu Sep 29 11:49:54 2016 : Debug: (0) files: Checking for user in group objects Thu Sep 29 11:49:54 2016 : Debug: (&(cn=IPMI Admins)(objectClass=group)(member=%{control:Ldap-UserDn})) Thu Sep 29 11:49:54 2016 : Debug: Parsed xlat tree: Thu Sep 29 11:49:54 2016 : Debug: literal --> (&(cn=IPMI Admins)(objectClass=group)(member= Thu Sep 29 11:49:54 2016 : Debug: attribute --> LDAP-UserDN Thu Sep 29 11:49:54 2016 : Debug: literal --> )) Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND (&(cn=IPMI Admins)(objectClass=group)(member=%{control:Ldap-UserDn})) Thu Sep 29 11:49:54 2016 : Debug: (0) files: --> (&(cn=IPMI Admins)(objectClass=group)(member=CN\3djohndoe\2cCN\3dUsers\2cDC\3dexample\2cDC\3dlab)) Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND TMPL LITERAL Thu Sep 29 11:49:54 2016 : Debug: (0) files: Starting SASL mech(s): GSSAPI SASL/GSSAPI authentication started Thu Sep 29 11:49:54 2016 : Debug: (0) files: SASL challenge : Authorization Name Thu Sep 29 11:49:54 2016 : Debug: (0) files: SASL prompt : Please enter your authorization name Thu Sep 29 11:49:54 2016 : Debug: (0) files: SASL result : RADIUS1$@EXAMPLE.ORG Thu Sep 29 11:49:54 2016 : Debug: (0) files: Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: (0) files: SASL response : `??? *?H??????? Thu Sep 29 11:49:54 2016 : Debug: (0) files: Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: (0) files: SASL response : ???? Thu Sep 29 11:49:54 2016 : ERROR: (0) files: Bind with (anonymous) to ldap://ad1.example.lab:389 failed: Strong(er) authentication required Thu Sep 29 11:49:54 2016 : ERROR: (0) files: Server said: SASL:[GSSAPI]: Sign or Seal are required.. Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Deleting connection (0) Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap: Closing libldap handle 0xb46810 Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Need 6 more connections to reach 10 spares Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Connecting to ldap://ad1.example.lab:389 Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): New libldap handle 0xb46810 Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI SASL/GSSAPI authentication started Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL challenge : Authorization Name Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL prompt : Please enter your authorization name Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL result : RADIUS1$@EXAMPLE.ORG Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : `??? *?H??????? Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : ???? Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech (null)... Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response : SASL username: RADIUS1$@EXAMPLE.ORG SASL SSF: 56 SASL data security layer installed. Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Bind successful Thu Sep 29 11:49:54 2016 : Debug: (0) files: User is not a member of "IPMI Admins"
On Sep 29, 2016, at 3:50 PM, Tom Carroll <Thomas.Carroll@pnnl.gov> wrote:
Alan -
On 09/29/2016 12:39 PM, Alan DeKok wrote: Fix your LDAP server so that FreeRADIUS is allowed to search it. Typically this is done by making a read-only admin account in LDAP, and using that with FreeRADIUS.
That doesn't explain it. Why does the server successfully bind and search for to find user DN, than fails to bind when searching for group DNs? See below.
Ask your LDAP server. FreeRADIUS doesn't produce this message. Your LDAP server produces it. So... If you want to fix the problem, fix your LDAP server
Re-including freeradius -X output:
Please don't waste my time. I read that in the first message. There is no need to include it again. As a hint for future questions, if you're asking questions here, it means you don't have the answer. So it's rude to question the people who do know the answer, and are kind enough to help you. Alan DeKok.
On 09/29/2016 01:13 PM, Alan DeKok wrote:
On 09/29/2016 12:39 PM, Alan DeKok wrote: Fix your LDAP server so that FreeRADIUS is allowed to search it. Typically this is done by making a read-only admin account in LDAP, and using that with FreeRADIUS.
That doesn't explain it. Why does the server successfully bind and search for to find user DN, than fails to bind when searching for group DNs? See below.
Ask your LDAP server. FreeRADIUS doesn't produce this message. Your LDAP server produces it.
So... If you want to fix the problem, fix your LDAP server
Okay, progress made. I've demonstrated the problem is the interaction between rlm_ldap, SASL GSSAPI, and Samba 4.3.x, 4.4.x, and 4.5.0 ldap_server. If ldap_server negotiates encryption via SASL, it will not allow subsequent SASL binds. After patching ldap_server, adjusting for logic flow, the server returns LDAP_UNWILLING_TO_PERFORM and reports SASL:[GSSAPI]: Sign or Seal are not allowed if SASL encryption has already been set up
Re-including freeradius -X output:
Please don't waste my time. I read that in the first message. There is no need to include it again.
As a hint for future questions, if you're asking questions here, it means you don't have the answer. So it's rude to question the people who do know the answer, and are kind enough to help you.
Alan, I didn't mean to offend your constitution. The supplied answer didn't agree with the runtime log artifacts and I was fishing for a different answer or to anchor a thoughtful discussion. I appreciated your help as it allowed me to quickly exclude possibilities and to demonstrate the real problem. ~ Tom
On Oct 3, 2016, at 2:01 PM, Tom Carroll <Thomas.Carroll@pnnl.gov> wrote:
Re-including freeradius -X output:
Please don't waste my time. I read that in the first message. There is no need to include it again.
As a hint for future questions, if you're asking questions here, it means you don't have the answer. So it's rude to question the people who do know the answer, and are kind enough to help you.
Alan, I didn't mean to offend your constitution. The supplied answer didn't agree with the runtime log artifacts and I was fishing for a different answer or to anchor a thoughtful discussion. I appreciated your help as it allowed me to quickly exclude possibilities and to demonstrate the real problem.
I help because I do want to make a difference. My frustration stems from the following kind of conversation: Q: Hi, I have a problem .... how do I fix it? A: Go here and do this... followed by that... Q: No, you're wrong! I won't do that. It's frustrating. And it deserves a blunt response of "stop playing games. Follow instructions, or else". I know most people don't *think* they're being troublesome with such a response. But... it's a problem. Alan DeKok.
On 29 Sep 2016, at 23:13, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 29, 2016, at 3:50 PM, Tom Carroll <Thomas.Carroll@pnnl.gov> wrote:
Alan -
On 09/29/2016 12:39 PM, Alan DeKok wrote: Fix your LDAP server so that FreeRADIUS is allowed to search it. Typically this is done by making a read-only admin account in LDAP, and using that with FreeRADIUS.
That doesn't explain it. Why does the server successfully bind and search for to find user DN, than fails to bind when searching for group DNs? See below.
Ask your LDAP server. FreeRADIUS doesn't produce this message. Your LDAP server produces it.
Or all the SASL/GSSAPI junk in between. Looks like the real complaint is that it's binding anonymously during a group check.
Thu Sep 29 11:49:54 2016 : ERROR: (0) files: Bind with (anonymous) to ldap://ad1.example.org:389failed: Strong(er) authentication required Thu Sep 29 11:49:54 2016 : ERROR: (0) files: Server said: SASL:[GSSAPI]: Sign or Seal are required..
That's probably the text representation of a libldap error, and it's complaining because it thinks an anonymous bind was attempted, even though during the SASL conversation an identity was provided... Can the OP open an issue on GitHub, with their LDAP config, and we'll try and figure out where the issue lies. If it's possible to do a packet capture without StartTLS or SSL that'd also be useful to include. Guessing the LDAP server in this case is AD, so even if it is a user configuration issue, it'd be good to figure out precisely what the issue is so we can include it in the documentation. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Tom Carroll