Samba4 supported SASL mechanism

Hi,

First, thanks a lot for this great product! Very helpful!

My currently installed release version is 5.0-1 errata302 (installed on a KVM). Well, I’m trying to connect from a Linux machine to the UCS using a tool called msktutil (version 2.1 found on github) and I’m getting the following error:

Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)
	additional info: SASL(-4): no mechanism available: No worthy mechs found
Error: ldap_connect failed

On purpose, I didn’t include in this post all the options I used with msktutil (and kinit, krb5.conf) because those tools are too specific, but if needed, I can share them. Instead, I share with you the output of the more classical command “ldapsearch”, which produces a similar error when used with or without the ‘-Y’ option. Without the -Y the command works properly as follows (I get a response with the right content):

ldapsearch -v -LLL -D 'cn=administrator,cn=users,dc=example,dc=com' -w $(cat /usr/etc/openldap/ldap.passwd) -b 'cn=computers,dc=example,dc=com' cn=proxy

when explicitly specifying the SASL mechanism using the option -Y, the ldapsearch command returns errors as follows:

ldapsearch -v -LLL -D 'cn=administrator,cn=users,dc=example,dc=com' -w $(cat /usr/etc/openldap/ldap.passwd) -b 'cn=computers,dc=example,dc=com' -Y GSSAPI cn=proxy
ldap_initialize( <DEFAULT> )
ldap_sasl_interactive_bind: Unknown authentication method (-6)
	additional info: SASL(-4): no mechanism available: No worthy mechs found

As you can see, I’m using the SASL mechanism GSSAPI (with the -Y option).

My first question is: what SASL mechs are supported by UCS (samba4)?
My second question: maybe I’m completely on a wrong way. Any suggestions about what I should do to make it work?

FYI there is an option with msktutil that allows you to specify the SASL mechanisms, so that’s why I’m looking for the SASL mechanisms supported by UCS. Without any options, msktutil tries the following SASL mechanisms: GSS-SPNEGO and GSSAPI. But none of them works.

Thanks in advance and best regards,
UTM

Additional information: the content of my /usr/etc/openldap/ldap.conf is as follows:

DEREF never
REFERRALS on
VERSION 2
SASL_NOCANON off
SASL_CBINDING none
SASL_REALM EXAMPLE.COM
SASL_MECH GSS-SPNEGO
GSSAPI_SIGN off
GSSAPI_ENCRYPT off
GSSAPI_ALLOW_REMOTE_PRINCIPAL off
URI ldaps://dc.example.com:636
BASE dc=example,dc=com
BINDDN cn=administrator,cn=users,dc=example,dc=com
TLS_REQCERT demand
TLS_REQSAN demand
TLS_CRLCHECK none
TLS_CACERT /usr/etc/openldap/ldap-ca
# ldap-ca file found on the UCS server

BR

Hi to me (because nobody has replied yet) :slight_smile:

Well I found the error myself and I hope that the solution described below would be helpful to people having similar issues:

First, the root cause was that my kinit program wasn’t properly built. Actually the kinit program should be linked with the gss libraries. I recompiled the following open source programs, taking care of including gssapi in them:

  • gss-1.0.3: use the configuration option --enable-gssapi=/usr/include/gssapi
  • cyrus-sasl-2.1.28: the build process can now properly detect the availability of GSSAPI
  • krb5-1.19.2: kinit is then linked with right gss libraries.

Secondly, with SASL GSSAPI, sign or seal are not allowed if TLS is used. Then the URI to use should be ldap://dc.example.com and not ldaps://dc.example.com:636, so you need to modify your ldap.conf or use the option -H ldap://dc.example.com with the ldapsearch command.

Therefore the following command works like a charm:

ldapsearch -v -LLL -D 'cn=administrator,cn=users,dc=example,dc=com' -w $(cat /usr/etc/openldap/ldap.passwd) -b 'cn=computers,dc=example,dc=com' -H ldap://dc.example.com -Y GSSAPI cn=proxy

And consequently msktutil also works now!

Cheers
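Two checks a practitioner can run to answer the thread's questions directly, as an added example that is not part of the original posts: list the SASL mechanisms the DC actually advertises in its root DSE (question 1), and lint an ldap.conf for the combination the second post identifies as the culprit, a GSSAPI-family SASL_MECH together with an ldaps:// URI. The hostname dc.example.com and the config file path are assumed from the posts above.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes ldapsearch (OpenLDAP
# client tools) is installed; the DC name is taken from the posts above.

# Print the SASL mechanisms advertised in the root DSE of the given LDAP URI.
# An anonymous simple bind (-x) is used on purpose: we cannot yet authenticate
# with SASL, and the root DSE is readable without credentials on Samba AD.
# Usage: list_sasl_mechs ldap://dc.example.com
list_sasl_mechs() {
    ldapsearch -x -LLL -H "$1" -s base -b '' supportedSASLMechanisms \
        | sed -n 's/^supportedSASLMechanisms: //p'
}

# Return 0 (true) if the ldap.conf given as $1 combines SASL_MECH GSSAPI or
# GSS-SPNEGO with an ldaps:// URI, i.e. the setup that makes Samba reject the
# bind because sign/seal are not allowed on a TLS connection; 1 otherwise.
# Comment lines start with '#' in field 1 and therefore never match.
conf_has_gssapi_over_ldaps() {
    awk '
        toupper($1) == "SASL_MECH" && ($2 == "GSSAPI" || $2 == "GSS-SPNEGO") { gss = 1 }
        toupper($1) == "URI" && $2 ~ /^ldaps:\/\// { ldaps = 1 }
        END { exit !(gss && ldaps) }
    ' "$1"
}

# Stand-alone use: lint the system ldap.conf, then show what the DC offers.
if [ "${0##*/}" != "sh" ] && [ -z "${LDAP_LINT_NO_MAIN:-}" ]; then
    conf=/usr/etc/openldap/ldap.conf
    if [ -r "$conf" ] && conf_has_gssapi_over_ldaps "$conf"; then
        echo "$conf: GSSAPI/GSS-SPNEGO over ldaps:// -> switch URI to ldap:// (Samba refuses sign/seal over TLS)"
    fi
    command -v ldapsearch >/dev/null 2>&1 && list_sasl_mechs ldap://dc.example.com
fi
```

Run `list_sasl_mechs` against the DC before changing anything: if GSSAPI and GSS-SPNEGO are not in its output, the problem is server-side, not the client build or URI.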
