Hi to all,
we have 4 ldap-providers, ldap1.example.net to ldap4.example.net. We are securing the replication via Kerberos, and everything works fine between the providers. But now we want to set up some consumers. Between the providers and the consumers a loadbalancer is located, so the consumers only connect to the loadbalancer and the loadbalancer chooses one of the providers. For the replication we put the fqdn of the loadbalancer into the configuration. The fqdn is ldap.example.net. We then created a host-principal and a service-principal for ldap.example.net, and we put the host-key into /etc/krb5.keytab of all ldap-providers, and the same with the service-key. So now all providers can use both their own keys and the keys of the loadbalancer. But it's not working :-(. In the log of the provider we see that the consumer connects. ldaps is working. But Kerberos failed with the following messages:
--------------------
SASL [conn=5032] Failure: GSSAPI Error: Miscellaneous failure (see
text) (Decrypt integrity check failed for checksum type
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96)
slapd[59382]: conn=5032 op=0 RESULT tag=97 err=49 qtime=0.000028 etime=0.017274 text=SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
--------------------
The same user we are using works without using the loadbalancer. If our solution is wrong, what would be the right way to use a loadbalancer
together with kerberos?
Stefan
________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
We created one keytab for each host and each service. One ldap-key for

Stefan Kania <stefan@kania-online.de> writes:

> we have 4 ldap-providers, ldap1.example.net to ldap4.example.net. We are
> securing the replication via Kerberos, and everything works fine between the
> providers. But now we want to set up some consumers. Between the
> providers and the consumers a loadbalancer is located, so the consumers
> only connect to the loadbalancer and the loadbalancer chooses one of the
> providers. For the replication we put the fqdn of the loadbalancer
> into the configuration. The fqdn is ldap.example.net. We then created a
> host-principal and a service-principal for ldap.example.net, and we put
> the host-key into /etc/krb5.keytab of all ldap-providers, and the same with
> the service-key. So now all providers can use both their own keys and the
> keys of the loadbalancer. But it's not working :-(.
Two things to check:

First, how did you put the service key for ldap/ldap.example.net onto each host? If you used ktadd via kadmin, you alas did not do that. Each time you downloaded the keytab entry, ktadd randomized the key again, so only the last host on which you put the key has a correct key and all of the rest have incorrect keys.

You have to either manually copy the keytab file between hosts without running ktadd again, or somehow use -norandkey to generate the keytab entry.

If that's not the problem, it used to be that you had to apply a one-line patch to Cyrus SASL to prevent it from forcing Kerberos to only use the keytab entry that it thought corresponded to the local hostname, which otherwise would prevent this trick from working. I thought Cyrus SASL upstream had finally taken that patch and included it in a release, but maybe you're using an old version of Cyrus SASL? I don't remember what error message that used to produce, though, so maybe this is a different problem.

We use Debian 11 and the packages from Debian. Do you have some more information about the patch?
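The first check above, the per-host ktadd re-randomizing the key, can be verified by comparing the key version number (kvno) the KDC holds for the load-balancer principal against the kvno in each provider's keytab. This is an added example, not code from the thread; the host and principal names come from the thread, while the realm EXAMPLE.NET and the command output it parses are constructed samples.

```shell
# Added example, not from the thread: compare the kvno the KDC holds for the
# load-balancer principal with the kvno each provider has in /etc/krb5.keytab.
# Names come from the thread; realm EXAMPLE.NET and all output below are constructed.
set -eu
LB_PRINC='ldap/ldap.example.net@EXAMPLE.NET'

# kdc_kvno: from `kadmin -q "getprinc $LB_PRINC"` output on stdin, print the
# kvno in its "Key: vno N, <enctype>" line.
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { sub(",", "", $3); print $3; exit }'
}
# keytab_kvnos: from `klist -kte /etc/krb5.keytab` output on stdin, print the
# distinct kvnos stored for principal $1 (the enctype column of -e is optional).
keytab_kvnos() {
    awk -v p="$1" 'NF > 1 && ($NF == p || $(NF - 1) == p) { print $1 }' |
        sort -un | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}
# keytab_matches_kdc: succeed when the KDC's kvno ($1) is among the keytab
# kvnos ($2). A provider failing this cannot decrypt tickets issued for
# ldap.example.net, the state left behind by running ktadd once per host.
keytab_matches_kdc() {
    for v in $2; do [ "$v" = "$1" ] && return 0; done
    return 1
}

# Constructed samples shaped like the real output: ldap1 still holds the key
# from an earlier ktadd (vno 5); ldap4 got the last one (vno 7), like the KDC.
KDC_OUT='Key: vno 7, aes256-cts-hmac-sha1-96
Key: vno 7, aes128-cts-hmac-sha1-96'
LDAP1_OUT='   3 01/02/2024 10:00:00 host/ldap1.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   5 01/02/2024 10:05:00 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)'
LDAP4_OUT='   7 01/02/2024 10:20:00 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   7 01/02/2024 10:20:00 ldap/ldap.example.net@EXAMPLE.NET (aes128-cts-hmac-sha1-96)'

# report: one "ok"/"STALE" line for provider $1 given its klist output $2.
report() {
    kdc=$(printf '%s\n' "$KDC_OUT" | kdc_kvno)
    kt=$(printf '%s\n' "$2" | keytab_kvnos "$LB_PRINC")
    if keytab_matches_kdc "$kdc" "$kt"; then echo "$1 ok (kvno $kdc)"
    else echo "$1 STALE (kdc kvno $kdc, keytab kvno ${kt:-none})"; fi
}
report ldap1 "$LDAP1_OUT"   # ldap1 STALE (kdc kvno 7, keytab kvno 5)
report ldap4 "$LDAP4_OUT"   # ldap4 ok (kvno 7)

# Fix: extract the entries once with -norandkey (kadmin.local only, so on the KDC),
# copy the file to each provider and merge it with ktutil rather than running ktadd again:
#   kadmin.local -q "ktadd -norandkey -k /tmp/lb.keytab ldap/ldap.example.net host/ldap.example.net"
#   printf 'rkt /etc/krb5.keytab\nrkt /tmp/lb.keytab\nwkt /etc/krb5.keytab.new\n' | ktutil
#   mv /etc/krb5.keytab.new /etc/krb5.keytab
```

On a real provider, pipe the output of `klist -kte /etc/krb5.keytab` and `kadmin -q "getprinc ldap/ldap.example.net"` into the two parsing functions instead of the constructed strings; matching kvnos on all four hosts rule out the ktadd problem and point at the Cyrus SASL keytab lookup instead.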