[lsc-users] GSSAPI auth

Francesco Malvezzi francesco.malvezzi at unimore.it
Tue Dec 10 14:43:17 CET 2013


Hi all,

I tested GSSAPI auth with a samba-4.1.2 active directory server.

There are a few files to edit:
1) create a ./etc/gsseg_jaas.conf with the following:

/**
 * Login Configuration for JAAS.
 *
 */
org.lsc.jndi.JndiServices {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};

2) soft-link your krb5.conf to ./etc/krb5.ini (ln -s /etc/krb5.conf ./etc/krb5.ini)

3) edit ./bin/lsc:
insert the line:
JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"
before the line in which lsc is launched, for instance:

[...]
JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"

build_classpath
build_parameters
"${JAVA_COMMAND}" $JAVA_OPTS -cp "$CLASSPATH" org.lsc.Launcher $PARAMETERS
[...]

4) modify lsc.xml <ldapConnection>:

<ldapConnection>
  <name>adsamba4-conn</name>
  <url>ldaps://pdc.example.org:636/dc=ad,dc=example,dc=org</url>
  <username>adminlsc@EXAMPLE.ORG</username>
  <password>not_really</password>
  <authentication>GSSAPI</authentication>
  <referral>IGNORE</referral>
  <derefAliases>NEVER</derefAliases>
  <version>VERSION_3</version>
  <pageSize>1000</pageSize>
  <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
  <tlsActivated>false</tlsActivated>
</ldapConnection>
Please note the username is in Kerberos style; it is not a DN. Please
remember to type the realm in UPPERCASE.

5) either kinit adminlsc@EXAMPLE.ORG or load the principal from a keytab

6) run command as usual.

Strangely lsc works with GSSAPI/LDAPS, while ldapsearch does not. If I run

ldapsearch -Y GSSAPI -H ldaps://pdc.example.org:636 -b dc=ad,dc=example,dc=org 'cn=jsmith'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
	additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used

But I don't face this issue with lsc. Good.

ciao,

Francesco
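The recipe above wires LSC's JNDI connector to the JDK's GSSAPI SASL client. The following stand-alone probe is an added example, not LSC's own code: it performs the same kind of bind directly with JNDI so the pieces can be tested outside LSC. It reuses the JAAS entry name from gsseg_jaas.conf and the host, base DN and principal from the lsc.xml above (all assumed to match your site); the credential callback handler, class and method names are this example's own. It also makes one setting explicit that the post leaves implicit: the JDK SASL client's `javax.security.sasl.qop` defaults to `auth` (authentication only), so it never asks for SASL sign or seal, which is why the Samba refusal seen with ldapsearch ("Sign or Seal are not allowed if TLS is used") does not appear from Java. cyrus-sasl negotiates the strongest protection by default; `ldapsearch -O maxssf=0` tells it not to negotiate integrity or confidentiality and gives the same behaviour over LDAPS.

```java
// Added example (not LSC code): minimal JNDI GSSAPI bind and search over LDAPS,
// mirroring the JAAS entry, system properties and <ldapConnection> settings above.
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.Sasl;

public class GssapiLdapsProbe {

    /** Hands a fixed principal and password to Krb5LoginModule (hypothetical helper). */
    static final class StaticCreds implements CallbackHandler {
        private final String principal;
        private final char[] password;

        StaticCreds(String principal, char[] password) {
            this.principal = principal;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);      // e.g. adminlsc@EXAMPLE.ORG, realm UPPERCASE
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Opens a GSSAPI-authenticated LDAP context; must run inside Subject.doAs(). */
    static DirContext bindGssapi(String url, String qop) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); // same factory as lsc.xml
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put(Context.REFERRAL, "ignore");                      // <referral>IGNORE</referral>
        env.put("java.naming.ldap.derefAliases", "never");        // <derefAliases>NEVER</derefAliases>
        // "auth" = authentication only, no SASL integrity/confidentiality layer.
        // This is the JDK default; over LDAPS the TLS layer already protects the session,
        // and Samba rejects a GSSAPI sign/seal request on top of TLS.
        env.put(Sasl.QOP, qop);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: GssapiLdapsProbe <principal@REALM> <password> [filter]");
            System.exit(2);
        }
        String principal = args[0];
        char[] password = args[1].toCharArray();
        String filter = args.length > 2 ? args[2] : "(cn=jsmith)";
        String url = "ldaps://pdc.example.org:636";               // assumed, as in lsc.xml above
        String base = "dc=ad,dc=example,dc=org";                  // assumed, as in lsc.xml above

        // Equivalents of steps 1-3 above: JAAS config, Kerberos config, credential fallback.
        System.setProperty("java.security.auth.login.config", "etc/gsseg_jaas.conf");
        System.setProperty("java.security.krb5.conf", "etc/krb5.ini"); // what the symlink in step 2 provides
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // Log in through the same JAAS entry name used in gsseg_jaas.conf.
        LoginContext lc = new LoginContext("org.lsc.jndi.JndiServices", new StaticCreds(principal, password));
        lc.login();
        try {
            Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
                DirContext ctx = bindGssapi(url, "auth");
                try {
                    SearchControls sc = new SearchControls();
                    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                    sc.setReturningAttributes(new String[] {"sAMAccountName"});
                    NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
                    while (results.hasMore()) {
                        System.out.println(results.next().getNameInNamespace());
                    }
                } finally {
                    ctx.close();
                }
                return null;
            });
        } finally {
            lc.logout();
        }
    }
}
```

To use an existing kinit ticket instead of a password, add `useTicketCache=true` to the Krb5LoginModule line of the JAAS entry; the callback handler is then not consulted for the password. Setting `Sasl.QOP` to `auth-int` or `auth-conf` in `bindGssapi` reproduces the Samba refusal from Java, which is a quick way to confirm that the QOP setting, not the TLS layer, is what distinguishes the working and failing clients.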

