On Fri, Jun 25, 2010 at 03:20:24PM +0400, Alexander Gordeev wrote:
> On Fri, 25 Jun 2010 13:10:52 +0200
> Sumit Bose <sb...@redhat.com> wrote:
> 
> > On Fri, Jun 25, 2010 at 02:35:19PM +0400, Alexander Gordeev wrote:
> > > On Fri, 25 Jun 2010 11:25:22 +0200
> > > Sumit Bose <sb...@redhat.com> wrote:
> > > 
> > > > On Fri, Jun 25, 2010 at 12:55:02PM +0400, Alexander Gordeev wrote:
> > > > > 
> > > > > Sorry, I didn't tell you that this log was from another machine, with
> > > > > its own key, and therefore I changed ldap_sasl_authid appropriately.
> > > > > On desktopvm everything is the same i.e. auth fails in the same way.
> > > > > 
> > > > > Seems I'll have to dive into debugging SASL... But maybe you have some
> > > > > hints for me? :)
> > > > > 
> > > > > 
> > > > > -- 
> > > > >   Alexander
> > > > 
> > > > If 
> > > > 
> > > > kinit -k -t /etc/krb5.keytab && ldapsearch
> > > > 
> > > > works on desktopvm you can try with the credential cache of sssd
> > > > /var/lib/sss/db/ccache_GNET (please check if the TGT is still valid
> > > > before you use it):
> > > > 
> > > > KRB5CCNAME=/var/lib/sss/db/ccache_GNET ldapsearch 
> > > > 
> > > > should work
> > > 
> > > Thanks!
> > > It works.
> > 
> > ok, you mean
> > 
> > KRB5CCNAME=/var/lib/sss/db/ccache_GNET ldapsearch
> > 
> > works, but sssd doesn't, right ?
> 
> Yes, exactly. :)
> Sorry for ambiguous statements.
> 
> > Please make sure to remove any other ccache file before calling
> > ldapsearch with sssd's ccache file. I'm not sure how clever the
> > underlying libraries try to be to find a valid TGT. Calling kdestroy
> > before the ldapsearch should be sufficient.
> 
> All the caches were cleaned before the test. But from my experience the
> underlying libraries don't try to fallback to other caches.
> 
> > > > If this works, then I think sssd does something wrong. If it does not
> > > > work, please compare the content of the ccache you get with 'kinit -k -t
> > > > /etc/krb5.keytab' with /var/lib/sss/db/ccache_GNET.

Can you check if the attached patch will fix your problem?

bye,
Sumit

> 
> 
> -- 
>   Alexander


From 9de4f6fddc0d1484ca554b3a3f9dab831106ff4e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Fri, 25 Jun 2010 17:50:56 +0200
Subject: [PATCH] Fix SASL authentication

---
 src/providers/ldap/sdap_async_connection.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async_connection.c 
b/src/providers/ldap/sdap_async_connection.c
index 14a1a4b..a0224a1 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -571,7 +571,7 @@ static int sdap_sasl_interact(LDAP *ld, unsigned flags,
 
         switch (in->id) {
         case SASL_CB_GETREALM:
-        case SASL_CB_AUTHNAME:
+        case SASL_CB_USER:
         case SASL_CB_PASS:
             if (in->defresult) {
                 in->result = in->defresult;
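Review bot: moving `SASL_CB_USER` into the defresult group is the substantive change here, and the reason is not visible anywhere in the hunk: `SASL_CB_USER` is the authorization identity (authzid), so handing it `ldap_sasl_authid` asked the server to authorize that name on top of the GSSAPI-authenticated one, while leaving it at the library default lets the server derive it from the authenticated principal. A one-line comment above `case SASL_CB_USER:` saying exactly that would keep the next reader from "fixing" the two case labels back. Also confirm the branch taken when `in->defresult` is NULL (it sits outside the shown context) assigns something non-NULL to `in->result`, since the group ends in `in->len = strlen(in->result);` and an empty-string default is the expected value for the authzid.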
@@ -580,7 +580,7 @@ static int sdap_sasl_interact(LDAP *ld, unsigned flags,
             }
             in->len = strlen(in->result);
             break;
-        case SASL_CB_USER:
+        case SASL_CB_AUTHNAME:
             if (state->sasl_user) {
                 in->result = state->sasl_user;
             } else if (in->defresult) {
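Review bot: with `SASL_CB_AUTHNAME` now served from `state->sasl_user`, the field name no longer matches what it carries (the authentication identity from `ldap_sasl_authid`, not the SASL "user"/authzid); rename it to something like `sasl_authid`, or at least comment it, so the mapping to the callback id stays obvious. The commit message should also record why the two labels were swapped, since "Fix SASL authentication" with an empty body gives a future bisector nothing to go on.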
-- 
1.7.0.1
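
The manual check in Sumit's reply (kdestroy, kinit -k -t /etc/krb5.keytab, ldapsearch, then the same ldapsearch against /var/lib/sss/db/ccache_GNET after confirming the TGT is still valid), scripted as an added example; it is not code from the thread or from sssd. The LDAP URI, the explicit `-Y GSSAPI`, the scratch ccache path, the network timeout and the root-DSE query are assumptions of this script; the thread's bare `ldapsearch` relied on ldap.conf defaults.

```shell
#!/bin/sh
# Added example, not part of the thread or of sssd. Runs the two legs of the
# diagnosis side by side:
#   1. fresh TGT from the host keytab in a private ccache, then a GSSAPI bind
#   2. the same bind reusing sssd's own ccache, after checking its TGT is valid
# Assumed values (not from the thread): LDAP_URI, the scratch ccache path, the
# root-DSE query and the explicit GSSAPI mechanism. Override via environment.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
SSSD_CCACHE=${SSSD_CCACHE:-/var/lib/sss/db/ccache_GNET}
LDAP_URI=${LDAP_URI:-ldap://ldap.example.test}          # assumption: set to your server
SCRATCH_CCACHE=${SCRATCH_CCACHE:-/tmp/sasl_check_ccache.$$}

# Return 0 only if the ccache at $1 holds a non-expired TGT.
# klist -s prints nothing and exits non-zero for a missing or expired cache,
# which is the "check if the TGT is still valid before you use it" step.
ccache_is_valid() {
    KRB5CCNAME="$1" klist -s 2>/dev/null
}

# GSSAPI bind using the ccache at $1, reading only the root DSE.
# Success means the SASL/GSSAPI bind worked; the search itself is trivial.
# A private KRB5CCNAME is the scripted form of "remove any other ccache first":
# the libraries are never offered a stale /tmp/krb5cc_* to pick up.
sasl_bind_with() {
    KRB5CCNAME="$1" ldapsearch -LLL -Y GSSAPI -H "$LDAP_URI" -o nettimeout=10 \
        -b "" -s base namingContexts >/dev/null 2>&1
}

# Leg 1: kinit -k -t <keytab> into the scratch cache, then bind with it.
check_keytab_leg() {
    rm -f "$SCRATCH_CCACHE"
    KRB5CCNAME="$SCRATCH_CCACHE" kinit -k -t "$KEYTAB" || return 1
    sasl_bind_with "$SCRATCH_CCACHE"
}

# Leg 2: sssd's cache, but only if its TGT has not expired (exit 2 otherwise,
# so an expired cache is not misreported as a SASL failure).
check_sssd_leg() {
    if ! ccache_is_valid "$SSSD_CCACHE"; then
        echo "sssd ccache $SSSD_CCACHE has no valid TGT" >&2
        return 2
    fi
    sasl_bind_with "$SSSD_CCACHE"
}

# Print the principal each cache was obtained for, which is the first thing to
# compare when one leg works and the other does not.
show_principals() {
    for cc in "$SCRATCH_CCACHE" "$SSSD_CCACHE"; do
        printf '%s: ' "$cc"
        KRB5CCNAME="$cc" klist 2>/dev/null | sed -n 's/^Default principal: //p'
        echo
    done
}

main() {
    if check_keytab_leg; then echo "keytab TGT:  bind OK"; else echo "keytab TGT:  bind FAILED"; fi
    if check_sssd_leg;   then echo "sssd ccache: bind OK"; else echo "sssd ccache: bind FAILED"; fi
    show_principals
    rm -f "$SCRATCH_CCACHE"
}

# Only run the checks when invoked as: sh sasl_check.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root (the host keytab is root-readable) with `sh sasl_check.sh run`. The two lines that matter are the OK/FAILED pair: "keytab OK, sssd OK" reproduces Alexander's result and points at sssd's own SASL handling rather than at Kerberos; "keytab OK, sssd FAILED" means the two caches differ and the printed principals are the place to start comparing.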

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
