Hello,
I have a proprietary windows application trying to bind on my OpenLDAP server using GSSAPI with NTLMSSP mechanism, instead of Kerberos. Is it possible to support this on a (unix) OpenLDAP server?
Another option would be to make the software use GSSAPI + Kerberos instead. Let me further explain:
I have a working samba + openldap setup with many windows workstations. The said proprietary app has LDAP auth support, and according to its maker it works with Active Directory and Novell NDS. It does not support simple bind nor LDAPS (and probably not StartTLS either). We don't have access to the app's source code and help from its developers/tech-support is pretty unavailable.
Checking slapd's debug, we saw the app trying to use SASL+GSSAPI to bind. So we went on and configured a minimal Kerberos setup and SASL+GSSAPI support for OpenLDAP on a test ldap server. It seems to be working perfectly. We acquire a ticket and run ldapsearch from another machine using -Y GSSAPI bind and it works. Logs from slapd debug seem ok.
But that evil app still fails. Here's a piece from slapd debug log:
conn=1000 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af8813 end=0x7f73f6af8856 len=67
  0000: 60 84 00 00 00 3d 02 01 03 04 00 a3 84 00 00 00  `....=..........
  0010: 32 04 06 47 53 53 41 50 49 04 28 4e 54 4c 4d 53  2..GSSAPI.(NTLMS
  0020: 53 50 00 01 00 00 00 97 82 08 e2 00 00 00 00 00  SP..............
  0030: 00 00 00 00 00 00 00 00 00 00 00 06 01 b1 1d 00  ................
  0040: 00 00 0f                                          ...
ber_scanf fmt ({m) ber:
ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af881e end=0x7f73f6af8856 len=56
  0000: 00 84 00 00 00 32 04 06 47 53 53 41 50 49 04 28  .....2..GSSAPI.(
  0010: 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 82 08 e2  NTLMSSP.........
  0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0030: 06 01 b1 1d 00 00 00 0f                          ........
ber_scanf fmt (m) ber:
ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af882c end=0x7f73f6af8856 len=42
  0000: 00 28 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 82  .(NTLMSSP.......
  0010: 08 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0020: 00 00 06 01 b1 1d 00 00 00 0f                    ..........
ber_scanf fmt (}}) ber:
ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af8856 end=0x7f73f6af8856 len=0
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=GSSAPI datalen=40
SASL [conn=1000] Failure: GSSAPI Error: An unsupported mechanism was requested (Unknown error)
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context"
send_ldap_response: msgid=11 tag=97 err=49
ber_flush2: 87 bytes to sd 13
  0000: 30 55 02 01 0b 61 50 0a 01 31 04 00 04 49 53 41  0U...aP..1...ISA
  0010: 53 4c 28 2d 31 33 29 3a 20 61 75 74 68 65 6e 74  SL(-13): authent
  0020: 69 63 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a  ication failure:
  0030: 20 47 53 53 41 50 49 20 46 61 69 6c 75 72 65 3a   GSSAPI Failure:
  0040: 20 67 73 73 5f 61 63 63 65 70 74 5f 73 65 63 5f   gss_accept_sec_
  0050: 63 6f 6e 74 65 78 74                              context
ldap_write: want=87, written=87
  0000: 30 55 02 01 0b 61 50 0a 01 31 04 00 04 49 53 41  0U...aP..1...ISA
  0010: 53 4c 28 2d 31 33 29 3a 20 61 75 74 68 65 6e 74  SL(-13): authent
  0020: 69 63 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a  ication failure:
  0030: 20 47 53 53 41 50 49 20 46 61 69 6c 75 72 65 3a   GSSAPI Failure:
  0040: 20 67 73 73 5f 61 63 63 65 70 74 5f 73 65 63 5f   gss_accept_sec_
  0050: 63 6f 6e 74 65 78 74                              context
conn=1000 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
(btw, this is slapd 2.4.21, from a 10.04 ubuntu package)
I believe the application uses Windows SSPI, and I know SSPI supports several GSSAPI mechanisms, including NTLMSSP and Kerberos. I'm afraid Windows is auto-selecting NTLMSSP because it's running on a pre-Windows 2000 domain (non-AD, in this case, Samba). Hoping to make Windows use Kerberos instead, I've also tried publishing some SRV records on DNS. I have sniffed DNS queries from the workstation while the app tries to login, caught only one _ldap._tcp SRV request, registered that ... and nothing has changed.
I don't know how I could force the app to use GSSAPI + Kerberos without touching its source code. And I can't find much about a unix NTLM(SSP)-as-a-mechanism-of-GSSAPI implementation. Maybe there's something inside samba4 or in Likewise software, but I haven't found it yet.
So ... does somebody have any advice or info?
Thanks in advance,
Diego Morales +55 (51) 3024-3568 Propus Informática LTDA. http://www.propus.com.br
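The ber_dump above already answers what the client is sending: the SASL mechanism name is "GSSAPI", but the credential blob inside it begins with the literal signature "NTLMSSP\0", i.e. a raw NTLM NEGOTIATE message rather than a GSS-API initial context token (which would start with 0x60 followed by a mechanism OID). The following decoder, added here as an example and not code from the post or from OpenLDAP, rebuilds the 67 bytes from the first ber_dump in the log, walks the BER BindRequest, and reports which kind of token was embedded. The mechanism OID table, the offsets for the NTLM message fields and the VERSION structure follow RFC 2743 and MS-NLMP; the extra Kerberos test token at the end is constructed for illustration.

```python
"""Decode a slapd ber_dump of an LDAP BindRequest and identify whether the
SASL "GSSAPI" credentials carry a raw NTLMSSP message or a GSS-API
InitialContextToken (Kerberos / SPNEGO)."""
import re

# The first ber_dump from the post (the full 67-byte BindRequest), re-split
# into the lines slapd printed.
SLAPD_BER_DUMP = """\
0000: 60 84 00 00 00 3d 02 01 03 04 00 a3 84 00 00 00 `....=..........
0010: 32 04 06 47 53 53 41 50 49 04 28 4e 54 4c 4d 53 2..GSSAPI.(NTLMS
0020: 53 50 00 01 00 00 00 97 82 08 e2 00 00 00 00 00 SP..............
0030: 00 00 00 00 00 00 00 00 00 00 00 06 01 b1 1d 00 ................
0040: 00 00 0f ...
"""

# Mechanism OIDs an SSPI client may wrap in a 0x60 InitialContextToken.
KNOWN_MECH_OIDS = {
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft legacy OID)",
    "1.3.6.1.5.5.2": "SPNEGO",
}

_HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")
_DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{4}:\s+(.*)$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Extract the byte column of ber_dump lines; the trailing ASCII column
    is dropped at the first token that is not a bare hex pair."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        for n, tok in enumerate(m.group(1).split()):
            if n == 16 or not _HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def read_tlv(buf: bytes, pos: int = 0):
    """Read one BER element -> (tag, value, next_pos). Long-form lengths are
    accepted: the Windows LDAP client writes 0x84 + 4 length bytes even for
    tiny elements (valid BER, not DER), as the dump shows."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length not supported")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def classify_token(token: bytes) -> dict:
    """Say what kind of blob sits inside SaslCredentials.credentials."""
    if token.startswith(b"NTLMSSP\x00"):          # MS-NLMP signature
        info = {
            "kind": "NTLMSSP",
            "message_type": int.from_bytes(token[8:12], "little"),  # 1 = NEGOTIATE
            "flags": int.from_bytes(token[12:16], "little"),
        }
        # NTLMSSP_NEGOTIATE_VERSION set -> VERSION structure at offset 32
        if info["flags"] & 0x02000000 and len(token) >= 40:
            v = token[32:40]
            info["client_version"] = (v[0], v[1], int.from_bytes(v[2:4], "little"))
        return info
    if token[:1] == b"\x60":                      # RFC 2743 3.1 InitialContextToken
        _, inner, _ = read_tlv(token)
        tag, oid, _ = read_tlv(inner)
        if tag != 0x06:
            raise ValueError("InitialContextToken without mechanism OID")
        dotted = decode_oid(oid)
        return {"kind": "GSS-API", "mech_oid": dotted,
                "mech_name": KNOWN_MECH_OIDS.get(dotted, "unknown")}
    return {"kind": "unknown"}


def parse_bind_request(msg: bytes) -> dict:
    """BindRequest ::= [APPLICATION 0] { version, name, authentication }."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(body)
    _, name, pos = read_tlv(body, pos)
    auth_tag, auth, _ = read_tlv(body, pos)
    # auth_tag 0xA3 = [3] SaslCredentials; slapd logs it as method=163
    result = {"version": version[0], "name": name.decode("utf-8"), "method": auth_tag}
    if auth_tag == 0xA3:
        _, mech, pos = read_tlv(auth)
        creds = b""
        if pos < len(auth):
            _, creds, _ = read_tlv(auth, pos)
        result["mechanism"] = mech.decode("ascii")
        result["token"] = classify_token(creds)
    return result


def analyze_dump(dump: str) -> dict:
    return parse_bind_request(hexdump_to_bytes(dump))


if __name__ == "__main__":
    print(analyze_dump(SLAPD_BER_DUMP))
```

Run against the dump in the post, this reports mechanism "GSSAPI" with an NTLMSSP NEGOTIATE token (message type 1) and, because the VERSION flag is set, the client's reported OS version 6.1 build 7601. That is exactly the combination the Cyrus SASL GSSAPI plugin rejects with "An unsupported mechanism was requested" when its GSS-API library only knows Kerberos: gss_accept_sec_context() expects an RFC 2743 token and gets a bare NTLM message instead.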
Diego Morales wrote:
> Hello,
> I have a proprietary windows application trying to bind on my OpenLDAP server using GSSAPI with NTLMSSP mechanism, instead of Kerberos. Is it possible to support this on a (unix) OpenLDAP server?
Yes, but this has nothing to do with OpenLDAP software. All of SASL/GSSAPI is handled by the Cyrus SASL library. The Cyrus GSSAPI implementation depends on the underlying GSSAPI library, which may be provided by MIT Kerberos or Heimdal Kerberos. The Heimdal library definitely supports GSSAPI/NTLMSSP, I'm not sure if the MIT library does or not.
It sounds like your installation is not using Heimdal.
> Another option would be to make the software use GSSAPI + Kerberos instead. Let me further explain:
> I have a working samba + openldap setup with many windows workstations. The said proprietary app has LDAP auth support, and according to its maker it works with Active Directory and Novell NDS. It does not support simple bind nor LDAPS (and probably not StartTLS either). We don't have access to the app's source code and help from its developers/tech-support is pretty unavailable.
> Checking slapd's debug, we saw the app trying to use SASL+GSSAPI to bind. So we went on and configured a minimal Kerberos setup and SASL+GSSAPI support for OpenLDAP on a test ldap server. It seems to be working perfectly. We acquire a ticket and run ldapsearch from another machine using -Y GSSAPI bind and it works. Logs from slapd debug seem ok.
> But that evil app still fails. Here's a piece from slapd debug log:
> conn=1000 op=1 do_bind
> ber_scanf fmt ({imt) ber:
> ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af8813 end=0x7f73f6af8856 len=67
>   0000: 60 84 00 00 00 3d 02 01 03 04 00 a3 84 00 00 00  `....=..........
>   0010: 32 04 06 47 53 53 41 50 49 04 28 4e 54 4c 4d 53  2..GSSAPI.(NTLMS
>   0020: 53 50 00 01 00 00 00 97 82 08 e2 00 00 00 00 00  SP..............
>   0030: 00 00 00 00 00 00 00 00 00 00 00 06 01 b1 1d 00  ................
>   0040: 00 00 0f                                          ...
> ber_scanf fmt ({m) ber:
> ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af881e end=0x7f73f6af8856 len=56
>   0000: 00 84 00 00 00 32 04 06 47 53 53 41 50 49 04 28  .....2..GSSAPI.(
>   0010: 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 82 08 e2  NTLMSSP.........
>   0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   0030: 06 01 b1 1d 00 00 00 0f                          ........
> ber_scanf fmt (m) ber:
> ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af882c end=0x7f73f6af8856 len=42
>   0000: 00 28 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 82  .(NTLMSSP.......
>   0010: 08 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   0020: 00 00 06 01 b1 1d 00 00 00 0f                    ..........
> ber_scanf fmt (}}) ber:
> ber_dump: buf=0x7f73f6af8810 ptr=0x7f73f6af8856 end=0x7f73f6af8856 len=0
> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> conn=1000 op=1 BIND dn="" method=163
> do_bind: dn () SASL mech GSSAPI
> ==> sasl_bind: dn="" mech=GSSAPI datalen=40
> SASL [conn=1000] Failure: GSSAPI Error: An unsupported mechanism was requested (Unknown error)
> send_ldap_result: conn=1000 op=1 p=3
> send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context"
> send_ldap_response: msgid=11 tag=97 err=49
> ber_flush2: 87 bytes to sd 13
>   0000: 30 55 02 01 0b 61 50 0a 01 31 04 00 04 49 53 41  0U...aP..1...ISA
>   0010: 53 4c 28 2d 31 33 29 3a 20 61 75 74 68 65 6e 74  SL(-13): authent
>   0020: 69 63 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a  ication failure:
>   0030: 20 47 53 53 41 50 49 20 46 61 69 6c 75 72 65 3a   GSSAPI Failure:
>   0040: 20 67 73 73 5f 61 63 63 65 70 74 5f 73 65 63 5f   gss_accept_sec_
>   0050: 63 6f 6e 74 65 78 74                              context
> ldap_write: want=87, written=87
>   0000: 30 55 02 01 0b 61 50 0a 01 31 04 00 04 49 53 41  0U...aP..1...ISA
>   0010: 53 4c 28 2d 31 33 29 3a 20 61 75 74 68 65 6e 74  SL(-13): authent
>   0020: 69 63 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a  ication failure:
>   0030: 20 47 53 53 41 50 49 20 46 61 69 6c 75 72 65 3a   GSSAPI Failure:
>   0040: 20 67 73 73 5f 61 63 63 65 70 74 5f 73 65 63 5f   gss_accept_sec_
>   0050: 63 6f 6e 74 65 78 74                              context
> conn=1000 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
> (btw, this is slapd 2.4.21, from a 10.04 ubuntu package)
> I believe the application uses Windows SSPI, and I know SSPI supports several GSSAPI mechanisms, including NTLMSSP and Kerberos. I'm afraid Windows is auto-selecting NTLMSSP because it's running on a pre-Windows 2000 domain (non-AD, in this case, Samba). Hoping to make Windows use Kerberos instead, I've also tried publishing some SRV records on DNS. I have sniffed DNS queries from the workstation while the app tries to login, caught only one _ldap._tcp SRV request, registered that ... and nothing has changed.
> I don't know how I could force the app to use GSSAPI + Kerberos without touching its source code. And I can't find much about a unix NTLM(SSP)-as-a-mechanism-of-GSSAPI implementation. Maybe there's something inside samba4 or in Likewise software, but I haven't found it yet.
> So ... does somebody have any advice or info?
> Thanks in advance,
> Diego Morales +55 (51) 3024-3568 Propus Informática LTDA. http://www.propus.com.br
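The reply's point is that the mechanism set is decided by the GSS-API library the Cyrus SASL GSSAPI plugin was linked against, not by slapd. A quick way to see which library that is on a given server is to run ldd on the plugin and look at the shared-object names: MIT's GSS-API library is libgssapi_krb5.so, Heimdal's is libgssapi.so. The script below is an added example, not code from the thread or from Cyrus SASL; the plugin locations listed are the usual Debian/Ubuntu and RHEL paths and are assumptions, and the two ldd outputs embedded in it are constructed samples rather than captured from a real host.

```python
"""Report which GSS-API implementation backs the Cyrus SASL GSSAPI plugin
(libgssapiv2.so), since that library decides which mechanisms
gss_accept_sec_context() will accept."""
import os
import subprocess

# Assumed plugin locations (Debian/Ubuntu multiarch and older layouts, RHEL).
SASL_PLUGIN_CANDIDATES = [
    "/usr/lib/sasl2/libgssapiv2.so",
    "/usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so",
    "/usr/lib64/sasl2/libgssapiv2.so",
]

# Shared-object name prefixes that identify each GSS-API implementation.
# Checked in order: "libgssapi.so" must not swallow "libgssapi_krb5.so".
PROVIDER_SIGNATURES = [
    ("libgssapi_krb5.so", "MIT Kerberos"),
    ("libgssapi.so", "Heimdal"),
]

# Constructed samples of what `ldd libgssapiv2.so` prints on each flavour.
SAMPLE_LDD_MIT = (
    "\tlinux-vdso.so.1 =>  (0x00007fff2b1fe000)\n"
    "\tlibgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f4c2d6d8000)\n"
    "\tlibsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f4c2d4bd000)\n"
)
SAMPLE_LDD_HEIMDAL = (
    "\tlinux-vdso.so.1 =>  (0x00007fff1a3fe000)\n"
    "\tlibgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007f1e9f8d1000)\n"
    "\tlibheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007f1e9f6c7000)\n"
)


def classify_gssapi_provider(ldd_output: str) -> str:
    """Map ldd output for the SASL GSSAPI plugin to the GSS-API implementation."""
    for line in ldd_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        soname = fields[0]
        for prefix, provider in PROVIDER_SIGNATURES:
            if soname.startswith(prefix):
                return provider
    return "unknown"


def find_plugin(candidates=SASL_PLUGIN_CANDIDATES):
    """Return the first existing plugin path, or None if none is installed."""
    for path in candidates:
        if os.path.exists(path):
            return path
    return None


def check_local_install() -> str:
    """Run ldd on the installed plugin and classify it (needs a real host)."""
    plugin = find_plugin()
    if plugin is None:
        return "no libgssapiv2.so found (Cyrus SASL GSSAPI plugin not installed?)"
    out = subprocess.run(["ldd", plugin], capture_output=True, text=True, check=True).stdout
    return f"{plugin}: {classify_gssapi_provider(out)}"


if __name__ == "__main__":
    print("sample MIT plugin    :", classify_gssapi_provider(SAMPLE_LDD_MIT))
    print("sample Heimdal plugin:", classify_gssapi_provider(SAMPLE_LDD_HEIMDAL))
    print("this host            :", check_local_install())
```

On Debian-derived systems the plugin comes from either libsasl2-modules-gssapi-mit or libsasl2-modules-gssapi-heimdal, so the package name alone already tells you which side you are on; the ldd check is for hosts where the plugin was built locally or the package origin is unclear.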
openldap-technical@openldap.org