CentOS 5 Server :: SASL Bind Failures - Invalid Credentials
Dec 14, 2009
I am setting up a cluster of servers which use Centos Directory Server for control of logins, etc and kerberos for authentication. The basic setup is working fine, I have been able to manually create accounts using the directory console and these accounts seem to work. Now what I want to do is automate the process of creating new accounts. I am writing a perl script which can be run by one of the server administrators, they supply a small number of arguments and it should create a new user in the directory server, and also create a principal in the kerberos.
I want them to be able to do this using their logged-in kerberos credentials, i.e., without having to enter and re-enter their passwords. My first attempt was to use perl modules Net::LDAP and Authen::SASL. I could not get this working so fell back to using ldap command line tools, but even these I cannot seem to get working! When using mozldap tools, as specified in the admin manual, I get the following:
Using openldap tools I strike exactly the same problem:
$ ldapmodify -Y GSSAPI -H LDAP://ldaphost.mycompany.com -D uid=eharmic,ou=mydept,dc=mycompany -U eharmic < ../ldapmod.txt
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-14): authorization failure:
I believe I have set up the mapping correctly:
dn: cn=MyMapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: MyMapping
nsSaslMapRegexString: ^(.+)@MYCOMPANY.COM
nsSaslMapBaseDNTemplate: ou=mydept,dc=mycompany
nsSaslMapFilterTemplate: (uid=1)
It must be getting reasonably far because after doing the above I can see the LDAP service ticket in my "klist" output.
I just tried to build my own samba/ldap server on opensuse 11.3 and i am continuously getting an invalid credentials error when doing the smbpasswd -a command. Below are my smb and ldap files.
smb.conf # Primary Domain Controller smb.conf # Global parameters [global] unix charset = utf8 workgroup = MERCDOMAIN netbios name = mercserver passdb backend =ldapsam:"ldap://mercserver.mercdomain.com" username map = /etc/samba/smbusers log level = 1 syslog = 0 log file = /var/log/samba/%m max log size = 0 #name resolve order = wins bcast hosts time server = Yes printcap name = CUPS add user script = /usr/sbin/smbldap-useradd -m '%u' delete user script = /usr/sbin/smbldap-userdel '%u' add group script = /usr/sbin/smbldap-groupadd -p '%g' delete group script = /usr/sbin/smbldap-groupdel '%g' add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u' delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u' set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' add machine script = /usr/sbin/smbldap-useradd -w '%u' logon script = logon.bat logon path = \mercserverprofiles\%u logon drive = H: domain logons = Yes domain master = Yes wins support = Yes # peformance optimization all users stored in ldap ldapsam:trusted = yes ldap suffix = dc=mercdomain,dc=com ldap machine suffix = ou=Computers,ou=Users ldap user suffix = ou=People,ou=Users ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap admin dn = cn=Manager,dc=mercserver,dc=com ldap ssl = off idmap backend = ldap://127.0.0.1 idmap uid = 10000-20000 idmap gid = 10000-20000 printer admin = root printing = cups
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba3.schema modulepath /usr/lib/openldap/modules/ # moduleload back_bdb.la
#access to attrs=userPassword,sambaLMPassword,sambaNTPassword # by self write # by dn="cn=Manager,dc=mercdomain,dc=com" write # by * auth #access to * # by dn="cn=Manager,dc=mercdomain,dc=com" write # by * read
# Indices to maintain index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uidNumber eq index gidNumber eq index memberUID eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub
I get the error: ldap_bind: Invalid credentials (49)
I feel like this is a pretty basic/default setup, I haven't changed anything else in /etc/openldap/slapd.conf but for some reason it's not authenticating using the rootpw and rootdn information that I've provided in the config file.
I have just installed openldap on my Red Hat server and it is running:
[code]...
However when I try to add my first ldif file base.ldif, no matter how many time I enter in the correct password I get invalid credentials [root@server init.d]# ldapadd -D "cn=Manager,dc=mathcs.duq,dc=edu" -W -f /home/oberlanderm/base.ldif Enter LDAP Password: ldap_bind: Invalid credentials (49) I have to be forgetting someting simple,
I followed the Wiki guide for configuring my Postfix server for SASL / TLS. I don't get any errors and I assume it's working but when I try and test SASL (saslauthd), I don't get the response noted according to the Wiki and I don't understand why.
I'm trying to expand my Courier+MySQL+Postfix+PostfixAdmin server to use SASL logins on Postfix so I can relay on my server. After following several guides I still can't get it to work: Postfix logs show the user transcript and end with "Authentication failure" but it does not tell me what told it that the login failed. The messages log show this:
Feb 19 22:48:55 sportlaan-server saslauthd[7254]: do_auth : auth failure: [user=berend] [service=smtp] [realm=mydomain.com] [mech=pam] [reason=PAM auth error] Which I don't get because I don't think it should be using PAM... I think...
The setup is similar to this one: http://www.howtoforge.org/virtual_users_postfix_courier_mailscanner_clamav_centos_p6 My SASL config has this in it: /usr/lib/sasl2/smtpd.conf pwcheck_method: saslauthd log_level: 3 authdaemond_path: /var/spool/authdaemon/socket mech_list: plain login
We have CentOS 5.3 and are using sendmail for outbound emails. We are trying to switch over to authsmtp service. Authsmtp requires sendmail built with SASL suport.
How do I find out if my sendmail has been built with SASL support? If it is not, is it easy to build it with SASL support?
I'm trying to set up an OpenLDAP server on a clean install of 10.04 server (AMD64). Following the server guide [URL] I get down to the "Setting up ACL" step: $ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W oldDatabase=hdb oldAccess This command fails with "ldap_bind: Invalid credentials (49)"
When I replace the dn with what it seems like it should be: $ ldapsearch -xLLL -b cn=config -D cn=admin,dc=example,dc=com -W oldDatabase=hdb oldAccess I get "No such object (32)" I have a feeling this is because 10.04 no longer asks you for the admin username and password during the initial debconf (nor does dpkg-reconfigure).
I can continue through the guide using this form of the commands (which were used earlier in the Guide): $ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=hdb olcAccess But I'm a little concerned that I'm not able to properly use the admin user to make LDAP changes to the configuration. It also seems like the Server Guide ought to use the 'sudo ... -Y EXTERNAL' form of the commands throughout if cn=admin,cn=config isn't going to work.
I just wanted to checkout samba. So, I installed on a CentOS 5.5 64bit server. The version I used is 3.5.6. I followed this guide. [URL]. LDAP is working good. When I use the following command: (net groupmap list) I am getting the error.
Code: [root@server1 samba]# net groupmap list [2010/10/26 16:26:09.135901, 0] lib/smbldap.c:1151(smbldap_connect_system) failed to bind to server ldap://127.0.0.1 / with dn="cn=root,dc=mtm,dc=testdomain,dc=com" Error: Invalid credentials
[2010/10/26 16:26:39.180063, 0] passdb/pdb_ldap.c:3448(ldapsam_setsamgrent) ldapsam_setsamgrent: LDAP search failed: Time limit exceeded [2010/10/26 16:26:39.180109, 0] passdb/pdb_ldap.c:3523(ldapsam_enum_group_mapping) ldapsam_enum_group_mapping: Unable to open passdb I am sure that I have set the correct password in Code: smbpassword -w mypassword. Also, I can login to the LDAP thourgh PHPLDAPAdmin with the same password and the bind cn.
Here is my smb.conf Code: # Global parameters [global] ldap ssl = off nt acl support = yes socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE workgroup = TESTDOMAIN netbios name = SERVER1 security = user enable privileges = yes #interfaces = 192.168.5.11 #username map = /etc/samba/smbusers server string = Samba Server %v #security = ads encrypt passwords = Yes #min passwd length = 3 #pam password change = no #obey pam restrictions = No
# method 2: unix password sync = yes ldap passwd sync = no passwd program = /usr/sbin/smbldap-passwd -u "%u" passwd chat = "Changing * New password*" %n "*Retype new password*" %n "
log level = 10 syslog = 0 log file = /var/log/samba/log.%U max log size = 50 time server = Yes #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 mangling method = hash2 Dos charset = 850 Unix charset = ISO8859-1
logon script = logon.bat logon drive = H: logon home = logon path = domain logons = Yes domain master = Yes os level = 65 preferred master = Yes wins support = yes passdb backend = ldapsam:ldap://127.0.0.1/ ldap admin dn = cn=root,dc=mtm,dc=testdomain,dc=c om #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=c om ldap suffix = dc=mtm,dc=testdomain,dc=c om ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Computers #ldap idmap suffix = ou=Idmap add user script = /usr/sbin/smbldap-useradd -m "%u" #ldap delete dn = Yes delete user script = /usr/sbin/smbldap-userdel "%u" add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# printers configuration #printer admin = @"Print Operators" load printers = Yes create mask = 0640 directory mask = 0750 #force create mode = 0640 #force directory mode = 0750 #nt acl support = No printing = cups printcap name = cups deadtime = 10 guest account = nobody map to guest = Bad User dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd show add printer wizard = yes ; to maintain capital letters in shortcuts in any of the profile folders: preserve case = yes short preserve case = yes case sensitive = no
[netlogon] path = /home/netlogon/ browseable = No read only = yes
[profiles] path = /home/profiles read only = no create mask = 0600 directory mask = 0700 browseable = No guest ok = Yes profile acls = yes csc policy = disable # next line is a great way to secure the profiles #force user = %U # next line allows administrator to access all profiles #valid users = %U "Domain Admins"
I was reading over and checking the How to section on the Wiki for Postfix TLS / SASL. I followed it completely and everything seems to be working fine however I am confused about the following section:
smtpd_tls_security_level = may smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.cert[code].....
Anyone out there having expirience with iFolder. I've used the following tutorial: [URL] to install it. I used libflaim as a database (no LDAP). All web interfaces work well (admin, ifolder). I can create users and make folders. But when I try to login with a desktop client (windows or linux) I get an error message invalid credentials and this message in Simias.log:
I am setting up a LDAP server in Fedora 13 system. I did the installation of the packages of openldap-server, openldap-client and openldap-server-sql (beause I may use sql as backend, install first). However, when I did the setup check by command: dapadd -f stooges.ldif -xv -D "cn=StoogeAmin,o=stooges" -h 127.0.0.1 -w secret1
and always says: ldap_bind: Invalid credentials (49) I am using slapd.conf for test as below. I did check the password are same.
I installed openLdap on a debian machine for some testing. I followed the instructions here. [URL] Now when I try to do any thing it prompt me for password Which I do remember correctly. However it comes back with error.
Code:
~# ldapsearch cn=admin SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49)
i am trying to run bind in centos 6 and bind keeps giving me errors every time i check all of the configurations. the named.conf file works fine but the zone files keep giving me errors heres the contents of my named.conf file
Am running the latest CentOS5 with Bind. Bind will run for a period(time period unknown) the shutsdoown. We need to every day start the service. When the service starts there are no errors given.
I had centos 5-5 server with 6G of RAM and 4 core cpu 3GHZ i installed bind 9.7.1-p2 on my server with multi thread support there are a lot of dns requests on my server , about 2500 Packets/sec and 3Mbit UDP traffic but my server response week to most of them.
For example when i use nslookup or dig command to query Yahoo.com the response from server maybe deliver about 5 Sec or become timed out , but sometimes response time less than 1 sec!
I don't know why, perhaps kernel works week so i decided to do the following :
But the problem didn't solved
I previously had Freebsd with same version of bind and same configuration and everything worked fine.
don't find box of BIND so i was posting into this boxI have some problem when i config bind DNS for my domain and then i can't start named,this's error message
[root@server1 named]# service named restart Stopping named: [ OK ] Starting named:
I installed BIND 9.7.3 from source on Centos 5.5, and chrooted it, and I'm getting an error when I run 'service named status' I get a reply, but at the end it says 'named dead but pid file exists'
Here's the entire output:
[root@ns etc]# service named status version: 9.7.3 number of zones: 23 debug level: 0 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is OFF recursive clients: 0/0/1000 tcp clients: 0/100 server is up and running named dead but pid file exists Nothing is logged in /var/log/messages. Named is running and responding correctly. How can I get rid of this error?
i have xp and virtual guest centos 5.i install apache, bind, squid and webmin through xp, i can access URL...but when i start my squid, put the ip in the browser proxy settings, when i logon its ip turn to URL...I believe my bind is working. Though theres some little glitch. I dont know where.and i already put my servers bind ip to my winxp primary dns server settings.
I can't get the client server to authenticate to the openldap server. I can authenticate on the server itself though. I can su to, login and shh into the openldap server and become a ldap user. I just can't become an ldap user on the client.I didn't setup TLS/SSL. I can do that after I have it working. I'm using hashed passwords though. I don't have replication setup. I'm am tying to setup the most basic openldap environment then build from there. I have read the openldap section in the admin guide.
My setup at home.
Openldap server � light.deathnote.net -- 10.0.1.21 client server � vm-centos01.deathnote.net � 10.0.1.7 -- VM on virtualbox Virtualbox host � L (OS MAC) � 10.0.1.2 router (apple airport extreme) / default gatway � 10.0.1.1
All computer can reach the internet and ping each other. When I installed centos I disabled SELinux.I used these guids to setup my openldap.
[URL]
Below I have included some output from the files I'm using with openldap.
[root@vm-centos01 ~]# tail /var/log/messages Jul 2 09:25:33 vm-centos01 xfs: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)... Jul 2 09:25:49 vm-centos01 xfs: nss_ldap: failed to bind to LDAP server ldap://light.deathnote.net: Can't contact LDAP server Jul 2 09:25:49 vm-centos01 xfs: nss_ldap: failed to bind to LDAP server ldap://10.0.1.21/: Can't contact LDAP server
I have setup two BIND9 servers as slaves for an internal Windows domain. I receive messages in my logs about a Windows server not being the master for the slave domain on BIND. I have placed the allow-notify statement in the global options section of named.conf, as well as setting the IP address in the masters section of the zone. I'm confused as to why I'm still getting this error message.
I've been looking for a good tutorial for setting up a BIND DNS server for my local network. What I want to do is..Have BIND running on my home server receiving all DNS requests.Have certain zones (my.zone.lan) pointing to custom IP addresses (I.E. server.lan points to 192.168.{server IP})Zones that don't exist should be passed on to OpenDNS for processing.
Don't work nslookup from clients guest OS.I have LinuxMint 7 and I'm installed VirtualBox on her. I created three guests OS. Two CentOS and XP
Name The first CentOS linux1.starline.ca The second CentOS centos.starline.ca The third XP xp2.starline.ca[code].....
On the clients guest OS nslookup don't work. It write : timed out; no servers could be reached .What is going on? Why nslookup don't work from clients guest OS?On client machine in the file /etc/resolv.conf have record ameserver 168.135.88.2
I have installed bind with yum install bind bind-chroot.I am having query timeouts due to no ipv6 connectivity.Is there a way to re-compile and not loose the chroot structure?Or is there another way to disable ipv6 lookups?Example of issue resulting in ipv4 query timeout:
30-Dec-2010 17:52:03.226 client x.x.x.x#53593: view internal: query: paypal.com.cms.local IN A + 30-Dec-2010 17:52:03.227 client x.x.x.x#53594: view internal: query: paypal.com.cms.local IN AAAA + 30-Dec-2010 17:52:03.228 client x.x.x.x#53595: view internal: query: paypal.com IN A +
I installed bind & did not install chroot. I set up a fictional domain kelly.local. I am able to resolve FQDN (example: angus.kelly.local) in both dig & nslookup & ping on linux boxes.
I want to be able to resolve bare host names (example: angus) using bind. I get mixed results.
(1) linux boxes resolve bare host names & FQDNs just fine using nslookup & ping, but not dig. dig gives error:
I have updated bind using yum on a Centos 5.3 server, after restarting, I have this error now. Error in named configuration: zone localhost/IN: loaded serial 42 /var/named/mydomain.hosts:20: unknown RR type 'SPF' My version of is : bind.x86_64 30:9.3.6-16.P1.el5
