SiNotes-Grid

Sunday, April 23, 2006

    Cyrus SASL installation

    References:
    http://www.linuxfromscratch.org/hints/downloads/files/cyrus-sasl.txt
    http://www.linuxfromscratch.org/blfs/view/stable/postlfs/cyrus-sasl.html
    http://mah.everybody.org/docs/sasl-gssapi/
    http://www.bayour.com/LDAPv3-HOWTO.html

    1. Download Cyrus SASL from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
    The current release is "cyrus-sasl-2.1.21.tar.gz".
    2. Unpack the downloaded file. Because I only want to use the GSSAPI (Kerberos V5) mechanism, it is a good idea to disable the other mechanisms. Configure it using:
    ./configure --prefix=/usr/local/cyrus-SASL --enable-gssapi --with-gss_impl=mit --disable-cram --disable-digest --disable-otp

    3. make
    4. make install

    At the end of the installation, you will see the following message:
    * WARNING:
    * Plugins are being installed into /usr/local/cyrus-SASL/lib/sasl2,
    * but the library will look for them in /usr/lib/sasl2.
    * You need to make sure that the plugins will eventually
    * be in /usr/lib/sasl2 -- the easiest way is to make a
    * symbolic link from /usr/lib/sasl2 to /usr/local/cyrus-SASL/lib/sasl2,
    * but this may not be appropriate for your site, so this
    * installation procedure won't do it for you.
    *
    * If you don't want to do this for some reason, you can
    * set the location where the library will look for plugins
    * by setting the environment variable SASL_PATH to the path
    * the library should use.


    Cyrus SASL looks for the plugin libraries in /usr/lib/sasl2 by default, so the files installed under /usr/local/cyrus-SASL/lib/sasl2 must be reachable from /usr/lib/sasl2. The simplest way is to create a symbolic link in /usr/lib (run from that directory):
    cd /usr/lib && ln -s /usr/local/cyrus-SASL/lib/sasl2 .
    * If /usr/lib/sasl2 already existed before the installation, make sure to delete it first; otherwise ln -s creates the link inside the existing directory instead of replacing it.

    To test the installation of SASL, we can use the sample server/client programs, which are located in the sample directory of the Cyrus SASL source tree. They are not compiled by default, so they must be built manually; in /home/synew/download/cyrus-SASL/sample/ run:
    make sample-server
    make sample-client

    *Important*
    Before the test, configure /etc/hosts and /etc/sysconfig/network as follows if you haven't already.
    *********/etc/hosts*************************
    127.0.0.1 localhost.localdomain localhost
    163.1.26.6 ktang.ierc.ox.ac.uk ktang
    **********/etc/sysconfig/network*************
    NETWORKING=yes
    HOSTNAME=ktang.ierc.ox.ac.uk
    ********************************************
    1. Create "ktang/admin" as an administrator (or ordinary user) principal in the Kerberos database; more details about the Kerberos setup are available in my other post.
    2. # kinit ktang/admin
    This obtains a ticket from the Kerberos server for the user "ktang/admin", which is stored in your temporary credential cache (usually under /tmp). Use "klist" to inspect the ticket cache and "kdestroy" to delete everything in it.
    3. To use the sample server/client, a service principal is required in addition to the user principal. Suppose we want to add a new service named "ldap" on host "ktang.ierc.ox.ac.uk". Use the /usr/local/kerberos5/sbin/kadmin.local program:
    # kadmin.local
    listprincs
    ank -randkey ldap/ktang.ierc.ox.ac.uk    (create the service principal with a random key)
    ktadd ldap/ktang.ierc.ox.ac.uk           (generate a key for the principal and store it in /etc/krb5.keytab)
    quit

    Now we can start the sample server/client to do the test.
    In one session:
    ./sample-server -s ldap -p ../plugins/.libs
    In another session:
    ./sample-client -s ldap -n ktang.ierc.ox.ac.uk -u ktang/admin -p ../plugins/.libs
    Copy the output from each program into the other until "negotiation complete" is displayed.

    *********Possible problems********************

    1) DIGEST-MD5 is selected instead of GSSAPI, although GSSAPI is listed by the server.
    * GSSAPI is a stronger mechanism than DIGEST-MD5, so it should be chosen as the best one. Falling back to DIGEST-MD5 means something is wrong with the GSSAPI mechanism. If we reconfigure cyrus-sasl without the other mechanisms such as DIGEST-MD5, GSSAPI is unavoidably selected, and if the server has a problem with it you will instead see errors such as "GSSAPI negotiation failure".
    (You can re-configure SASL using:
    ./configure --prefix=/usr/local/cyrus-SASL --disable-cram --disable-digest --disable-otp --enable-gssapi --with-gss_impl=mit)


    2)lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (key version number mismatched)
    lt-sample-server: Starting SASL negotiation: generic failure (generic failure)
    * Use "klist -k /etc/krb5.keytab" and "kvno ldap/ktang.ierc.ox.ac.uk" to check whether the key version numbers of the service you are interested in match. Every time you add a new key with kadmin (ktadd), the kvno increases by 1.
    More details in http://www.bayour.com/LDAPv3-HOWTO.html

    3)lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    lt-sample-server: Starting SASL negotiation: generic failure (generic failure)
    * Make sure you have added the key to the correct keytab file. The default keytab in which principals are looked up is /etc/krb5.keytab. Use "klist -k /etc/krb5.keytab" to check the keys you added.
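    The following script is an added example, not part of the original post, that turns the checks for problems 2 and 3 into something repeatable: it parses the text that MIT `klist -k` and `kvno` print and reports whether the keytab holds the KDC's current key version. The two listings embedded in it are constructed samples, and the realm IERC.OX.AC.UK is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: check a keytab against the KDC
# for problems 2 and 3 above (kvno mismatch; principal absent from keytab).
# Parses the text MIT `klist -k` and `kvno` print. The listings below are
# constructed samples; the realm IERC.OX.AC.UK is an assumption.

# Constructed `klist -k /etc/krb5.keytab` output: ktadd was run twice for
# the ldap service, so the keytab holds kvno 3 and 4.
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ktang.ierc.ox.ac.uk@IERC.OX.AC.UK
   4 ldap/ktang.ierc.ox.ac.uk@IERC.OX.AC.UK
   2 host/ktang.ierc.ox.ac.uk@IERC.OX.AC.UK'
# Constructed `kvno ldap/ktang.ierc.ox.ac.uk` output: a later ktadd on the
# KDC bumped the key to kvno 5, which this keytab never received.
KVNO_OUT='ldap/ktang.ierc.ox.ac.uk@IERC.OX.AC.UK: kvno = 5'

# Print every key version the keytab holds for a principal, one per line.
# $1 = klist -k output, $2 = principal, with or without @REALM.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && ($2 == p || index($2, p "@") == 1) { print $1 }'
}

# Print the version the KDC currently reports. $1 = kvno output.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 keytab holds the KDC's current key; 1 versions differ
# (problem 2); 3 principal not in keytab (problem 3); 2 unparsable input.
# $1 = klist -k output, $2 = kvno output, $3 = principal.
keytab_check() {
    want=$(kdc_kvno "$2")
    [ -n "$want" ] || return 2
    have_any=
    for have in $(keytab_kvnos "$1" "$3"); do
        have_any=1
        [ "$have" = "$want" ] && return 0
    done
    [ -n "$have_any" ] || return 3
    return 1
}

# Stand-alone run against the constructed samples: status 1, problem 2.
keytab_check "$KLIST_OUT" "$KVNO_OUT" ldap/ktang.ierc.ox.ac.uk ||
    echo "keytab_check exit status $? (1 = kvno mismatch, 3 = no such principal)"
```

    On a real host, feed it the live output, e.g. `keytab_check "$(klist -k /etc/krb5.keytab)" "$(kvno ldap/ktang.ierc.ox.ac.uk)" ldap/ktang.ierc.ox.ac.uk`; a status of 1 means a fresh ktadd (followed by kdestroy, see problem 4) is needed.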

    4)lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (Decrypt integrity check failed)
    lt-sample-server: Starting SASL negotiation: authentication failure (authentication failure)
    * To avoid this error, use "kdestroy" to get rid of any old cached tickets first; otherwise the various Kerberos programs will continue to use an old ticket encrypted with the wrong (previous) key.
    More details in http://www.faqs.org/faqs/kerberos-faq/general/section-73.html

    5) On the client side, if you see the following:
    ............
    recieved 153 byte message
    C:
    Waiting for server reply...

    * It is *NOT* an error! What you should do is copy the "C: " line to the server side. Note that there is a space after "C:"!
    Reference: http://www.irbs.net/internet/cyrus-sasl/0506/0050.html
