[python-ldap] Is it possible to bind using a kerberos keytab

Kev SMITH kev.smith at uk.bnpparibas.com
Tue Dec 30 13:43:56 CET 2014


Rob/Michael

Thanks for your replies thus far.

Some more info which will assist in this challenge...

(a) Kerberos environment is provided by centrify.com and its 'server suite standard edition'

1. Kerberos V5 keytab auth is working fine outside of python ldap 

# klist -fae
klist: No credentials cache found (ticket cache KCM:0)
root at buddy:/home/kev# /usr/share/centrifydc/bin/ldapsearch -YGSSAPI -Q -H ldap://buddy.com -b "dc=com, dc=buddy" "(&(objectclass=user)(displayname=BUDDYSVCA))"
ldap_sasl_interactive_bind_s: unknown LDAP result code (-50)
        additional info: SASL(-1): generic failure:

# /usr/share/centrifydc/kerberos/bin/kinit -kt /etc/buddy.keytab SVC.UX.BUDDY
# klist -fae
Ticket cache: KCM:0
Default principal: SVC.UX.BUDDY at BUDDY.COM

Valid starting     Expires            Service principal
12/30/14 12:07:21  12/30/14 22:07:21  krbtgt/BUDDY.COM at BUDDY.COM
        renew until 12/31/14 12:07:21, Flags: RIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
        Addresses: (none)
# /usr/share/centrifydc/bin/ldapsearch -YGSSAPI -Q -LLL -H ldap://buddy.com -b "dc=buddy,dc=com" "(&(objectclass=user)(displayname= SVC.UX.BUDDY))"
dn: CN= SVC.UX.BUDDY,OU=XX,OU=XX,OU=XX,OU=XX,DC=buddy,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

<snip>

2. I took Rob's test script and ran it through python interactive

Python 2.6.6 (r266:84292, Nov 21 2013, 10:50:32)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap, ldap.sasl, subprocess, sys
>>> kinit = '/usr/share/centrifydc/kerberos/bin/kinit'
>>> kinitopt = '-kt'
>>> keytab = '/etc/buddy.keytab'
>>> svca = 'SVC.UX.BUDDY'
>>>
>>> kinit_args = [ kinit, kinitopt, keytab, svca ]
>>> kinit = subprocess.Popen(kinit_args)
>>> output,error = kinit.communicate()
>>> print output
None
>>> print error
None
>>> adconn = ldap.initialize('ldap://buddy.com',trace_level=1)
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7eff762021b8> ldap://buddy.com - SimpleLDAPObject.set_option
((17, 3), {})
>>> ldap.set_option(ldap.OPT_REFERRALS, 1)
>>> ldap.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
>>> auth_tokens = ldap.sasl.gssapi()
>>> adconn.sasl_interactive_bind_s('', auth_tokens)
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7eff762021b8> ldap://buddy.comn - SimpleLDAPObject.sasl_interactive_bind_s
(('', <ldap.sasl.gssapi instance at 0x7eff76202e60>, None, None, 2), {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.6/site-packages/python_ldap-2.4.18-py2.6-linux-x86_64.egg/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.6/site-packages/python_ldap-2.4.18-py2.6-linux-x86_64.egg/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)', 'desc': 'Local error'}
>>> from subprocess import call
>>> call(['/usr/share/centrifydc/kerberos/bin/klist','-fae'])
Ticket cache: KCM:0
Default principal: SVC.UX.BUDDY at BUDDY.COM

Valid starting     Expires            Service principal
12/30/14 11:57:42  12/30/14 21:57:42  krbtgt/BUDDY.COM at BUDDY.COM
        renew until 12/31/14 11:57:42, Flags: RIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
        Addresses: (none)
0
>>> adconn.sasl_interactive_bind_s('', auth_tokens)
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7eff762021b8> ldap://euro.net.intra - SimpleLDAPObject.sasl_interactive_bind_s
(('', <ldap.sasl.gssapi instance at 0x7eff76202e60>, None, None, 2), {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.6/site-packages/python_ldap-2.4.18-py2.6-linux-x86_64.egg/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.6/site-packages/python_ldap-2.4.18-py2.6-linux-x86_64.egg/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)', 'desc': 'Local error'}
>>>

So - as you can see in example (1) the GSSAPI layer/keytab authentication appears to be working. However in example (2) the python ldap sasl_interactive_bind_s is failing even though there is a valid ticket.
Is it possible that python-ldap [2.4.18] does not support KCM [Kerberos V5 in-memory tickets] or requires rebuilding against the Centrify Kerberos libs?

My end goal is to be able to use python-ldap [2.4.18] to bind using SASL/keytabs with Microsoft AD running on Windows 2003 so that I can read and [eventually] write data. However, Rob's previous comments saying he never got it to work concern me.

Any other pointers/ideas?

Kev

-----Original Message-----
From: michael at stroeder.com [mailto:michael at stroeder.com] 
Sent: 25 December 2014 11:35
To: mailinglist0 at skurfer.com; Kev SMITH
Cc: python-ldap at python.org
Subject: Re: [python-ldap] Is it possible to bind using a kerberos keytab

Rob McBroom wrote:
> On 23 Dec 2014, at 11:23, Kev SMITH wrote:
> 
>> I am trying to bind to windows 2003 AD using a keytab - my code successfully
>> initialises the keytab, the ldap options but I just can not seem to get the
>> bind to work using a keytab.
>> Is this type of authentication supported?
> 
> Yes. I used to use it all the time, and while it would work with something
> like MIT Kerberos, I could never get it to work against AD. (We were on 2008.
> You might have better luck with 2003.)

I can confirm that this simply works provided your Kerberos setup is correct
at client and server side. With MS AD you have to carefully examine DNS
entries. Most times bad DNS entries are the culprit for non-functional Kerberos.

>     auth_tokens = ldap.sasl.gssapi()
>     adconn.sasl_interactive_bind_s('', auth_tokens)
> 
> That will use an existing Kerberos ticket. (Don't ask me how, because the
> `auth_tokens` object is identical with or without a ticket.)

Mainly the SASL library does all the magic under the hood if you have the
GSSAPI SASL plugin module installed.

Ciao, Michael.


___________________________________________________________
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is prohibited.

Please refer to http://www.bnpparibas.co.uk/en/email-disclaimer/ for additional disclosures.
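The procedure the thread describes (kinit from a keytab, then sasl_interactive_bind_s() with ldap.sasl.gssapi()), as an added example that is not code from the thread, from python-ldap or from Centrify. It is written for Python 3 against python-ldap and assumes the names used above (ldap://buddy.com, /etc/buddy.keytab, SVC.UX.BUDDY, realm BUDDY.COM) plus a hypothetical /usr/bin/kinit path. It adds the checks the interactive session skips: kinit's exit status (the session printed None/None because nothing was captured and the return code was never examined), the service principal the GSSAPI plugin will ask the KDC for, and a lookup from the LOCAL_ERROR 'info' text to a next step. The hint texts are the editor's reading of the standard Kerberos error messages, not output of any library.

```python
"""Keytab -> TGT -> python-ldap SASL/GSSAPI bind, with error checking.

Added example (not python-ldap's or Centrify's code).  Names such as
buddy.com, /etc/buddy.keytab and SVC.UX.BUDDY are taken from the thread;
/usr/bin/kinit is an assumed path.
"""
import os
import subprocess
import sys
from urllib.parse import urlsplit

try:
    import ldap          # python-ldap; only bind_with_keytab() needs it
    import ldap.sasl
except ImportError:      # keep the pure helpers importable without it
    ldap = None


def kinit_command(kinit_path, keytab, principal):
    """argv for 'kinit -kt <keytab> <principal>' (MIT-style syntax, which the
    Centrify kinit shown in the thread also accepts)."""
    return [kinit_path, "-kt", keytab, principal]


def ldap_host_from_uri(uri):
    """Host part of an LDAP URI, lower-cased, port stripped."""
    host = urlsplit(uri).hostname
    if not host:
        raise ValueError("no host in LDAP URI: %r" % uri)
    return host


def expected_service_principal(uri, realm):
    """Service principal the GSSAPI SASL plugin requests from the KDC, before
    any DNS canonicalisation the Kerberos library may apply: ldap/<URI host>@REALM.
    'Server not found in Kerberos database' means the KDC has no principal
    with the name it was asked for."""
    return "ldap/%s@%s" % (ldap_host_from_uri(uri), realm.upper())


# Editor's hints for the common GSSAPI minor-status texts (constructed).
HINTS = (
    ("Server not found in Kerberos database",
     "KDC has no ldap/<host> principal matching the URI host; use a domain "
     "controller FQDN that carries an ldap/ SPN and check forward/reverse DNS"),
    ("No Kerberos credentials available",
     "no usable ticket: kinit did not run, failed, or wrote to a credential "
     "cache other than the one python-ldap's Kerberos library reads"),
    ("Ticket expired", "TGT expired; re-run kinit from the keytab"),
)


def diagnose_sasl_failure(info):
    """Map the 'info' text of an ldap.LOCAL_ERROR to a next step, or None."""
    for needle, hint in HINTS:
        if needle in info:
            return hint
    return None


def bind_with_keytab(uri, realm, keytab, principal,
                     kinit_path="/usr/bin/kinit", ccache=None):
    """Obtain a TGT from the keytab, then SASL/GSSAPI-bind to uri.
    Returns (connection, authorization identity from LDAP Who Am I)."""
    env = dict(os.environ)
    if ccache:
        # A FILE: cache (e.g. FILE:/tmp/krb5cc_svc) is understood by every
        # Kerberos library, so forcing one sidesteps the question of whether
        # the library python-ldap links against can read a KCM: cache
        # written by a different vendor's kinit.
        env["KRB5CCNAME"] = ccache
        os.environ["KRB5CCNAME"] = ccache   # libldap reads this process's env
    proc = subprocess.run(kinit_command(kinit_path, keytab, principal),
                          env=env, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, universal_newlines=True)
    if proc.returncode != 0:            # the interactive session never checked this
        raise RuntimeError("kinit failed (rc=%d): %s"
                           % (proc.returncode, proc.stderr.strip()))
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    conn = ldap.initialize(uri)
    # Set options on the handle: ldap.set_option() changes library-wide
    # defaults that only apply to handles created after the call.
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_REFERRALS, 0)   # AD referrals would be chased with an anonymous bind
    try:
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    except ldap.LOCAL_ERROR as exc:
        info = exc.args[0].get("info", "") if exc.args else ""
        hint = diagnose_sasl_failure(info) or "see the GSSAPI minor code"
        raise RuntimeError("SASL bind to %s failed while requesting %s: %s (%s)"
                           % (uri, expected_service_principal(uri, realm), info, hint))
    return conn, conn.whoami_s()


if __name__ == "__main__":
    # usage: bind_keytab.py ldap://dc1.buddy.com BUDDY.COM /etc/buddy.keytab SVC.UX.BUDDY
    uri, realm, keytab, principal = sys.argv[1:5]
    connection, who = bind_with_keytab(uri, realm, keytab, principal)
    print("bound as", who)
```

The error in the session above, "Server not found in Kerberos database", is the KDC reporting that it has no principal for the name the client asked for, so the ticket in the cache is not the problem; the name the client requested is. Pointing the URI at a domain controller's FQDN (rather than the bare domain name) and confirming that forward and reverse DNS agree, as Michael suggests, is the first thing to try; the whoami_s() call at the end confirms which identity the bind actually produced.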


