Subject: Re: Kerberos through loadbalancer
From: Stefan Kania
Newsgroups: comp.protocols.kerberos
Organization: Stefan Kania
Date: Fri, 20 May 2022 08:33 UTC
Attachments: smime.p7s (application/pkcs7-signature)
Here are the messages we get using ldapsearch on one of the consumers:
---------------
ldapsearch -H ldaps://ldap.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Invalid credentials (49)
    additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context


$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: search-repl@

Valid starting       Expires              Service principal
05/20/2022 09:46:35  05/20/2022 19:46:35  krbtgt/DE@DE
    renew until 05/21/2022 09:46:35
05/20/2022 09:46:50  05/20/2022 19:46:35  ldap/consumer01@DE
    renew until 05/21/2022 09:46:35
05/20/2022 09:47:07  05/20/2022 19:46:35  ldap/ldap1@DE
    renew until 05/21/2022 09:46:35
05/20/2022 09:47:24  05/20/2022 19:46:35  ldap/ldap@DE
    renew until 05/21/2022 09:46:35

---------------
As you can see we get the ticket for ldap.

Stefan

On 20.05.22 at 09:41, Stefan Kania wrote:
Hi to all,

we have 4 ldap-providers, ldap1.example.net to ldap4.example.net. We are
securing the replication via kerberos, and everything works fine between the
providers. But now we want to set up some consumers. Between the
providers and the consumers a loadbalancer is located, so the consumers
only connect to the loadbalancer and the loadbalancer chooses one of the
providers. For the replication we put the fqdn of the loadbalancer
into the configuration. The fqdn is ldap.example.net. We then created a
host-principal and a service-principal for ldap.example.net and we put
the host-key into /etc/krb5.keytab of all ldap-providers, the same with
the service-key. So now all providers can use both their own keys and the
keys from the loadbalancer. But it's not working :-(. In the log of the
provider we see that the consumer connects. ldaps is working. But
kerberos failed with the following messages:
--------------------
SASL [conn=5032] Failure: GSSAPI Error:  Miscellaneous failure (see
text) (Decrypt integrity check failed for checksum type
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96)

slapd[59382]: conn=5032 op=0 RESULT tag=97 err=49 qtime=0.000028
etime=0.017274 text=SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context

--------------------
The same user we are using works without using the loadbalancer. If our
solution is wrong, what would be the right way to use a loadbalancer
together with kerberos?

Stefan

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
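The failure quoted in the thread (the consumer obtains a ticket for the shared SPN, yet the provider reports "Decrypt integrity check failed") is what a service sees when the key in its keytab is not the key the KDC encrypted the ticket with. As an added example that is not part of the thread, the script below cross-checks the key version (kvno) of a load-balanced SPN across provider keytabs and against the kvno the KDC currently issues; the keytab listings, hostnames and the EXAMPLE.NET realm are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the post): check that every provider behind the
# load balancer holds the same key version (kvno) for the shared SPN and that
# it matches the kvno the KDC currently issues; a ticket encrypted under a newer
# key than the keytab holds fails on that provider with "Decrypt integrity
# check failed". All captures below are constructed sample data.
# Constructed `klist -kte` capture from provider 1 (shared SPN at kvno 2).
PROVIDER1_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
   3 05/19/2022 10:02:11 ldap/ldap1.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   2 05/19/2022 10:05:40 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   2 05/19/2022 10:05:40 ldap/ldap.example.net@EXAMPLE.NET (aes128-cts-hmac-sha1-96)'
# Constructed capture from provider 2: the shared SPN was exported again with
# ktadd, which randomised the key and bumped its kvno to 3.
PROVIDER2_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
   3 05/19/2022 10:03:02 ldap/ldap2.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   3 05/19/2022 10:06:12 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   3 05/19/2022 10:06:12 ldap/ldap.example.net@EXAMPLE.NET (aes128-cts-hmac-sha1-96)'
# Constructed output of `kvno ldap/ldap.example.net` run with a valid TGT.
KDC_KVNO_OUTPUT='ldap/ldap.example.net@EXAMPLE.NET: kvno = 3'

# Print the distinct kvno values listing $1 holds for principal $2 (given
# without realm), space-separated; empty when the SPN is absent.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" 'index($4, p "@") == 1 { print $1 }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Extract N from a `kvno` line such as "ldap/x@REALM: kvno = N".
issued_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# Return 0 when every listing holds exactly kvno $2 for principal $1, else 1.
# Usage: check_shared_spn PRINCIPAL KDC_KVNO LISTING...
check_shared_spn() {
    principal=$1; want=$2; shift 2; status=0
    for listing in "$@"; do
        have=$(keytab_kvnos "$listing" "$principal")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $principal kvno [$have] in keytab, KDC issues $want" >&2
            status=1
        fi
    done
    return $status
}

check_shared_spn ldap/ldap.example.net "$(issued_kvno "$KDC_KVNO_OUTPUT")" \
    "$PROVIDER1_KEYTAB" "$PROVIDER2_KEYTAB" && echo consistent || echo "keytab drift"
```

On real hosts, feed the functions the output of `klist -kte` from each provider and of `kvno` for the load balancer's SPN; a provider whose kvno lags the KDC is the one that will reject tickets the load balancer sends its way.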