saslBindTokenExchange failing with invalid Credentials Error #525

Open
chapcoder opened this issue Aug 13, 2024 · 4 comments

Comments

@chapcoder

I am trying to perform the GSSAPI bind using the go-ldap library.
I followed the steps below:
1) Create the keytab with the ktpass command:
ktpass /princ ldap/[email protected] /mapuser serv_acc /pass Welcome1! /out C:\Users\Administrator\Documents\test.keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
2) After the keytab was generated, I copied it to a path on the client machine, and I have also configured krb5.ini in the C:\Windows path.
3) In the code, while creating the GSSAPI client, I provided the SPN name which I used during keytab generation:
customclient, _ := gssapi.NewClientWithKeytab("ldap/serv_acc-AD", "EXAMPLE.LOCAL", `C:\Users\MyName\Downloads\test.keytab`, `C:\Windows\krb5.ini`, client.DisablePAFXFAST(true))
and I also passed the same SPN to the function below:
err = l.GSSAPIBind(customclient, "ldap/serv_acc-AD", "")

Now the issue is that the token is successfully generated by the function
(https://github.com/go-ldap/ldap/blob/master/v3/bind.go#L627), but when it then calls https://github.com/go-ldap/ldap/blob/master/v3/bind.go#L640 it fails with the error "LDAP Result Code 49 "Invalid Credentials": 8009030C: LdapErr: DSID-0C09070F, comment: AcceptSecurityContext error, data 52e, v4563 ".
I am not sure which value is wrong here and am not able to figure it out. Can anyone help with this?

Also, when I checked the content of the generated keytab using the command ktab -l -e -t -k "C:\Users\MyName\Downloads\test.keytab":

Keytab name: C:\Users\MyName\Downloads\test.keytab
KVNO Timestamp Principal
10 1/1/70, 2:00 AM ldap/[email protected] (18:AES256 CTS mode with HMAC SHA1-96)

@peschu123

I don't know if my problem is related, but I also get an error with Invalid Credentials, even though my case is a bit different. I want to use the credentials of the currently logged-in user.

The error I get:
error performing GSSAPI bind: LDAP Result Code 49 "Invalid Credentials": 80090346: LdapErr: DSID-0C0906AB, comment: AcceptSecurityContext error, data 80090346, v4f7c

I use the code from #402 (the only difference is that I use ldaps and port 636 instead of ldap) to connect from Windows 10 to an Active Directory server (most probably Server 2022). I also tried to create a client with gssapi.NewSSPIClientWithUserCredentials(), but the result stays the same. I can't figure out what's wrong. I already checked my configuration over and over, compared it with the klist tickets and purged all existing tickets. I also checked with setspn -Q */dc01.mydomain.com that it is available.

From the same machine I can connect with tools like LDAP Admin (using Kerberos) without any problems.
After looking through the functions I found conn.debug(), but it doesn't help me a lot.

Here is the complete debug output

2024/08/24 16:17:00 flags&startTLS = 0
2024/08/24 16:17:00 1: waiting for response
2024/08/24 16:17:00 Sending message 1
2024/08/24 16:17:00 Receiving message 1
2024/08/24 16:17:00 1: got response 0xc00010f3b0
LDAP Response: (Universal, Constructed, Sequence and Sequence of) Len=105 "<nil>" 
 Message ID: (Universal, Primitive, Integer) Len=1 "1"
 Bind Response: (Application, Constructed, 0x01) Len=100 "<nil>"
  Result Code (Invalid Credentials): (Universal, Primitive, Enumerated) Len=1 "49"
  Matched DN (): (Universal, Primitive, Octet String) Len=0 ""
  Error Message: (Universal, Primitive, Octet String) Len=93 "80090346: LdapErr: DSID-0C0906AB, comment: AcceptSecurityContext error, data 80090346, v4f7c\x00"
2024/08/24 16:17:00 1: got response 0xc00010f3b0
LDAP Response: (Universal, Constructed, Sequence and Sequence of) Len=105 "<nil>"
 Message ID: (Universal, Primitive, Integer) Len=1 "1"
 Bind Response: (Application, Constructed, 0x01) Len=100 "<nil>"
  Result Code (Invalid Credentials): (Universal, Primitive, Enumerated) Len=1 "49"
  Matched DN (): (Universal, Primitive, Octet String) Len=0 ""
  Error Message: (Universal, Primitive, Octet String) Len=93 "80090346: LdapErr: DSID-0C0906AB, comment: AcceptSecurityContext error, data 80090346, v4f7c\x00"
2024/08/24 16:17:00 Finished message 1
2024/08/24 16:17:00 error performing GSSAPI bind: LDAP Result Code 49 "Invalid Credentials": 80090346: LdapErr: DSID-0C0906AB, comment: AcceptSecurityContext error, data 80090346, v4f7c

Chances are high that I am doing something stupid, but I would be glad for any pointers on how to solve/debug this further. I mean, it takes the credentials of the logged-in user ... that should just work ;-)

Thanks in advance

@FlipB
Contributor

FlipB commented Oct 22, 2024

This error

2024/08/24 16:17:00 error performing GSSAPI bind: LDAP Result Code 49 "Invalid Credentials": 80090346: LdapErr: DSID-0C0906AB, comment: AcceptSecurityContext error, data 80090346, v4f7c

may be an indication that TLS channel binding is required for that AD server (I'm basing this only on this post https://answers.microsoft.com/en-us/windowserver/forum/all/unable-to-connect-to-active-directory-using-java/56313281-bf37-47ef-be43-e77bf470b053).

Some background about channel binding: https://ldapwiki.com/wiki/Wiki.jsp?page=Channel%20Binding
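As an added diagnostic helper (example code, not part of go-ldap or of anyone's post in this thread), this Go snippet parses the AD diagnostic strings quoted above and maps the codes to their documented meanings: 0x80090346 is SEC_E_BAD_BINDINGS, the channel binding case described in the previous comment, and data 52e is ERROR_LOGON_FAILURE, the keytab/SPN case in the first report. The type and function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// ADBindDiag holds the fields of the diagnostic string AD attaches to a failed bind.
type ADBindDiag struct {
	HResult uint32 // leading SSPI code, e.g. 0x8009030C = SEC_E_LOGON_DENIED
	DSID    string // AD-internal source location, only useful for matching Microsoft docs
	Comment string // e.g. "AcceptSecurityContext error"
	Data    uint32 // Win32 sub-code (0x52e ...) or the SSPI code again for channel binding failures
}

// diagRe finds "<hex8>: LdapErr: DSID-<hex>, comment: <text>, data <hex>, v<hex>" anywhere in
// the message, so the go-ldap prefix and the trailing NUL seen in the debug output do not matter.
var diagRe = regexp.MustCompile(`([0-9A-Fa-f]{8}): LdapErr: DSID-([0-9A-Fa-f]+), comment: (.*?), data ([0-9A-Fa-f]+), v[0-9A-Fa-f]+`)

// ParseADDiag extracts the structured fields from an LDAP result error message.
func ParseADDiag(msg string) (ADBindDiag, error) {
	m := diagRe.FindStringSubmatch(msg)
	if m == nil {
		return ADBindDiag{}, errors.New("not an AD AcceptSecurityContext diagnostic")
	}
	hr, err1 := strconv.ParseUint(m[1], 16, 32)
	data, err2 := strconv.ParseUint(m[4], 16, 32)
	if err1 != nil || err2 != nil {
		return ADBindDiag{}, fmt.Errorf("bad hex field in %q", m[0])
	}
	return ADBindDiag{HResult: uint32(hr), DSID: m[2], Comment: m[3], Data: uint32(data)}, nil
}

// Explain maps the codes to their documented meaning and the first thing worth checking.
func Explain(d ADBindDiag) string {
	if d.HResult == 0x80090346 || d.Data == 0x80090346 {
		return "SEC_E_BAD_BINDINGS: the DC enforces LDAP channel binding; the SASL bind must carry the TLS channel binding token, otherwise it is rejected before the credentials are evaluated"
	}
	switch d.Data {
	case 0x525:
		return "user not found: the principal does not exist or the SPN maps to no account"
	case 0x52e:
		return "ERROR_LOGON_FAILURE: ticket or password not accepted; check the SPN-to-account mapping, keytab KVNO and enctype against the account"
	case 0x775:
		return "account locked out: stop retrying and check the lockout policy before continuing"
	}
	return fmt.Sprintf("unmapped data code 0x%x (HRESULT 0x%08X)", d.Data, d.HResult)
}
```

Feeding the full go-ldap error string into ParseADDiag is enough; the 0x52e and 0x80090346 cases from this thread are the two that go-ldap users hit most often.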

@p0dalirius

Hey @FlipB, @chapcoder, @peschu123,

It seems that I have the same problem as you. I wrote a minimum working example of go-ldap Kerberos authentication and always get LDAP Result Code 49 "Invalid Credentials" with credentials that work on other protocols.

It seems there is a problem with SASL authentication in go-ldap?

If you want to play around with the code, it is in issue #536.

Best regards,

@andy-igoshin

It seems that I have a similar problem with DIGEST-MD5 SASL auth.
