FCSvr and external LDAP - always attempts CRAM-MD5 auth?

Having some real trouble with FCSvr authentication and an external OpenLDAP server.
Appears that when FCSvr (fcsvr_stored) negotiates with DirectoryService it always ends up deciding that it should send a CRAM-MD5 hash for authentication.
See below for an example from /Library/Logs/DirectoryService/DirectoryService.debug.log after turning on debugging with killall -USR1 DirectoryService (ldap hostname and usernames replaced with dummy placeholder values):

2011-02-08 13:47:01 EST - T[0xB0103000] - Client: fcsvr_stored, PID: 12412, API: dsOpenDirNode(), LDAPv3 Used : DAC : Dir Ref = 16800117 : Node Name = /LDAPv3/ldaphostname
2011-02-08 13:47:01 EST - T[0xB0103000] - Client: fcsvr_stored, PID: 12412, API: dsOpenDirNode(), LDAPv3 Used : DAR : Dir Ref = 16800117 : Node Ref = 16800122 : Result code = 0
2011-02-08 13:47:01 EST - T[0xB0207000] - Client: fcsvr_stored, PID: 12412, API: dsDoDirNodeAuth(), LDAPv3 Used : DAC : Node Ref = 16800122 : User Name = ldapusername : Auth Method = dsAuthMethodStandard:dsAuthNodeCRAM-MD5 : Auth Only Flag = 1 : Continue Data = 0
2011-02-08 13:47:01 EST - T[0xB0207000] - CLDAPv3Plugin: DoAuthenticationOnRecordType - Attempting use of authentication method dsAuthMethodStandard:dsAuthNodeCRAM-MD5
2011-02-08 13:47:01 EST - T[0xB0207000] - CLDAPv3Plugin: LookupAttribute error -14131
2011-02-08 13:47:01 EST - T[0xB0207000] - CLDAPv3Plugin: DoBasicAuth::
2011-02-08 13:47:01 EST - T[0xB0207000] - CLDAPv3Plugin: DoBasicAuth - Attempting use of authentication method dsAuthMethodStandard:dsAuthNodeCRAM-MD5
2011-02-08 13:47:01 EST - T[0xB0207000] - Client: fcsvr_stored, PID: 12412, API: dsDoDirNodeAuth(), LDAPv3 Used : DAR : Node Ref = 16800122 : Result code = -14091
2011-02-08 13:47:01 EST - T[0xB0207000] - Plug-in call "dsDoDirNodeAuth()" failed with error = -14091.
2011-02-08 13:47:01 EST - T[0xB0207000] - Port: 0 Call: dsDoDirNodeAuth() == -14091

For security reasons our OpenLDAP server does not support MD5 hashes, so it fails every time with a -14131 (eDSInvalidAttributeType - see the DirectoryService manpage here: http://www.manpagez.com/man/8/DirectoryService/) and then a -14091 (eDSAuthMethodNotSupported), which is what shows up in /var/log/system.log and in /Library/Logs/Final Cut Server/fcsvr storedxxxxx.log

You can test and break FCSvr auth for local accounts by simply disabling CRAM-MD5 in Workgroup Manager on a local account (select the local account, Advanced Tab -> Security -> uncheck CRAM-MD5, Save). Any attempt to log in to FCSvr as a local user will then fail, even though there are still other hash methods available for shadow password auth (e.g. NTLMv1 and 2). This is because FCSvr still wants to use CRAM-MD5 for authentication:

2011-02-08 17:41:35 EST - T[0xB0218000] - Client: fcsvr_stored, PID: 21733, API: dsOpenDirNode(), Local Used : DAC : Dir Ref = 16777551 : Node Name = /Local/Default
2011-02-08 17:41:35 EST - T[0xB0218000] - Client: fcsvr_stored, PID: 21733, API: dsOpenDirNode(), Local Used : DAR : Dir Ref = 16777551 : Node Ref = 16777556 : Result code = 0
2011-02-08 17:41:35 EST - T[0xB0103000] - Client: fcsvr_stored, PID: 21733, API: dsDoDirNodeAuth(), Local Used : DAC : Node Ref = 16777556 : User Name = localusername : Auth Method = dsAuthMethodStandard:dsAuthNodeCRAM-MD5 : Auth Only Flag = 1 : Continue Data = 0
2011-02-08 17:41:35 EST - T[0xB0103000] - CDSLocalPlugin::ReadHashConfig(): got error -14136
2011-02-08 17:41:35 EST - T[0xB0103000] - CDSLocalPluginNode::GetFileAccessIndex - found match in index - type <users> file <localusername.plist>
2011-02-08 17:41:35 EST - T[0xB0103000] - CDSLocalAuthHelper::DoShadowHashAuth(): Attempting use of authentication method dsAuthMethodStandard:dsAuthNodeCRAM-MD5
2011-02-08 17:41:35 EST - T[0xB0103000] - Client: fcsvr_stored, PID: 21733, API: dsDoDirNodeAuth(), Local Used : DAR : Node Ref = 16777556 : Result code = -14090
2011-02-08 17:41:35 EST - T[0xB0103000] - Plug-in call "dsDoDirNodeAuth()" failed with error = -14090.
2011-02-08 17:41:35 EST - T[0xB0103000] - Port: 0 Call: dsDoDirNodeAuth() == -14090

even though that hash mechanism should not even be available. You can switch User Password Type to "Open Directory" in WGM for this user and it still won't be able to authenticate, as FCSvr will keep wanting to send CRAM-MD5 hashes, and as this no longer exists in the Local database it will fail. You have to re-enable CRAM-MD5 hashes in WGM and reset the password to regenerate the MD5 hash for FCSvr auth to work again for this user.

If this is the issue, then I don't have any sensible workarounds; it looks like Apple may have to modify the code for fcsvr_stored and release a patch? Does anyone have any ideas?

xserve (Intel), Mac OS X (10.5.8), OS X Server (10.5.8)

Posted on Feb 7, 2011 11:44 PM


Feb 9, 2011 5:35 PM in response to werdbomb

UPDATE.

You can confirm this behavior by turning on debug in fcsvr itself.

cd to /Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/Resources/sbin/fcsvr_debug and run:
./fcsvr_ctl.sh debug
then restart fcsvr (either through System Preferences or via ./fcsvr_ctl.sh stop; ./fcsvr_ctl.sh start).

The authentication process then shows (for both successful and failing external ldap attempts):
10:21:58.984492 0xb0114000 DEBUG2 doCRAMMD5AuthStep auth.C:342 [DS] using response:21ef4cdd1cd48cc3bee59f0a57cfed6c8
From earlier lines in the log there's no evidence that any auth methods other than CRAM-MD5 are attempted.

For more info on fcsvr command line tools see: http://krypted.com/final-cut-server/the-final-cut-server-command-line/
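The two posts above do the same triage by hand: pair each dsDoDirNodeAuth() call (DAC) in DirectoryService.debug.log with its return (DAR), read off the Auth Method and the result code, and then check the fcsvr_stored debug log for which auth-step routines ever run. The script below is an added example written for this page, not code from the thread, from Apple or from Final Cut Server. It assumes the log formats shown in the posts; the sample lines are constructed from that format (thread ids, PIDs, node refs and the loginwindow lines are made up for contrast, as is the second fcsvr response hash). The -14091 and -14131 names are the ones the original post gives; -14090 is mapped to eDSAuthFailed from DirectoryService's DirServicesTypes.h, which the thread itself does not name.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Result codes named in the thread, plus eDSAuthFailed (-14090) from
# DirServicesTypes.h.  Anything else is reported numerically.
DS_ERRORS = {
    0: "eDSNoErr",
    -14090: "eDSAuthFailed",
    -14091: "eDSAuthMethodNotSupported",
    -14131: "eDSInvalidAttributeType",
}

# A dsDoDirNodeAuth() call (DAC) and its return (DAR) share a thread id and a
# Node Ref; that pair is how the two lines are matched up.  The user-name field
# tolerates a trailing ")" because placeholder substitution can leave one behind.
_COMMON = (r"T\[(?P<tid>0x[0-9A-Fa-f]+)\] - Client: (?P<client>[^,]+), PID: (?P<pid>\d+), "
           r"API: dsDoDirNodeAuth\(\), (?P<plugin>\w+) Used : ")
DAC_RE = re.compile(_COMMON + r"DAC : Node Ref = (?P<node>\d+) : User Name = (?P<user>.+?)\)? : "
                    r"Auth Method = (?P<method>\S+)")
DAR_RE = re.compile(_COMMON + r"DAR : Node Ref = (?P<node>\d+) : Result code = (?P<code>-?\d+)")

# fcsvr_stored's own debug log names the step routine, e.g. doCRAMMD5AuthStep.
FCSVR_STEP_RE = re.compile(r"\b(do\w+AuthStep)\b")


@dataclass
class AuthAttempt:
    client: str
    pid: int
    plugin: str   # DirectoryService node plug-in: LDAPv3, Local, ...
    user: str
    method: str   # e.g. dsAuthMethodStandard:dsAuthNodeCRAM-MD5
    code: int

    @property
    def error(self) -> str:
        return DS_ERRORS.get(self.code, f"unknown({self.code})")

    @property
    def ok(self) -> bool:
        return self.code == 0


def parse_ds_log(lines):
    """Pair every dsDoDirNodeAuth() DAC with its DAR; unrelated lines are skipped."""
    pending, attempts = {}, []
    for line in lines:
        m = DAC_RE.search(line)
        if m:
            pending[(m["tid"], m["node"])] = m
            continue
        m = DAR_RE.search(line)
        if m:
            call = pending.pop((m["tid"], m["node"]), None)
            if call is None:
                continue  # a return whose call is not in this excerpt
            attempts.append(AuthAttempt(call["client"], int(call["pid"]), call["plugin"],
                                        call["user"], call["method"], int(m["code"])))
    return attempts


def methods_by_client(attempts):
    """Every auth method each client ever asked DirectoryService for."""
    seen = defaultdict(set)
    for a in attempts:
        seen[a.client].add(a.method)
    return dict(seen)


def stuck_on_one_method(attempts):
    """Clients that only ever try a single method and have had it fail: for them a
    node that rejects that method is fatal, which is the FCSvr symptom in the thread."""
    failed = {a.client for a in attempts if not a.ok}
    return sorted(c for c, m in methods_by_client(attempts).items() if len(m) == 1 and c in failed)


def summarize(attempts):
    """One line per attempt: client, node plug-in, user, method and decoded result."""
    return [f"{a.client}[{a.pid}] {a.plugin} user={a.user} method={a.method} -> "
            f"{'OK' if a.ok else a.error}" for a in attempts]


def fcsvr_auth_steps(lines):
    """Distinct auth-step routines named in an fcsvr_stored debug log."""
    return sorted({m.group(1) for line in lines for m in FCSVR_STEP_RE.finditer(line)})


# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_DS_LOG = """\
2011-02-08 13:47:01 EST - T[0xB0207000] - Client: fcsvr_stored, PID: 12412, API: dsOpenDirNode(), LDAPv3 Used : DAR : Dir Ref = 16800117 : Node Ref = 16800122 : Result code = 0
2011-02-08 13:47:01 EST - T[0xB0207000] - Client: fcsvr_stored, PID: 12412, API: dsDoDirNodeAuth(), LDAPv3 Used : DAC : Node Ref = 16800122 : User Name = ldapusername) : Auth Method = dsAuthMethodStandard:dsAuthNodeCRAM-MD5 : Auth Only Flag = 1 : Continue Data = 0
2011-02-08 13:47:01 EST - T[0xB0207000] - CLDAPv3Plugin: LookupAttribute error -14131
2011-02-08 13:47:01 EST - T[0xB0207000] - Client: fcsvr_stored, PID: 12412, API: dsDoDirNodeAuth(), LDAPv3 Used : DAR : Node Ref = 16800122 : Result code = -14091
2011-02-08 17:41:35 EST - T[0xB0103000] - Client: fcsvr_stored, PID: 21733, API: dsDoDirNodeAuth(), Local Used : DAC : Node Ref = 16777556 : User Name = localusername : Auth Method = dsAuthMethodStandard:dsAuthNodeCRAM-MD5 : Auth Only Flag = 1 : Continue Data = 0
2011-02-08 17:41:35 EST - T[0xB0103000] - Client: fcsvr_stored, PID: 21733, API: dsDoDirNodeAuth(), Local Used : DAR : Node Ref = 16777556 : Result code = -14090
2011-02-08 17:50:02 EST - T[0xB0103000] - Client: loginwindow, PID: 91, API: dsDoDirNodeAuth(), Local Used : DAC : Node Ref = 16777600 : User Name = admin : Auth Method = dsAuthMethodStandard:dsAuthNodeNativeClearTextOK : Auth Only Flag = 1 : Continue Data = 0
2011-02-08 17:50:02 EST - T[0xB0103000] - Client: loginwindow, PID: 91, API: dsDoDirNodeAuth(), Local Used : DAR : Node Ref = 16777600 : Result code = 0
"""

SAMPLE_FCSVR_LOG = """\
10:21:58.984492 0xb0114000 DEBUG2 doCRAMMD5AuthStep auth.C:342 [DS] using response:21ef4cdd1cd48cc3bee59f0a57cfed6c8
10:22:31.117004 0xb0114000 DEBUG2 doCRAMMD5AuthStep auth.C:342 [DS] using response:7a0c1e9b4d2f8356c0de1ab27f93e4c1
"""

if __name__ == "__main__":
    ds = parse_ds_log(SAMPLE_DS_LOG.splitlines())
    print("\n".join(summarize(ds)))
    print("methods per client:", methods_by_client(ds))
    print("stuck on one method:", stuck_on_one_method(ds))
    print("fcsvr auth steps seen:", fcsvr_auth_steps(SAMPLE_FCSVR_LOG.splitlines()))
```

Run it against a real /Library/Logs/DirectoryService/DirectoryService.debug.log (after `killall -USR1 DirectoryService`) and the fcsvr debug log by reading the files into `parse_ds_log` and `fcsvr_auth_steps` instead of the constructed samples. A client that appears in `stuck_on_one_method` with only the CRAM-MD5 method, and a step list containing nothing but doCRAMMD5AuthStep, is the pattern the thread describes: no fallback is negotiated, so disabling CRAM-MD5 on the node (or on the account) breaks that client outright.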
