Xsanity Sanity for Apple's Xsan and Final Cut Server.
FCSvr and external LDAP - always attempts CRAM-MD5 auth?
KernelMustard (JBOD)
Joined: 08 Feb 2011
Posts: 3
Posted: Tue Feb 08, 2011 7:27 pm    Post subject: FCSvr and external LDAP - always attempts CRAM-MD5 auth?

Having some real trouble with FCSvr authentication and an external OpenLDAP server.
Appears that when FCSvr (fcsvr_stored) negotiates with DirectoryService it always ends up deciding that it should send a CRAM-MD5 hash for authentication.
See below for an example from /Library/Logs/DirectoryService/DirectoryService.debug.log after turning on debugging with killall -USR1 DirectoryService (LDAP hostname and usernames replaced with dummy placeholder values):

Code:
2011-02-08 13:47:01 EST - T0xB0103000 - Client: fcsvr_stored, PID: 12412, API: dsOpenDirNode(), LDAPv3 Used : DAC : Dir Ref = 16800117 : Node Name = /LDAPv3/ldaphostname)
2011-02-08 13:47:01 EST - T0xB0103000 - Client: fcsvr_stored, PID: 12412, API: dsOpenDirNode(), LDAPv3 Used : DAR : Dir Ref = 16800117 : Node Ref = 16800122 : Result code = 0
2011-02-08 13:47:01 EST - T0xB0207000 - Client: fcsvr_stored, PID: 12412, API: dsDoDirNodeAuth(), LDAPv3 Used : DAC : Node Ref = 16800122 : User Name = ldapusername) : Auth Method = dsAuthMethodStandard:dsAuthNodeCRAM-MD5 : Auth Only Flag = 1 : Continue Data = 0
2011-02-08 13:47:01 EST - T0xB0207000 - CLDAPv3Plugin: DoAuthenticationOnRecordType - Attempting use of authentication method dsAuthMethodStandard:dsAuthNodeCRAM-MD5
2011-02-08 13:47:01 EST - T0xB0207000 - CLDAPv3Plugin: LookupAttribute error -14131
2011-02-08 13:47:01 EST - T0xB0207000 - CLDAPv3Plugin: DoBasicAuth::
2011-02-08 13:47:01 EST - T0xB0207000 - CLDAPv3Plugin: DoBasicAuth - Attempting use of authentication method dsAuthMethodStandard:dsAuthNodeCRAM-MD5
2011-02-08 13:47:01 EST - T0xB0207000 - Client: fcsvr_stored, PID: 12412, API: dsDoDirNodeAuth(), LDAPv3 Used : DAR : Node Ref = 16800122 : Result code = -14091
2011-02-08 13:47:01 EST - T0xB0207000 - Plug-in call "dsDoDirNodeAuth()" failed with error = -14091.
2011-02-08 13:47:01 EST - T0xB0207000 - Port: 0 Call: dsDoDirNodeAuth() == -14091


For security reasons our OpenLDAP server does not support MD5 hashes, so it fails every time with a -14131 (eDSInvalidAttributeType - see DS manpage here: http://www.manpagez.com/man/8/DirectoryService/) and then a -14091 (eDSAuthMethodNotSupported), which is what shows up in /var/log/system.log and in /Library/Logs/Final Cut Server/fcsvr_stored_xxxxx.log.

You can test and break FCSvr auth for local accounts by simply disabling CRAM-MD5 in Workgroup Manager on a local account (select the local account, Advanced Tab -> Security -> uncheck CRAM-MD5, Save). Any attempt to log in to FCSvr as a local user will then fail, even though there are still other hash methods available for shadow password auth (e.g. NTLMv1 and 2). This is because FCSvr is still wanting to use CRAM-MD5 for authentication

Code:
2011-02-08 17:41:35 EST - T0xB0218000 - Client: fcsvr_stored, PID: 21733, API: dsOpenDirNode(), Local Used : DAC : Dir Ref = 16777551 : Node Name = /Local/Default
2011-02-08 17:41:35 EST - T0xB0218000 - Client: fcsvr_stored, PID: 21733, API: dsOpenDirNode(), Local Used : DAR : Dir Ref = 16777551 : Node Ref = 16777556 : Result code = 0
2011-02-08 17:41:35 EST - T0xB0103000 - Client: fcsvr_stored, PID: 21733, API: dsDoDirNodeAuth(), Local Used : DAC : Node Ref = 16777556 : User Name = localusername : Auth Method = dsAuthMethodStandard:dsAuthNodeCRAM-MD5 : Auth Only Flag = 1 : Continue Data = 0
2011-02-08 17:41:35 EST - T0xB0103000 - CDSLocalPlugin::ReadHashConfig(): got error -14136
2011-02-08 17:41:35 EST - T0xB0103000 - CDSLocalPluginNode::GetFileAccessIndex - found match in index - type <users> file <localusername.plist>
2011-02-08 17:41:35 EST - T0xB0103000 - CDSLocalAuthHelper::DoShadowHashAuth(): Attempting use of authentication method dsAuthMethodStandard:dsAuthNodeCRAM-MD5
2011-02-08 17:41:35 EST - T0xB0103000 - Client: fcsvr_stored, PID: 21733, API: dsDoDirNodeAuth(), Local Used : DAR : Node Ref = 16777556 : Result code = -14090
2011-02-08 17:41:35 EST - T0xB0103000 - Plug-in call "dsDoDirNodeAuth()" failed with error = -14090.
2011-02-08 17:41:35 EST - T0xB0103000 - Port: 0 Call: dsDoDirNodeAuth() == -14090


even though this hash mechanism should not even be available. You can switch User Password Type to "Open Directory" in WGM for this user and it still won't be able to authenticate, as FCSvr will keep wanting to send CRAM-MD5 hashes and as this no longer exists in the Local database it will fail. You have to re-enable CRAM-MD5 hashes in WGM and reset the password to re-generate the MD5 hash for FCSvr auth to work again for this user.

If this is the issue, then I don't have any sensible workarounds, it looks like Apple may have to modify the code for fcsvr_stored and release a patch? Does anyone have any ideas?

xserve (Intel) Mac OS X (10.5.8) OS X Server (10.5.8)
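An added example (not from the thread or from Apple) that pairs the dsDoDirNodeAuth DAC/DAR lines of DirectoryService.debug.log by thread id and node reference, so an administrator can see which authentication method each client actually requested and with what result. The regexes assume the line layout quoted above; the "otherclient" lines in the sample are constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the fcsvr_stored lines are copied from the thread's log excerpt; the
# "otherclient" lines are invented here to show a successful, non-CRAM-MD5 attempt for contrast.
SAMPLE_LOG = """\
2011-02-08 13:47:01 EST - T0xB0207000 - Client: fcsvr_stored, PID: 12412, API: dsDoDirNodeAuth(), LDAPv3 Used : DAC : Node Ref = 16800122 : User Name = ldapusername) : Auth Method = dsAuthMethodStandard:dsAuthNodeCRAM-MD5 : Auth Only Flag = 1 : Continue Data = 0
2011-02-08 13:47:01 EST - T0xB0207000 - CLDAPv3Plugin: LookupAttribute error -14131
2011-02-08 13:47:01 EST - T0xB0207000 - Client: fcsvr_stored, PID: 12412, API: dsDoDirNodeAuth(), LDAPv3 Used : DAR : Node Ref = 16800122 : Result code = -14091
2011-02-08 13:47:05 EST - T0xB0300000 - Client: otherclient, PID: 999, API: dsDoDirNodeAuth(), LDAPv3 Used : DAC : Node Ref = 16800130 : User Name = ldapusername : Auth Method = dsAuthMethodStandard:dsAuthNodePPS : Auth Only Flag = 1 : Continue Data = 0
2011-02-08 13:47:05 EST - T0xB0300000 - Client: otherclient, PID: 999, API: dsDoDirNodeAuth(), LDAPv3 Used : DAR : Node Ref = 16800130 : Result code = 0
"""

# Methods worth flagging: CRAM-MD5 needs the server to hold the password (or an MD5-based
# equivalent) rather than a salted one-way hash, which is why the OpenLDAP server refuses it.
WEAK_METHODS = {"dsAuthMethodStandard:dsAuthNodeCRAM-MD5"}
# Result codes named in the thread (see the DirectoryService manpage); anything else stays numeric.
RESULT_NAMES = {0: "eDSNoErr", -14091: "eDSAuthMethodNotSupported", -14131: "eDSInvalidAttributeType"}

# DAC = call into the plug-in (carries the requested method); DAR = its return (carries the code).
DAC_RE = re.compile(r"- (T0x[0-9A-Fa-f]+) - Client: ([^,]+), PID: \d+, API: dsDoDirNodeAuth\(\), "
                    r"\S+ Used : DAC : Node Ref = (\d+) : User Name = ([^\s:]+) : Auth Method = (\S+)")
DAR_RE = re.compile(r"- (T0x[0-9A-Fa-f]+) - Client: [^,]+, PID: \d+, API: dsDoDirNodeAuth\(\), "
                    r"\S+ Used : DAR : Node Ref = (\d+) : Result code = (-?\d+)")

@dataclass
class AuthAttempt:
    client: str
    user: str
    method: str
    result: Optional[int] = None   # filled in when the matching DAR line is seen

def parse_auth_attempts(text):
    """Pair each dsDoDirNodeAuth DAC line with its DAR line by thread id and node ref."""
    pending, attempts = {}, []
    for line in text.splitlines():
        if m := DAC_RE.search(line):
            thread, client, node, user, method = m.groups()
            a = AuthAttempt(client, user.rstrip(")"), method)  # strip the stray ')' seen in the post
            pending[(thread, node)] = a
            attempts.append(a)
        elif m := DAR_RE.search(line):
            thread, node, code = m.groups()
            if (a := pending.pop((thread, node), None)) is not None:
                a.result = int(code)
    return attempts

# (client, user, method, result) for every attempt that requested a flagged method.
def weak_method_report(text):
    return [(a.client, a.user, a.method.rsplit(":", 1)[-1], RESULT_NAMES.get(a.result, str(a.result)))
            for a in parse_auth_attempts(text) if a.method in WEAK_METHODS]
```

Run against the real debug log, the report shows whether any client other than fcsvr_stored is still being offered CRAM-MD5, and whether those attempts fail with -14091 as in the post.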
KernelMustard (JBOD)
Joined: 08 Feb 2011
Posts: 3
Posted: Wed Feb 09, 2011 10:19 pm    Post subject: UPDATE

UPDATE.

You can confirm this behavior by turning on debug in fcsvr itself.

cd to /Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/Resources/sbin/fcsvr_debug and run:
./fcsvr_ctl.sh debug
then restart fcsvr (either through sysprefs or via ./fcsvr_ctl.sh stop; ./fcsvr_ctl.sh start).

The authentication process then shows (for both successful and failing external ldap attempts):
Code:
10:21:58.984492 0xb0114000 DEBUG2 doCRAMMD5AuthStep auth.C:342 DS using response:21ef4cdd1cd48cc3bee59f0a57cfed6c8

From earlier lines in the log there's no evidence that any auth methods other than CRAM-MD5 are attempted.

For more info on fcsvr command line tools see: http://krypted.com/final-cut-server/the-final-cut-server-command-line/
mw10dot1 (Xsan Master)
Joined: 06 Dec 2006
Posts: 106
Posted: Thu Feb 10, 2011 8:30 am    Post subject: Fcsvr Authentication

Hi

I have not had to get fcsvr to work with anything other than AD and OD, but you might want to try looking at the settings file

/Library/Preferences/com.apple.FinalCutServer.settings

as when you switch to AD you change the AUTH_TYPE from 3 to 1:

http://support.apple.com/kb/HT3818

I would be interested to hear what 2 is?

Let us know how you get on.

Michael
KernelMustard (JBOD)
Joined: 08 Feb 2011
Posts: 3
Posted: Sun Feb 13, 2011 10:15 pm    Post subject: Auth_types

Hi Michael,

Unfortunately the AUTH_TYPE settings aren't very well documented, apart from a single reference in the setup guide (re AD auth) and the Apple KB article you've referred to.

We've done a bit of testing and it looks like the AUTH_TYPE attribute functions a bit like this:

0 = DirectoryService search policy. In our case /Local/Default, then /BSD/Local, then /LDAPv3/ldaphostname. Auth Method = dsAuthMethodStandard:dsAuthNodePPS
1 = AD only?
2 = DirectoryService search policy. In our case /Local/Default, then /BSD/Local, then /LDAPv3/ldaphostname. Auth Method = dsAuthMethodStandard:dsAuthNodeCRAM-MD5
3 = DirectoryService search policy. In our case /Local/Default, then /BSD/Local, then /LDAPv3/ldaphostname. Auth Method = dsAuthMethodStandard:dsAuthNodePPS
4 = DirectoryService search policy. In our case /Local/Default, then /BSD/Local, then /LDAPv3/ldaphostname. Auth Method = dsAuthMethodStandard:dsAuthNodePPS

Default appears to be 0, or possibly 3 (basing this guess on the Apple KB article). Looks like auth modes 4 and above probably just default to 3 (or 0).

So it looks like FCSvr does attempt other auth methods - however, we're not sure exactly what the dsAuthNodePPS method is. If anyone can point us in the right direction for documentation/more info on it, it would be much appreciated.
pospocei (JBOD)
Joined: 15 Feb 2011
Posts: 1
Posted: Tue Feb 15, 2011 7:41 am

Hi, sorry for my bad English,

we are trying the same and we are stopped because it isn't possible to connect without having a Server Password.

We also tried the option AUTH_TYPE = 2, but it didn't work.

Finally, we talked with Apple and they confirmed to us that it was only possible with an OD or AD.

Pospocei

Televisió de Catalunya, TV3