kinit failure with Kerberos and LDAP backend

Berthold Cogel cogel at uni-koeln.de
Sat Oct 20 18:26:44 EDT 2012


On 19.10.2012 20:59, Bob Liu wrote:
> It depends on how you have your "krb5.conf" configured... you might want
> to try the following kinit instead and see...
> 
> kinit a0537@RRZ.UNI-KOELN.DE
> 
> 
> 
>> Date: Fri, 19 Oct 2012 20:02:41 +0200
>> From: mark at mproehl.net
>> To: kerberos at mit.edu; cogel at uni-koeln.de
>> Subject: Re: kinit failure with Kerberos and LDAP backend
>>
>> Hi,
>>
>> is there any difference in the output of the following two search
>> requests?
>>
>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>   -b ou=People,dc=uni-koeln,dc=de \
>>   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
>>
>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>   -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>>   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
>>
>> Regards,
>>
>> Mark
>>
>>
>> On 19.10.2012 16:05, Berthold Cogel wrote:
>> > Hello!
>> >
>> > I've configured kerberos with an LDAP backend and I'm now trying to fill
>> > it with users.
>> >
>> > System: RHEL5
>> > Kerberos: 1.6.1-70.el5 (MIT)
>> > LDAP: openldap-ltb-2.4.28-1.el5
>> >
>> > Kerberos is talking to the local LDAP via LDAPI.
>> >
>> > The setup is working for all principals in the kerberos container. I can
>> > do a kinit and get a ticket...
>> > I also did an
>> > kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees
>> > ou=people,dc=uni-koeln,dc=de
>> >
>> > I did an ldapadd for some testusers followed by an addprinc for each
>> > testuser. A listprincs shows the principals of these testusers.
>> >
>> > But when I try to do a kinit I get this:
>> >
>> > kinit a0537
>> > kinit(v5): Client not found in Kerberos database while getting initial
>> > credentials
>> >
>> > This happens for each principal in the ou=People.
>> >
>> > The ldapsearch with the first part of the krb5 request in the LDAP log
>> > shows this:
>> >
>> > ldapsearch -x -ZZ -H ldap://... -D cn=... -W \
>> >   "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))" \
>> >   scope=2 deref=0
>> > Enter LDAP Password:
>> > # extended LDIF
>> > #
>> > # LDAPv3
>> > # base <> with scope subtree
>> > # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))
>> > # requesting: scope=2 deref=0
>> > #
>> >
>> > # a0537, People, uni-koeln.de
>> > dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
>> >
>> > # search result
>> > search: 3
>> > result: 0 Success
>> >
>> > # numResponses: 2
>> > # numEntries: 1
>> >
>> >
>> > So the principal is in the tree. The complete krb5 request in the LDAP
>> > log looks like this:
>> >
>> >
>> > slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
>> > slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
>> > slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
>> > slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
>> > slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
>> > slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>> > slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> > slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
>> > slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>> >
>> >
>> > I don't understand what is happening, and I don't know where to look.
>> >
>> >
>> > Regards
>> >
>> > Berthold Cogel
>> > ________________________________________________
>> > Kerberos mailing list Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>> >
>>
>>
>> --
>> Mark Pröhl
>> mark at mproehl.net
>> www.kerberos-buch.de

I'm getting the same response:

kinit a0537
kinit(v5): Client not found in Kerberos database while getting initial
credentials


kinit a0537@RRZ.UNI-KOELN.DE
kinit(v5): Client not found in Kerberos database while getting initial
credentials



Regards

Berthold
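The slapd excerpt quoted above shows the KDC, bound as cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de, running the same filter the manual ldapsearch used against ou=People and getting nentries=0, while the manual search (bound as a different DN) returned one entry. The script below is an added example, not code from this thread or from MIT Kerberos: it correlates slapd BIND, SRCH and SEARCH RESULT lines by connection and operation, then reports, per search base, how many entries each bind identity saw for the principal in question. The sample log is constructed: conn=230710 reproduces the lines quoted above (re-joined, attribute lists shortened, "@" restored from the archive's "at"), and conn=230711, the cn=admin bind DN and its nentries=1 result are invented to stand in for the manual ldapsearch. Whether the discrepancy comes from an ACL on ou=People for the KDC's bind DN or from something else is not established by the thread; the script only makes the discrepancy, and any missing result line, visible.

```python
import re
from collections import defaultdict

# Constructed sample log. conn=230710 reproduces the KDC lookup quoted in the
# thread (lines re-joined, attribute lists shortened); its op=2 has no SEARCH
# RESULT line because the quoted log stops there. conn=230711 is invented:
# an administrator bind (cn=admin is a placeholder) that does find the entry.
SAMPLE_LOG = """\
slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey
slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey
slapd[9882]: conn=230711 fd=30 ACCEPT from IP=127.0.0.1:40000 (IP=0.0.0.0:389)
slapd[9882]: conn=230711 op=0 BIND dn="cn=admin,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
slapd[9882]: conn=230711 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230711 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230711 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

CONN_RE = re.compile(r'conn=(\d+) (.*)$')
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)"')
BIND_RESULT_RE = re.compile(r'op=(\d+) RESULT tag=97 err=(\d+)')   # tag 97 = bindResponse
SRCH_RE = re.compile(r'op=(\d+) SRCH base="([^"]*)" scope=\d deref=\d filter="(.*)"$')
SEARCH_RESULT_RE = re.compile(r'op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def parse_slapd_log(text):
    """One record per SRCH op: the identity the connection was bound as at
    that point, the base and filter, and err/nentries from the matching
    SEARCH RESULT (None when that line never appears, e.g. a truncated log)."""
    bound_as = {}   # conn -> DN of the last bind that got err=0
    pending = {}    # conn -> (op, DN) of a bind still waiting for its RESULT
    searches, order = {}, []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.groups()
        if (b := BIND_RE.match(rest)):
            pending[conn] = (b.group(1), b.group(2) or '(anonymous)')
        elif (br := BIND_RESULT_RE.match(rest)):
            op, dn = pending.get(conn, (None, None))
            if op == br.group(1) and br.group(2) == '0':
                bound_as[conn] = dn
        elif (s := SRCH_RE.match(rest)):
            key = (conn, s.group(1))
            searches[key] = {'conn': conn, 'op': s.group(1),
                             'bind_dn': bound_as.get(conn, '(anonymous)'),
                             'base': s.group(2), 'filter': s.group(3),
                             'err': None, 'nentries': None}
            order.append(key)
        elif (r := SEARCH_RESULT_RE.match(rest)):
            key = (conn, r.group(1))
            if key in searches:
                searches[key]['err'] = int(r.group(2))
                searches[key]['nentries'] = int(r.group(3))
    return [searches[k] for k in order]


def principal_from_filter(flt):
    """Pull the krbPrincipalName value out of a KDC-style search filter."""
    m = re.search(r'\(krbPrincipalName=([^)]+)\)', flt, re.IGNORECASE)
    return m.group(1) if m else None


def compare_lookups(records, principal):
    """base -> {bind DN -> nentries} for every search that asked for `principal`."""
    seen = defaultdict(dict)
    for r in records:
        if principal_from_filter(r['filter']) == principal:
            seen[r['base']][r['bind_dn']] = r['nentries']
    return dict(seen)


def diagnose(records, principal):
    """Flag bases where different bind DNs saw different entry counts (the
    place to check ACLs or the stored krbPrincipalName next; that is an
    assumption, not a conclusion of the thread) and searches with no result line."""
    findings = []
    for base, by_dn in compare_lookups(records, principal).items():
        counts = {n for n in by_dn.values() if n is not None}
        if len(counts) > 1:
            findings.append(f"{base}: entry counts differ by bind DN: "
                            + ", ".join(f"{dn} -> {n}" for dn, n in by_dn.items()))
        for dn, n in by_dn.items():
            if n is None:
                findings.append(f"{base}: no SEARCH RESULT logged for bind {dn} (truncated log?)")
    return findings


if __name__ == '__main__':
    for finding in diagnose(parse_slapd_log(SAMPLE_LOG), 'a0537@RRZ.UNI-KOELN.DE'):
        print(finding)
```

Run it against a real slapd log (loglevel stats) by reading the file into parse_slapd_log instead of SAMPLE_LOG; the useful output is the base where the KDC's bind DN sees 0 entries while another identity sees the entry, since that narrows the problem to what that DN is allowed to read under that base rather than to the filter itself.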

