MIT kerberos + OpenLDAP backend
Matej Zagiba
Matej.Zagiba at fmph.uniba.sk
Thu Jul 3 08:14:54 EDT 2008
Hello everybody,
I'm trying to set up MIT kerberos with OpenLDAP backend. I found description of this functionality in
kerberos admin guide, and I followed provided instructions. But it not usable, I cannot create working
principal, assign policy or do kinit. Default principals like K/M works as expected.
I will appreciate any help.
System information:
Debian Etch
MIT kerberos 1.6.3 (compiled from debian testing packages)
OpenLDAP 2.4.10 (compiled from OpenLDAP sources)
action transcription follows:
builder:/etc/krb5kdc# kdb5_ldap_util -D cn=adm-service,o=kerberos
-H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi create -subtrees o=kerberos
-r TEST -s -sf /etc/krb5kdc/stash
Password for "cn=adm-service,o=kerberos":
Initializing database for realm 'TEST'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
builder:/etc/krb5kdc# kadmin.local -q "ank -pw 123456 user1"
Authenticating as principal root/admin at TEST with password.
WARNING: no policy specified for user1 at TEST; defaulting to no policy
Principal "user1 at TEST" created.
builder:/etc/krb5kdc# kadmin.local -q "getprincs *"
Authenticating as principal root/admin at TEST with password.
K/M at TEST
krbtgt/TEST at TEST
kadmin/admin at TEST
kadmin/changepw at TEST
kadmin/history at TEST
kadmin/builder at TEST
user1 at TEST
builder:/etc/krb5kdc# kadmin.local -q "getprinc user1"
Authenticating as principal root/admin at TEST with password.
Segmentation fault
builder:/etc/krb5kdc# kadmin.local -q "add_policy -maxlife 180day default"
Authenticating as principal root/admin at TEST with password.
builder:/etc/krb5kdc# kadmin.local -q "getprincs *"
Authenticating as principal root/admin at TEST with password.
K/M at TEST
krbtgt/TEST at TEST
kadmin/admin at TEST
kadmin/changepw at TEST
kadmin/history at TEST
kadmin/builder at TEST
user1 at TEST
builder:/etc/krb5kdc# kadmin.local -q "ank -pw 123456 user2"
Authenticating as principal root/admin at TEST with password.
NOTICE: no policy specified for user2 at TEST; assigning "default"
Principal "user2 at TEST" created.
builder:/etc/krb5kdc# kadmin.local -q "getprincs *"
Authenticating as principal root/admin at TEST with password.
get_principals: Invalid argument while retrieving list.
builder:/etc/krb5kdc# kadmin.local -q "getprinc user2"
Authenticating as principal root/admin at TEST with password.
get_principal: Invalid argument while retrieving "user2 at TEST".
builder:/etc/krb5kdc# kadmin.local -q "getprinc user1"
Authenticating as principal root/admin at TEST with password.
Segmentation fault
builder:/etc/krb5kdc# kadmin.local -q "getprinc K/M"
Authenticating as principal root/admin at TEST with password.
Principal: K/M at TEST
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 03 13:37:44 CEST 2008 (db_creation at TEST)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: DISALLOW_ALL_TIX REQUIRES_PRE_AUTH
Policy: [none]
builder:/etc/krb5kdc# /etc/init.d/krb5-kdc start
builder:/etc/krb5kdc# kinit user1
Password for user1 at TEST:
builder:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1 at TEST
Valid starting Expires Service principal
07/03/08 13:55:37 07/03/08 23:55:37 krbtgt/TEST at TEST
renew until 07/04/08 13:55:34
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
builder:/etc/krb5kdc# kdestroy
builder:/etc/krb5kdc# kinit user2
kinit(v5): Generic error (see e-text) while getting initial credentials
and here is log message:
Jul 03 13:55:58 builder krb5kdc[7486](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 158.195.31.111: LOOKING_UP_CLIENT: user2 at TEST for krbtgt/TEST at TEST, Invalid argument
--
Matej Zagiba
More information about the Kerberos
mailing list