Forgetting something? krb5kdc: No such file or directory - whileinitializing database for realm COMCAST.COM
Mathew Rowley
mathew_rowley at cable.comcast.com
Wed Mar 11 14:39:14 EDT 2009
My problem was actually a typo. In my realm, I had:
database_module = opeldap_ldapconf
Which did not match opeNldap_ldapconf
MAT
On 3/11/09 9:15 AM, "Mathew Rowley" <mathew_rowley at cable.comcast.com> wrote:
> I am trying to start up a freshly installed/configured MIT kerberos
> (1.6.1-31) implementation, but I am obviously missing something. I am using
> an LDAP backend, but the service will not start. Here is what I have done,
> can anyone see something I am missing? Or know of a way I can get more
> logging? Thanks.
>
> 1. Modified /var/kerberos/krb5kdc/krb.conf to set up the realm
>
> 2. Modified /etc/krb5.conf to include ldap information:
> [dbdefaults]
> ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
> [dbmodules]
> openldap_ldapconf = {
> db_library = kldap
> ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
> ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
> # this object needs to have read rights on
> # the realm container, principal container and realm sub-trees
> ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
> # this object needs to have read and write rights on
> # the realm container, principal container and realm sub-trees
> ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.keyfile
> ldap_servers = ldap://kdc01.security.lab.comcast.net
> ldap_conns_per_server = 5
> }
>
> 3. Created the ldap users (kadmin, kdc)
>
> 4. Initialized the ldap backend with kdb5_ldap_util ( kdb5_ldap_util -H
> ldap://10.252.152.78 -D 'cn=manager,dc=comcast,dc=com' create -subtrees
> 'dc=comcast,dc=com' -r COMCAST.NET s)
>
> 5. Stashed kadmin and kdc passwords in /var/kerberos/krb5kdc/kdc5.keyfile
> using kdb5_ldap_util (kdb5_ldap_util stashsrvpw -f
> /var/kerberos/krb5kdc/kdc5.keyfile 'cn=kadmin,dc=comcast,dc=com')
>
> 6. Modified ldap ACL according to
> http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html but with
> my kadmin/kdc name and my dn
> (using ldap 2.4.15 with new cn=config)
> olcAccess: to dn.base="" by * read
> olcAccess: to dn.base="cn=Subschema" by * read
> olcAccess: to attrs=userPassword,userPKCS12 by self write
> by * read
> olcAccess: to dn.subtree="dc=comcast,dc=com" by
> dn.exact="cn=kdc,dc=comcast,dc=com" read
> by dn.exact="cn=kadmin,dc=comcast,dc=com" write
> by * none
> olcAccess: to dn.subtree="cn=COMCAST.COM,cn=krbcontainer,dc=comcast,dc=com"
> by dn.exact="cn=kdc,dc=comcast,dc=com" read
> by dn.exact="cn=kadmin,dc=comcast,dc=com" write
> by * none
> olcAccess: to * by * read
>
> 7. Confirmed I can ldapsearch with kadmin and kdc ldap users
>
> 8. Tried to start krb5kdc - /etc/init.d/krb5kdc start:
> [root at kdc01 krb5kdc]# /etc/init.d/krb5kdc start
> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm COMCAST.COM - see
> log file for details
> [FAILED]
> [root at kdc01 krb5kdc]# cat /var/log/krb5kdc.log
> krb5kdc: No such file or directory - while initializing database for realm
> COMCAST.COM
>
> Any ideas? Thanks for any help.
>
> --
> MAT
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
MAT
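As an added example (not from this thread or from MIT's own code), a small Python checker for exactly the failure mode Mathew hit: it parses a constructed krb5.conf fragment and reports any realm whose database_module does not name an entry defined under [dbmodules]. The sample configuration and the minimal parser are assumptions for illustration, not the poster's actual files.

```python
import re

# Constructed krb5.conf fragment reproducing the thread's typo: the realm
# refers to "opeldap_ldapconf" while the module is named "openldap_ldapconf".
SAMPLE_KRB5_CONF = """\
[realms]
    COMCAST.COM = {
        kdc = kdc01.security.lab.comcast.net
        database_module = opeldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_servers = ldap://kdc01.security.lab.comcast.net
    }
"""

def parse_krb5_conf(text):
    """Return (realm -> database_module, set of [dbmodules] names).
    Minimal parser for krb5.conf's INI-with-braces syntax: it tracks the
    current [section] and a stack of open "name = {" blocks."""
    realm_modules, dbmodules, section, block = {}, set(), None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                   # new section header
            section, block = m.group(1), []
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:                                   # open a "name = {" block
            block.append(m.group(1))
            if section == "dbmodules" and len(block) == 1:
                dbmodules.add(m.group(1))
            continue
        if line == "}":                         # close the innermost block
            block.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if (m and section == "realms" and len(block) == 1
                and m.group(1) == "database_module"):
            realm_modules[block[0]] = m.group(2).strip()
    return realm_modules, dbmodules

def find_dangling_modules(text):
    """Realms whose database_module names no [dbmodules] entry."""
    realm_modules, dbmodules = parse_krb5_conf(text)
    return [(r, m) for r, m in realm_modules.items() if m not in dbmodules]
```

Running find_dangling_modules on the sample flags COMCAST.COM with the misspelt module name; correcting the name makes the list empty.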