Kerberos with LDAP backend

Thomas Skora thomas at skora.net
Sat May 23 15:28:03 EDT 2009


Hello all,

I've set up MIT Kerberos with OpenLDAP from Debian lenny packages
according to the instructions in the documentation. From a functionality
point of view everything looks fine: the realm subtrees were created in the
directory and the KDC is interacting with the LDAP server, but now I'm
stuck at what seems to me to be a chicken-and-egg problem: to add
principals I need a principal with appropriate permissions. I already tried
to create such entries in LDAP by hand, but all attempts to use them ended
up with the following log lines:

May 23 20:04:28 dc krb5kdc[3287](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.1: NEEDED_PREAUTH: tskora/admin at SSOTEST.SECUNET.COM for kadmin/changepw at SSOTEST.SECUNET.COM, Additional pre-authentication required
May 23 20:04:34 dc krb5kdc[3287](info): preauth (timestamp) verify failure: No matching key in entry
May 23 20:04:34 dc krb5kdc[3287](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.1: PREAUTH_FAILED: tskora/admin at SSOTEST.SECUNET.COM for kadmin/changepw at SSOTEST.SECUNET.COM, Preauthentication failed

It seems as if the needed data is hidden among those binary attributes
which are visible in the default principals. Is this correct?

Now my question is whether I have overlooked something. Is there something
from which I can bootstrap a first principal with administrative rights? Is
there a working tool available somewhere which could create them?

Thanks in advance,
Thomas
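The log excerpt in the post above shows the KDC's typical three-line failure sequence: an AS_REQ answered with NEEDED_PREAUTH, a "preauth (timestamp) verify failure" line with the reason, and a second AS_REQ for the same client and service answered with PREAUTH_FAILED. The following parser, added here as an example and not part of the post, reads krb5kdc log lines in that format, pairs each PREAUTH_FAILED request with the verify-failure reason the same KDC process logged just before it, and tallies failures per client and source address. The sample lines are constructed from the post's lines with the list archive's " at " rewritten back to "@" as krb5kdc itself prints; the REASON_HINTS text is the author's interpretation, not output from the KDC.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample, modelled on the three krb5kdc lines quoted in the post.
# The list archive printed "@" as " at "; real krb5kdc output uses "@".
SAMPLE_LOG = """\
May 23 20:04:28 dc krb5kdc[3287](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.1: NEEDED_PREAUTH: tskora/admin@SSOTEST.SECUNET.COM for kadmin/changepw@SSOTEST.SECUNET.COM, Additional pre-authentication required
May 23 20:04:34 dc krb5kdc[3287](info): preauth (timestamp) verify failure: No matching key in entry
May 23 20:04:34 dc krb5kdc[3287](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.1: PREAUTH_FAILED: tskora/admin@SSOTEST.SECUNET.COM for kadmin/changepw@SSOTEST.SECUNET.COM, Preauthentication failed
"""

# syslog-style prefix shared by every krb5kdc line: timestamp, host, pid, level
PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "

AS_REQ_RE = re.compile(
    PREFIX
    + r"AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]*)\}\) (?P<ip>[\d.]+): "
    + r"(?P<status>[A-Z_]+): (?P<client>[^\s,]+) for (?P<service>[^\s,]+)(?:, (?P<msg>.*))?$"
)
PREAUTH_FAIL_RE = re.compile(
    PREFIX + r"preauth \((?P<mech>\w+)\) verify failure: (?P<reason>.*)$"
)

# Interpretation of KDC failure reasons: an assumption by the example's author,
# not text taken from the post or from the krb5 source.
REASON_HINTS = {
    "No matching key in entry": (
        "the principal entry holds no key usable with any enctype the client "
        "offered; expected when the entry was created by hand without key data"
    ),
}


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Return a dict describing one krb5kdc log line, or None if unrecognised."""
    m = AS_REQ_RE.match(line)
    if m:
        d: Dict[str, Any] = m.groupdict()
        d["kind"] = "AS_REQ"
        d["etypes"] = [int(e) for e in d["etypes"].split()]
        return d
    m = PREAUTH_FAIL_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "PREAUTH_VERIFY_FAILURE"
        return d
    return None


def analyze(log_text: str) -> List[Dict[str, Any]]:
    """Pair each PREAUTH_FAILED AS_REQ with the most recent 'verify failure'
    reason logged by the same KDC process and attach a hint for known reasons."""
    findings: List[Dict[str, Any]] = []
    last_reason: Dict[str, str] = {}  # pid -> most recent verify-failure reason
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue  # not a line we model (e.g. TGS_REQ, startup messages)
        pid = rec["pid"]
        if rec["kind"] == "PREAUTH_VERIFY_FAILURE":
            last_reason[pid] = rec["reason"]
        elif rec["status"] == "PREAUTH_FAILED":
            reason = last_reason.pop(pid, None)
            findings.append({
                "ts": rec["ts"], "ip": rec["ip"], "client": rec["client"],
                "service": rec["service"], "etypes": rec["etypes"],
                "reason": reason,
                "hint": REASON_HINTS.get(reason or "", "unknown reason"),
            })
    return findings


def failures_by_client(findings: List[Dict[str, Any]]) -> Dict[Tuple[str, str], int]:
    """Count PREAUTH_FAILED events per (client principal, source IP) pair."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in findings:
        key = (f["client"], f["ip"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} from {f['ip']} -> {f['service']}: "
              f"{f['reason']} ({f['hint']})")
    print(failures_by_client(analyze(SAMPLE_LOG)))
```

Pairing on the KDC pid is what makes the reason usable: the "verify failure" line carries no principal or address, so it can only be tied to the AS_REQ that follows from the same process. On a real log the per-client counts separate a single misconfigured entry, as in the post, from many failures against many principals.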



