create principals fails

Greg Hudson ghudson at MIT.EDU
Wed Nov 25 12:10:27 EST 2009


On Tue, 2009-11-24 at 05:20 -0500, "kai plückhahn" wrote:
> kadmin.local: Server error while initializing kadmin.local interface

Unfortunately, as noted in previous threads
(http://mailman.mit.edu/pipermail/kerberos/2009-August/015187.html) the
KDC LDAP code is generating a much more informative error message, but
it isn't printed due to a problem with contexts.  That problem is fixed
for 1.8, but that doesn't help you right now.

One workaround is to make a debugging build of the krb5 sources and step
through the process with a debugger.  This is painful and laborious,
though.  Another option is to run kadmin.local under a system call
tracing tool like strace (Linux) or truss (Solaris) to see what system
interactions kadmin.local made shortly before printing the error
message, but that doesn't always yield helpful information.

The most common problem I've seen with using the KDC LDAP back end is in
setting up the stash file containing the LDAP passwords for the DNs used
by the KDC and kadmind.  This filename is specified with the variable
ldap_service_password_file inside the database settings.  If you created
it correctly, it should look like:

cn=admin,dc=directorate,dc=org#{HEX}abcde12345

where the DNs on the left should match the DNs specified in the
ldap_kdc_dn and ldap_kadmind_dn variables.  You say that the file is
there with both passwords, but you might want to double check.

There is a different file which holds the KDB master password.  This
filename is specified with the variable key_stash_file inside the realm
settings, and should point to a different filename.  It should contain
binary data.  Make sure this is separate from your LDAP password stash.
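As an added illustration (not part of the original thread, and not krb5's own code), the following Python checker applies the two distinctions Greg draws: the ldap_service_password_file is text with one `DN#{HEX}<hex>` line per DN, its DNs must cover ldap_kdc_dn and ldap_kadmind_dn, and key_stash_file must be a different, binary file. The kdc.conf excerpt, DNs, paths, passwords and key-stash bytes are constructed samples, and the config lookup is a deliberate simplification of the krb5 profile format (one `key = value` per line), not a full profile parser.

```python
"""Sanity checks for a KDC LDAP back end's two stash files.
Added example, not krb5 code; every sample below is constructed."""
import re

# One line per DN: DN#{HEX}<hex-encoded password>
HEX_LINE = re.compile(r"^(?P<dn>[^#]+)#\{HEX\}(?P<hexpw>[0-9A-Fa-f]+)$")

# Constructed kdc.conf excerpt (names and paths are made up).
SAMPLE_KDC_CONF = """\
[realms]
    DIRECTORATE.ORG = {
        database_module = openldap_ldapconf
        key_stash_file = /etc/krb5kdc/.k5.DIRECTORATE.ORG
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=kdc,dc=directorate,dc=org"
        ldap_kadmind_dn = "cn=admin,dc=directorate,dc=org"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }
"""

# Constructed stash that covers both DNs ("secret1" hex-encoded for the KDC DN).
SAMPLE_STASH_OK = """\
cn=kdc,dc=directorate,dc=org#{HEX}73656372657431
cn=admin,dc=directorate,dc=org#{HEX}abcde12345
"""

# Constructed stash with a malformed line and no entry for the kadmind DN.
SAMPLE_STASH_BAD = """\
cn=kdc,dc=directorate,dc=org#{HEX}73656372657431
cn=other,dc=directorate,dc=org#plaintext
"""

# Constructed non-text bytes standing in for a binary master key stash.
SAMPLE_KEY_STASH = bytes([0x05, 0x02, 0x00, 0x00, 0x00, 0x12, 0x8A, 0xD3, 0x41, 0xF0])


def conf_value(conf_text, key):
    """Return the first 'key = value' setting in conf_text, quotes stripped.
    Simplified: assumes one setting per line, as kdc.conf is usually written."""
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), conf_text, re.M)
    return m.group(1).strip('"') if m else None


def parse_ldap_stash(stash_text):
    """Map DN -> decoded password for well-formed lines; report the rest."""
    passwords, problems = {}, []
    for lineno, line in enumerate(stash_text.splitlines(), 1):
        if not line.strip():
            continue
        m = HEX_LINE.match(line)
        if not m:
            problems.append("line %d: expected 'DN#{HEX}<hex>', got %r" % (lineno, line))
            continue
        hexpw = m.group("hexpw")
        if len(hexpw) % 2:
            problems.append("line %d: odd-length hex password" % lineno)
            continue
        passwords[m.group("dn")] = bytes.fromhex(hexpw).decode("utf-8", "replace")
    return passwords, problems


def check_stash_files(conf_text, stash_text, key_stash_bytes):
    """Return a list of mismatches between kdc.conf and the two stash files."""
    passwords, problems = parse_ldap_stash(stash_text)
    for key in ("ldap_kdc_dn", "ldap_kadmind_dn"):
        dn = conf_value(conf_text, key)
        if dn is None:
            problems.append("%s is not set in kdc.conf" % key)
        elif dn not in passwords:
            problems.append("%s %r has no line in ldap_service_password_file" % (key, dn))
    ldap_file = conf_value(conf_text, "ldap_service_password_file")
    key_file = conf_value(conf_text, "key_stash_file")
    if ldap_file and key_file and ldap_file == key_file:
        problems.append("key_stash_file and ldap_service_password_file are the same file")
    # Heuristic: the master key stash is binary, so all-printable content is suspect.
    if key_stash_bytes and all(32 <= b < 127 or b in (9, 10, 13) for b in key_stash_bytes):
        problems.append("key_stash_file content looks like text, not a binary key stash")
    return problems


if __name__ == "__main__":
    for label, stash in (("ok", SAMPLE_STASH_OK), ("bad", SAMPLE_STASH_BAD)):
        print(label, check_stash_files(SAMPLE_KDC_CONF, stash, SAMPLE_KEY_STASH))
```

To use it against a real deployment, read the three files named in your kdc.conf and pass their contents in place of the constructed samples; an empty list means the DNs line up and the two stashes are distinct.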
