Setting up slave KDC when realm info is in LDAP (initially created with kdb5_ldap_util)
Holger Rauch
holger.rauch at empic.de
Sat Jun 5 13:43:52 EDT 2010
Hi,
I'm using Debian Lenny with the standard MIT Kerberos and OpenLDAP
packages. So far, I've managed to set up OpenLDAP delta syncrepl (so
I shouldn't need the kpropd (slave KDC)/kprop (master KDC) combo).
I googled about KDC slave setups but unfortunately didn't come across
any HOWTO for LDAP-related setups, only BDB ones.
I've copied the /etc/krb5.conf file of the master server
(/etc/krb5kdc/kdc.conf is a symlink pointing to /etc/krb5.conf since
that file contains all relevant entries). Furthermore,
kdchost2.our.domain runs the slave slapd and kdchost1.our.domain runs
the master slapd server.
When I try to start the slave KDC on host kdchost2.our.domain, I see
this error message in /var/log/kerberos/krb5kdc.log, even though I
copied the service.keyfile from the master KDC:
krb5kdc: Cannot find/read stored master key - while fetching master
key K/M for realm OUR.DOMAIN
It's not obvious to me why I'm getting this error message.
My /etc/krb5.conf file on the KDC slave host (named kdc.host2 in the
config below) looks like this (both master KDC and admin server are
running on host kdchost1.our.domain; for reasons of simplicity I
used the LDAP admin account for both the kdc and kadmind DN since it's not
a publicly accessible network):
===
[kdcdefaults]
    kdc_ports = 750,88

[libdefaults]
    default_realm = OUR.DOMAIN
    # dns_lookup_realm = true
    # dns_lookup_kdc = true
    passwd_check_s_address = false
    use_tcp_only = true
    ccache_type = 3
    forwardable = true

[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 57600
        renew_lifetime = 57600
        forwardable = true
        krb4_convert = false
    }
    kinit = {
        ticket_lifetime = 57600
        renew_lifetime = 57600
        forwardable = true
    }
    pam-afs-session = {
        aklog_homedir = true
        minimum_uid = 10000
    }

[realms]
    OUR.DOMAIN = {
        database_name = ldap:ou=krb5,ou=org1,dc=ourou,dc=ourcomp
        kdc = kdchost1.our.domain
        kdc = kdchost2.our.domain
        admin_server = kdchost1.our.domain
        acl_file = /etc/krb5kdc/kadm5.acl
        database_module = openldap_ldapconf
        default_domain = our.domain
        max_life = 16h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
    }
    OUR.OTHER.DOMAIN = {
        database_name = ldap:ou=krb5,ou=org1,dc=ourou,dc=ourcomp
        kdc = kdchost1.our.other.domain
        kdc = kdchost2.our.other.domain
        admin_server = kdchost1.our.other.domain
        acl_file = /etc/krb5kdc/kadm5.acl
        database_module = openldap_ldapconf
        default_domain = our.other.domain
        max_life = 16h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
    }

[domain_realm]
    .our.domain = OUR.DOMAIN
    our.domain = OUR.DOMAIN
    .subdom.our.domain = OUR.DOMAIN
    subdom.our.domain = OUR.DOMAIN
    #.our.other.domain = OUR.OTHER.DOMAIN
    #our.other.domain = OUR.OTHER.DOMAIN

[login]
    krb4_convert = true
    krb4_get_tickets = false

[kdc]
    database = {
        dbname = ldap:ou=krb5,ou=org1,dc=ourou,dc=ourcomp
    }

[dbdefaults]
    ldap_kerberos_container_dn = dc=ourou,dc=ourcomp
    database_module = openldap_ldapconf

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = ou=krb5,ou=org1,dc=ourou,dc=ourcomp
        ldap_kdc_dn = "cn=admin,dc=ourou,dc=ourcomp"
        ldap_kadmind_dn = "cn=admin,dc=ourou,dc=ourcomp"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldap://kdchost2.our.domain
        ldap_conns_per_server = 5
    }

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    default = FILE:/var/log/kerberos/krb5lib.log
===
Any help will be greatly appreciated.
Thanks in advance & kind regards,
Holger
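An added check for the situation described above (not part of the original post or the MIT krb5 tooling): the file named by ldap_service_password_file only holds the LDAP bind password stashed with kdb5_ldap_util stashsrvpw, while krb5kdc reads the realm master key from the separate stash file (key_stash_file, or by default /etc/krb5kdc/.k5.REALM, the Debian path assumed here). The script below reads the [dbmodules] stanza of a kdc.conf-style file and reports which of the two files a KDC host is missing; the parsing assumes the one "key = value" per line layout of the config in the post.

```sh
#!/bin/sh
# Added check, not from the original post: confirm that a KDC host has both
# files krb5kdc needs for an LDAP-backed realm. service.keyfile (from
# kdb5_ldap_util stashsrvpw) only carries the LDAP bind password; the realm
# master key comes from the stash file, key_stash_file or, by default,
# /etc/krb5kdc/.k5.REALM (Debian location, assumed here).

# kdc_conf_value CONF MODULE KEY: print KEY's value inside module MODULE of
# the [dbmodules] section (one "key = value" per line, as in the post).
kdc_conf_value() {
    awk -v mod="$2" -v key="$3" '
        $1 ~ /^\[/                       { insec = ($1 == "[dbmodules]"); inmod = 0 }
        insec && $1 == mod && $3 == "{"  { inmod = 1; next }
        inmod && $1 == "}"               { inmod = 0 }
        inmod && $1 == key && $2 == "="  { v = $3; gsub(/"/, "", v); print v; exit }
    ' "$1"
}

# check_kdc_files CONF REALM MODULE [STASHDIR]: report every required file that
# is missing or unreadable; return 1 if any is, 0 if the KDC can load its keys.
check_kdc_files() {
    conf=$1; realm=$2; module=$3; stashdir=${4:-/etc/krb5kdc}
    svc=$(kdc_conf_value "$conf" "$module" ldap_service_password_file)
    stash=$(kdc_conf_value "$conf" "$module" key_stash_file)
    [ -n "$stash" ] || stash="$stashdir/.k5.$realm"   # MIT default stash name
    rc=0
    for f in "$svc" "$stash"; do
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "missing or unreadable: ${f:-ldap_service_password_file not set}"
            rc=1
        fi
    done
    return $rc
}

# On a KDC host: sh check_kdc_files.sh /etc/krb5.conf OUR.DOMAIN openldap_ldapconf
if [ $# -eq 3 ]; then
    check_kdc_files "$1" "$2" "$3"
fi
```

The check must run as the user krb5kdc starts as (normally root), since it tests readability rather than mere existence.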