Error configuring Kerberos and OpenDS

Tiago Elvas tiagoelvas at gmail.com
Mon Feb 20 13:34:57 EST 2012


Hi there,

I am having trouble configuring a machine to work with Kerberos and OpenDS.
I will describe the architecture to you, then post the configuration, and then
the logs.


   - Architecture

I am running Kerberos and OpenDS on the same machine, RHEL 5.7, named
ldapserver.


   - Configuration

krb5.conf
[libdefaults]
        default_realm = MYDOMAIN.COM
[realms]
         MYDOMAIN.COM = {
                kdc =  ldapserver.mydomain.com
                admin_server =  ldapserver.mydomain.com
        }
[domain_realm]
        .mydomain.com =  MYDOMAIN.COM
[logging]
        kdc = FILE=/var/log/krb5kdc.log
        admin_server = FILE=/var/log/kadm5.log

kdc.conf
[kdcdefaults]
         kdc_ports = 88, 750
[realms]
         MYDOMAIN.COM = {
                profile = /etc/krb5.conf
                database_name = /usr/local/var/krb5kdc/principal
                admin_keytab = /usr/local/var/krb5kdc//kadm5.keytab
                acl_file =  /usr/local/var/krb5kdc/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                default_principal_flags = +preauth
        }
kadmin.local:  getprincs
K/M@MYDOMAIN.COM
host/ldapserver@MYDOMAIN.COM
kadmin/admin@MYDOMAIN.COM
kadmin/changepw@MYDOMAIN.COM
kadmin/ldapserver@MYDOMAIN.COM
kerberos-test@MYDOMAIN.COM
krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
ldap/ldapserver@MYDOMAIN.COM
ldapserver.mydomain.com@MYDOMAIN.COM
root/admin@MYDOMAIN.COM

# klist -k /usr/local/var/krb5kdc/kadm5.keytab
Keytab name: FILE:/usr/local/var/krb5kdc/kadm5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 kadmin/admin@MYDOMAIN.COM
   6 kadmin/admin@MYDOMAIN.COM
   6 kadmin/admin@MYDOMAIN.COM
   6 kadmin/admin@MYDOMAIN.COM
   6 kadmin/changepw@MYDOMAIN.COM
   6 kadmin/changepw@MYDOMAIN.COM
   6 kadmin/changepw@MYDOMAIN.COM
   6 kadmin/changepw@MYDOMAIN.COM
   2 host/ldapserver@MYDOMAIN.COM
   2 host/ldapserver@MYDOMAIN.COM
   2 host/ldapserver@MYDOMAIN.COM
   2 host/ldapserver@MYDOMAIN.COM

# klist -k /root/opends/config/opends.keytab
Keytab name: FILE:/root/opends/config/opends.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldapserver@MYDOMAIN.COM
   3 host/ldapserver@MYDOMAIN.COM
   3 host/ldapserver@MYDOMAIN.COM
   3 host/ldapserver@MYDOMAIN.COM

========================================================================================================
Then, I run kinit kerberos-test:
# kinit kerberos-test
Password for kerberos-test@MYDOMAIN.COM:
[root@ldapserver etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kerberos-test@MYDOMAIN.COM

Valid starting     Expires            Service principal
02/20/12 19:23:29  02/21/12 03:23:29  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 02/21/12 19:23:29
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

========================================================================================================
# ldapsearch -h ldapserver.mydomain.com -p 389 -o mech=GSSAPI -o authid="kerberos-test@MYDOMAIN.COM" -b "dc=example,dc=com" -s base "(objectClass=*)"
Password for user 'kerberos-test@MYDOMAIN.COM':
An error occurred while attempting to perform GSSAPI authentication to the
Directory Server: PrivilegedActionException(null:-2) Result Code:  82
(Local Error)

And this is the log in /var/log/krb5kdc.log:
Feb 20 19:26:13 ldapserver krb5kdc[15295](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: ISSUE: authtime 1329762373, etypes {rep=23 tkt=18 ses=23}, kerberos-test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Feb 20 19:26:13 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: UNKNOWN_SERVER: authtime 0,  kerberos-test@MYDOMAIN.COM for ldap/ldapserver.mydomain.com@MYDOMAIN.COM, Server not found in Kerberos database


What am I missing? I have OpenDS configured to use the file
opends.keytab, which contains info on the KDC server, but it seems not to be
able to find it.
Can anyone help me solve this? I will be glad to provide any inputs on
this.

Note that the domain name mydomain.com and the REALM MYDOMAIN.COM are
fictitious but coherent with my configuration.

Many thanks in advance.

Best regards
Tiago Pires
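Added example, not part of Tiago's post: the KDC log above rejects a TGS_REQ with UNKNOWN_SERVER, which means the KDC database has no principal under exactly the name the client asked for. The client asked for ldap/ldapserver.mydomain.com@MYDOMAIN.COM (the canonical FQDN of the server), while getprincs lists only the short form ldap/ldapserver@MYDOMAIN.COM and opends.keytab holds only host/ldapserver@MYDOMAIN.COM. The script below cross-checks those three artefacts: it pulls the rejected service principals out of krb5kdc.log lines, parses kadmin getprincs and klist -k output, and reports whether the requested name, or only its short-hostname variant, exists in the KDC and in the service keytab. All sample inputs are constructed from the listings in the post (with the mail archive's " at " restored to "@"); the function and variable names are the example's own.

```python
import re

# Constructed sample of /var/log/krb5kdc.log, transcribed from the post.
KDC_LOG = """\
Feb 20 19:26:13 ldapserver krb5kdc[15295](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: ISSUE: authtime 1329762373, etypes {rep=23 tkt=18 ses=23}, kerberos-test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Feb 20 19:26:13 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: UNKNOWN_SERVER: authtime 0,  kerberos-test@MYDOMAIN.COM for ldap/ldapserver.mydomain.com@MYDOMAIN.COM, Server not found in Kerberos database
"""

# Constructed sample of `kadmin.local: getprincs` output, as in the post.
GETPRINCS = """\
K/M@MYDOMAIN.COM
host/ldapserver@MYDOMAIN.COM
kadmin/admin@MYDOMAIN.COM
kadmin/changepw@MYDOMAIN.COM
kadmin/ldapserver@MYDOMAIN.COM
kerberos-test@MYDOMAIN.COM
krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
ldap/ldapserver@MYDOMAIN.COM
ldapserver.mydomain.com@MYDOMAIN.COM
root/admin@MYDOMAIN.COM
"""

# Constructed sample of `klist -k /root/opends/config/opends.keytab`, as in the post.
OPENDS_KEYTAB = """\
Keytab name: FILE:/root/opends/config/opends.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldapserver@MYDOMAIN.COM
   3 host/ldapserver@MYDOMAIN.COM
   3 host/ldapserver@MYDOMAIN.COM
   3 host/ldapserver@MYDOMAIN.COM
"""

# "... UNKNOWN_SERVER: authtime 0,  client@REALM for service/host@REALM, Server not found ..."
UNKNOWN_RE = re.compile(r"UNKNOWN_SERVER:.*?\bfor (\S+?)(?:,|\s|$)")
# klist -k data lines: a KVNO column followed by the principal.
KEYTAB_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$", re.MULTILINE)


def unknown_servers(log_text):
    """Service principals the KDC rejected with UNKNOWN_SERVER, in log order, deduplicated."""
    found = []
    for match in UNKNOWN_RE.finditer(log_text):
        if match.group(1) not in found:
            found.append(match.group(1))
    return found


def keytab_principals(klist_text):
    """Distinct principals present in `klist -k` output (KVNO duplicates collapsed)."""
    return set(KEYTAB_RE.findall(klist_text))


def kdc_principals(getprincs_text):
    """Principals listed by kadmin getprincs (one per line, all contain '@')."""
    return {line.strip() for line in getprincs_text.splitlines() if "@" in line}


def short_host_form(principal):
    """service/host.fqdn@REALM -> service/host@REALM; None for principals without a host part."""
    name, _, realm = principal.partition("@")
    service, slash, host = name.partition("/")
    if not slash:
        return None
    return f"{service}/{host.split('.')[0]}@{realm}"


def diagnose(log_text, getprincs_text, klist_text):
    """For each rejected service principal, say where it (or its short form) does exist."""
    kdc = kdc_principals(getprincs_text)
    keytab = keytab_principals(klist_text)
    report = []
    for requested in unknown_servers(log_text):
        short = short_host_form(requested)
        report.append({
            "requested": requested,
            "in_kdc": requested in kdc,
            "in_keytab": requested in keytab,
            "short_form_in_kdc": short in kdc,
            "short_form_in_keytab": short in keytab,
        })
    return report


if __name__ == "__main__":
    for entry in diagnose(KDC_LOG, GETPRINCS, OPENDS_KEYTAB):
        print(entry)
```

Run against the post's data the report shows in_kdc False and short_form_in_kdc True for ldap/ldapserver.mydomain.com@MYDOMAIN.COM, and neither form in opends.keytab: the KDC and the keytab were provisioned under a short hostname, but the GSSAPI client resolves the server to its FQDN and requests that name. The same check works on a real box by feeding it the actual krb5kdc.log, getprincs and klist -k output.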

