LDAP backend - help needed...

Berthold Cogel cogel at uni-koeln.de
Mon May 7 11:38:10 EDT 2012


Hello!

I'm trying to get kerberos running with an LDAP backend.

System is RHEL 5.8 with krb5 1.6.1-70.el5 packages.

I've set up the LDAP server with kerberos.schema, created an ou=Kerberos
and organizational roles 'kdc' and 'kadmind' within the ou. ACLs are set
so that these roles can authenticate and make changes to the ou=Kerberos
and ou=People.


[root@hydra krb5kdc]# KRB5_CONFIG=/var/kerberos/krb5kdc/kdc.conf
[root@hydra krb5kdc]# export KRB5_CONFIG
[root@hydra krb5kdc]# kdb5_ldap_util create -D cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de -r EXAMPLE.UNI-KOELN.DE -s -sscope sub
Password for "cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de":
Initializing database for realm 'EXAMPLE.UNI-KOELN.DE'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:


The realm container with all principals is created successfully.

[root@hydra krb5kdc]# kdb5_ldap_util stashsrvpw -D cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de -f /var/kerberos/krb5kdc/service.keyfile cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de
Password for "cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de":
Password for "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de":
Re-enter password for "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de":
[root@hydra krb5kdc]# kdb5_ldap_util stashsrvpw -D cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de -f /var/kerberos/krb5kdc/service.keyfile cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de
Password for "cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de":
Password for "cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de":
Re-enter password for "cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de":


[root@hydra krb5kdc]# ls -al
total 24
drwxr-xr-x 2 root root 4096 May  7 16:09 .
drwxr-xr-x 3 root root 4096 Dec 27 23:34 ..
-rw------- 1 root root   30 May  7 15:23 .k5.EXAMPLE.UNI-KOELN.DE
-rw-r--r-- 1 root root   32 May  7 15:20 kadm5.acl
-rw-r--r-- 1 root root 1028 May  7 15:20 kdc.conf
-rw------- 1 root root  128 May  7 16:09 service.keyfile


But now:

[root@hydra krb5kdc]# kadmin.local
kadmin.local: unable to get default realm

[root@hydra krb5kdc]# kadmin.local -r EXAMPLE.UNI-KOELN.DE
Authenticating as principal root/admin@EXAMPLE.UNI-KOELN.DE with password.
kadmin.local: Invalid argument while initializing kadmin.local interface


In /etc/krb5.conf:

[libdefaults]
  default_realm = EXAMPLE.UNI-KOELN.DE
  kdc_timesync = 0
  allow_weak_crypto=true
  dns_lookup_realm = false

[realms]
 EXAMPLE.UNI-KOELN.DE = {
  kdc = hydra.rrz.uni-koeln.de:88
  admin_server = hydra.rrz.uni-koeln.de:749
  default_domain = rrz.uni-koeln.de
  }
[domain_realm]
  .rrz.uni-koeln.de = EXAMPLE.UNI-KOELN.DE
[logging]
  kdc = SYSLOG:INFO:LOCAL0
  admin_server = SYSLOG:INFO:LOCAL0
  default = SYSLOG:INFO:LOCAL0


/var/kerberos/krb5kdc/kdc.conf:


[kdcdefaults]
  kdc_ports = 750,88
  kdc_tcp_ports = 88
  v4_mode = nopreauth
[realms]
  EXAMPLE.UNI-KOELN.DE = {
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.UNI-KOELN.DE
    supported_enctypes = aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
    default_principal_flags = +preauth
    database_module = openldap_ldapconf
  }
[logging]
  kdc = SYSLOG:INFO:LOCAL0
  admin_server = SYSLOG:INFO:LOCAL0
  default = SYSLOG:INFO:LOCAL0
[dbdefaults]
  ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"
[dbmodules]
  openldap_ldapconf = {
    db_library = kldap
    ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"
    ldap_kdc_dn = "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de"
    ldap_kadmin_dn = "cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de"
    ldap_service_password_file = "/var/kerberos/krb5kdc/service.keyfile"
    ldap_servers = "ldaps://hydra.rrz.uni-koeln.de"
    ldap_cons_per_server = 5
  }


/var/kerberos/krb5kdc/kadm5.acl:

*/admin@EXAMPLE.UNI-KOELN.de	*


Configuring Kerberos and LDAP with 'ldapi://...' gives the same error
messages. Setting up Kerberos without OpenLDAP works, but I do get this error:

[root@hydra krb5kdc]# kadmin.local
kadmin.local: unable to get default realm

(strace shows that kadmin.local doesn't read /etc/krb5.conf... copying the
[libdefaults] section into kdc.conf fixes this one... hmmpf... Don't know
if this is a bug in the Red Hat version only...)


But ..

[root@hydra krb5kdc]# kadmin.local -r EXAMPLE.UNI-KOELN.DE
Authenticating as principal root/admin@EXAMPLE.UNI-KOELN.DE with password.
kadmin.local:  listprincs
K/M@EXAMPLE.UNI-KOELN.DE
kadmin/admin@EXAMPLE.UNI-KOELN.DE
kadmin/changepw@EXAMPLE.UNI-KOELN.DE
kadmin/history@EXAMPLE.UNI-KOELN.DE
kadmin/hydra.rrz.uni-koeln.de@EXAMPLE.UNI-KOELN.DE
krbtgt/EXAMPLE.UNI-KOELN.DE@EXAMPLE.UNI-KOELN.DE

For this one I've deleted the [dbdefaults] and [dbmodules] sections and
replaced the database_module entry with a database_name entry.


Does anybody know if the LDAP backend works with this kerberos version
and with RHEL? What did I miss?


Regards

Berthold Cogel
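The post above wires together three files that have to agree with each other (/etc/krb5.conf, kdc.conf with its [dbmodules] section, and kadm5.acl) and sets KRB5_CONFIG to kdc.conf before running the tools. Two facts about MIT krb5 are worth checking mechanically here: realm names are case-sensitive, so an ACL written for `EXAMPLE.UNI-KOELN.de` matches nothing in `EXAMPLE.UNI-KOELN.DE`; and KRB5_CONFIG is a colon-separated list of profile files that replaces the default /etc/krb5.conf rather than adding to it, which is consistent with the strace observation in the post (the kdc.conf-specific variable is KRB5_KDC_PROFILE). The following is an added example, not code from the post or from the krb5 project: a small parser for the profile format the two config files share, plus the cross-file checks a practitioner would run before starting the KDC. The embedded configs are constructed, trimmed copies of the ones in the post; the file names in `FILES` are only used as dictionary keys so the script runs offline.

```python
"""Consistency checks for an MIT krb5 KDC that uses the kldap backend.

Added example (not from the post). Parses the profile syntax shared by
krb5.conf and kdc.conf and cross-checks realm names, the dbmodules entry
and the effect of KRB5_CONFIG. The embedded configs are constructed.
"""
import re

def parse_profile(text):
    """Parse krb5 profile syntax ([section], 'key = value', 'key = {' ... '}',
    '#' comments) into nested dicts; the first value of a repeated key wins."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(\S+)\]$', line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
        elif line == '}':
            stack.pop()
        else:
            key, _, value = (s.strip() for s in line.partition('='))
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, value.strip('"'))
    return root

# Keys a kldap module needs, either in its own block or in [dbdefaults].
KLDAP_KEYS = ('ldap_kerberos_container_dn', 'ldap_kdc_dn', 'ldap_kadmin_dn',
              'ldap_service_password_file', 'ldap_servers')

def check_kdc(krb5_conf, kdc_conf, kadm5_acl):
    """Return a list of cross-file problems (empty when everything agrees)."""
    problems = []
    krb5, kdc = parse_profile(krb5_conf), parse_profile(kdc_conf)
    realm = krb5.get('libdefaults', {}).get('default_realm')
    if not realm:
        return ['krb5.conf: no default_realm in [libdefaults]']
    for name, prof in (('krb5.conf', krb5), ('kdc.conf', kdc)):
        if realm not in prof.get('realms', {}):
            problems.append('%s: no [realms] entry for %s' % (name, realm))
    # Realm names are case-sensitive: an ACL for a differently cased realm
    # matches nobody, so kadmin quietly denies every operation.
    for line in kadm5_acl.splitlines():
        fields = line.split('#', 1)[0].split()
        if fields and '@' in fields[0] and fields[0].rpartition('@')[2] != realm:
            problems.append('kadm5.acl: %s is not in realm %s' % (fields[0], realm))
    module = kdc.get('realms', {}).get(realm, {}).get('database_module')
    if module:
        mod = kdc.get('dbmodules', {}).get(module)
        if mod is None:
            problems.append('kdc.conf: database_module %s has no [dbmodules] entry' % module)
        elif mod.get('db_library') == 'kldap':
            defaults = kdc.get('dbdefaults', {})
            for key in KLDAP_KEYS:
                if key not in mod and key not in defaults:
                    problems.append('kdc.conf: kldap module %s lacks %s' % (module, key))
    return problems

def default_realm_via_env(krb5_config, files):
    """default_realm as libkrb5 would see it with KRB5_CONFIG=krb5_config.
    KRB5_CONFIG REPLACES /etc/krb5.conf; 'files' maps paths to contents."""
    for path in krb5_config.split(':'):
        realm = parse_profile(files.get(path, '')).get('libdefaults', {}).get('default_realm')
        if realm:
            return realm
    return None

# Constructed sample input, trimmed from the post's files.
KRB5_CONF = """[libdefaults]
  default_realm = EXAMPLE.UNI-KOELN.DE
[realms]
 EXAMPLE.UNI-KOELN.DE = {
  kdc = hydra.rrz.uni-koeln.de:88
  }
"""
KDC_CONF = """[realms]
  EXAMPLE.UNI-KOELN.DE = {
    database_module = openldap_ldapconf
  }
[dbmodules]
  openldap_ldapconf = {
    db_library = kldap
    ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"
    ldap_kdc_dn = "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de"
    ldap_kadmin_dn = "cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de"
    ldap_service_password_file = "/var/kerberos/krb5kdc/service.keyfile"
    ldap_servers = "ldaps://hydra.rrz.uni-koeln.de"
  }
"""
KADM5_ACL = "*/admin@EXAMPLE.UNI-KOELN.de\t*\n"   # lowercase .de, as in the post
FILES = {'/etc/krb5.conf': KRB5_CONF, '/var/kerberos/krb5kdc/kdc.conf': KDC_CONF}

if __name__ == '__main__':
    for problem in check_kdc(KRB5_CONF, KDC_CONF, KADM5_ACL):
        print('PROBLEM:', problem)
    print(default_realm_via_env('/var/kerberos/krb5kdc/kdc.conf', FILES))
    print(default_realm_via_env('/etc/krb5.conf:/var/kerberos/krb5kdc/kdc.conf', FILES))
```

Run against the post's configuration, the checker reports only the kadm5.acl realm case mismatch; the dbmodules block is complete. The last two calls show why `export KRB5_CONFIG=/var/kerberos/krb5kdc/kdc.conf` alone leaves kadmin.local with no default realm, and that listing both files in KRB5_CONFIG (or using KRB5_KDC_PROFILE for kdc.conf) restores it.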

