LDAP backend - help needed...
Tiago Elvas
tiagoelvas at gmail.com
Mon May 7 12:03:15 EDT 2012
For the kadmin.local to work I believe you have a misconfiguration.
You should create a kadmin keytab placed in /etc/kadm5.keytab including
principals:

    kadmin/admin
    kadmin/changepw
    kadmin/<hostname>

then in kdc.conf

    [realms]
    EXAMPLE.UNI-KOELN.DE = {
    ...
    admin_keytab = /etc/kadm5.keytab
    ...
    }
I have configured LDAP to be accessed exclusively with a Kerberos ticket
successfully, using OpenLDAP 2.2 and RHEL 5.7.
Best regards
On Mon, May 7, 2012 at 5:38 PM, Berthold Cogel <cogel at uni-koeln.de> wrote:
> Hello!
>
> I'm trying to get kerberos running with an LDAP backend.
>
> System is RHEL 5.8 with krb5 1.6.1-70.el5 packages.
>
> I've set up the LDAP server with kerberos.schema, created an ou=Kerberos
> and organizational roles 'kdc' and 'kadmind' within the ou. ACLs are set
> so that these roles can authenticate and make changes to the ou=Kerberos
> and ou=People.
>
>
> [root at hydra krb5kdc]# KRB5_CONFIG=/var/kerberos/krb5kdc/kdc.conf
> [root at hydra krb5kdc]# export KRB5_CONFIG
> [root at hydra krb5kdc]# kdb5_ldap_util create -D
> cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de -r EXAMPLE.UNI-KOELN.DE -s -sscope
> sub
> Password for "cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de":
> Initializing database for realm 'EXAMPLE.UNI-KOELN.DE'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
>
>
> The realm container with all principals is created successfully.
>
> [root at hydra krb5kdc]# kdb5_ldap_util stashsrvpw -D
> cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de -f
> /var/kerberos/krb5kdc/service.keyfile cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de
> Password for "cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de":
> Password for "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de":
> Re-enter password for "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de":
> [root at hydra krb5kdc]# kdb5_ldap_util stashsrvpw -D
> cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de -f
> /var/kerberos/krb5kdc/service.keyfile
> cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de
> Password for "cn=ldapmgr,ou=DSA,dc=uni-koeln,dc=de":
> Password for "cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de":
> Re-enter password for "cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de":
>
>
> [root at hydra krb5kdc]# ls -al
> total 24
> drwxr-xr-x 2 root root 4096 May 7 16:09 .
> drwxr-xr-x 3 root root 4096 Dec 27 23:34 ..
> -rw------- 1 root root 30 May 7 15:23 .k5.EXAMPLE.UNI-KOELN.DE
> -rw-r--r-- 1 root root 32 May 7 15:20 kadm5.acl
> -rw-r--r-- 1 root root 1028 May 7 15:20 kdc.conf
> -rw------- 1 root root 128 May 7 16:09 service.keyfile
>
>
> But now:
>
> [root at hydra krb5kdc]# kadmin.local
> kadmin.local: unable to get default realm
>
> [root at hydra krb5kdc]# kadmin.local -r EXAMPLE.UNI-KOELN.DE
> Authenticating as principal root/admin at EXAMPLE.UNI-KOELN.DE with password.
> kadmin.local: Invalid argument while initializing kadmin.local interface
>
>
> In /etc/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.UNI-KOELN.DE
> kdc_timesync = 0
> allow_weak_crypto=true
> dns_lookup_realm = false
>
> [realms]
> EXAMPLE.UNI-KOELN.DE = {
> kdc = hydra.rrz.uni-koeln.de:88
> admin_server = hydra.rrz.uni-koeln.de:749
> default_domain = rrz.uni-koeln.de
> }
> [domain_realm]
> .rrz.uni-koeln.de = EXAMPLE.UNI-KOELN.DE
> [logging]
> kdc = SYSLOG:INFO:LOCAL0
> admin_server = SYSLOG:INFO:LOCAL0
> default = SYSLOG:INFO:LOCAL0
>
>
> /var/kerberos/krb5kdc/kdc.conf:
>
>
> [kdcdefaults]
> kdc_ports = 750,88
> kdc_tcp_ports = 88
> v4_mode = nopreauth
> [realms]
> EXAMPLE.UNI-KOELN.DE = {
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.UNI-KOELN.DE
> supported_enctypes = aes256-cts-hmac-sha1-96:normal
> des-cbc-crc:normal des:afs3
> default_principal_flags = +preauth
> database_module = openldap_ldapconf
> }
> [logging]
> kdc = SYSLOG:INFO:LOCAL0
> admin_server = SYSLOG:INFO:LOCAL0
> default = SYSLOG:INFO:LOCAL0
> [dbdefaults]
> ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"
> [dbmodules]
> openldap_ldapconf = {
> db_library = kldap
> ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"
> ldap_kdc_dn = "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de"
> ldap_kadmin_dn = "cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de"
> ldap_service_password_file = "/var/kerberos/krb5kdc/service.keyfile"
> ldap_servers = "ldaps://hydra.rrz.uni-koeln.de"
> ldap_cons_per_server = 5
> }
>
>
> /var/kerberos/krb5kdc/kadm5.acl:
>
> */admin at EXAMPLE.UNI-KOELN.de *
>
>
> Configuring kerberos and LDAP with 'ldapi://...' gives the same error
> messages. Setting up kerberos without openldap works. I do get this error.
>
> [root at hydra krb5kdc]# kadmin.local
> kadmin.local: unable to get default realm
>
> (strace shows that kadmin.local doesn't read /etc/krb5.conf... copying
> libdefaults section into kdc.conf fixes this one... hmmpf.... Don't know
> if this is a bug in the Red Hat version only...)
>
>
> But ..
>
> [root at hydra krb5kdc]# kadmin.local -r EXAMPLE.UNI-KOELN.DE
> Authenticating as principal root/admin at EXAMPLE.UNI-KOELN.DE with password.
> kadmin.local: listprincs
> K/M at EXAMPLE.UNI-KOELN.DE
> kadmin/admin at EXAMPLE.UNI-KOELN.DE
> kadmin/changepw at EXAMPLE.UNI-KOELN.DE
> kadmin/history at EXAMPLE.UNI-KOELN.DE
> kadmin/hydra.rrz.uni-koeln.de at EXAMPLE.UNI-KOELN.DE
> krbtgt/EXAMPLE.UNI-KOELN.DE at EXAMPLE.UNI-KOELN.DE
>
> For this one I've deleted the dbdefault and dbmodules sections and
> replaced the database_module entry with a database_name .
>
>
> Does anybody know if the LDAP backend works with this kerberos version
> and with RHEL? What did I miss?
>
>
> Regards
>
> Berthold Cogel
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
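As an added example (not part of either message in the thread), here is a small lint for the two kdc.conf pitfalls discussed above: a kldap realm with no admin_keytab, which is what the reply recommends adding, and a kdc.conf without a [libdefaults] default_realm, which the original poster found kadmin.local needs on this RHEL build. The profile parser is a simplified reimplementation of the krb5 profile format (sections, key = value, nested { } groups), and the sample configuration is constructed to mirror the posted one.

```python
import re
# Constructed sample mirroring the thread's kdc.conf: the kldap module is wired
# up, but there is no [libdefaults] default_realm and no admin_keytab.
SAMPLE_KDC_CONF = """
[realms]
 EXAMPLE.UNI-KOELN.DE = {
  database_module = openldap_ldapconf
 }
[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"
  ldap_kdc_dn = "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de"
  ldap_kadmin_dn = "cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de"
  ldap_service_password_file = "/var/kerberos/krb5kdc/service.keyfile"
  ldap_servers = "ldaps://hydra.rrz.uni-koeln.de"
 }
"""

def parse_profile(text):
    """Simplified krb5 profile parser: {section: {key: value or nested dict}}."""
    root, stack = {}, []   # stack[0] is the current section, the rest open { } groups
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if (m := re.match(r"^\[(\S+)\]$", line)) and len(stack) <= 1:
            stack = [root.setdefault(m.group(1), {})]      # new top-level section
        elif line == "}" and len(stack) > 1:               # close a nested group
            stack.pop()
        elif "=" in line and stack:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                               # open a nested group
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value.strip('"')
    return root

def check_kdc_conf(text):
    """Return findings for LDAP-backed realms; an empty list means nothing flagged."""
    prof, findings = parse_profile(text), []
    if "default_realm" not in prof.get("libdefaults", {}):
        findings.append("no [libdefaults] default_realm in kdc.conf")
    for realm, cfg in prof.get("realms", {}).items():
        mod = cfg.get("database_module")
        if mod is None:                                    # db2 backend, not LDAP
            continue
        modcfg = prof.get("dbmodules", {}).get(mod)
        if not isinstance(modcfg, dict) or modcfg.get("db_library") != "kldap":
            findings.append(f"{realm}: database_module '{mod}' is not a kldap [dbmodules] entry")
        if "admin_keytab" not in cfg:
            findings.append(f"{realm}: admin_keytab not set (e.g. /etc/kadm5.keytab)")
    return findings
```

Running check_kdc_conf on the sample reports both gaps; adding a [libdefaults] default_realm and an admin_keytab line to the realm makes it return an empty list.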