kinit failure with Kerberos and LDAP backend

Berthold Cogel cogel at uni-koeln.de
Fri Oct 19 10:05:44 EDT 2012


Hello!

I've configured kerberos with an LDAP backend and I'm now trying to fill
it with users.

System: RHEL5
Kerberos: 1.6.1-70.el5 (MIT)
LDAP: openldap-ltb-2.4.28-1.el5

Kerberos is talking to the local LDAP via LDAPI.

The setup is working for all principals in the kerberos container. I can
do a kinit and get a ticket...
I also did an
kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees ou=people,dc=uni-koeln,dc=de

I did an ldapadd for some test users followed by an addprinc for each
test user. A listprincs shows the principals of these test users.

But when I try to do a kinit I get this:

kinit a0537
kinit(v5): Client not found in Kerberos database while getting initial credentials

This happens for each principal in the ou=People.

The ldapsearch with the first part of the krb5 request in the LDAP log
shows this:

ldapsearch -x -ZZ -H ldap://... -D cn=... -W "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))" scope=2 deref=0
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))
# requesting: scope=2 deref=0
#

# a0537, People, uni-koeln.de
dn: uid=a0537,ou=People,dc=uni-koeln,dc=de

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1


So the principal is in the tree. The complete krb5 request in the LDAP
log looks like this:


slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences


I don't understand what is happening. And I don't know where to look.


Regards

Berthold Cogel
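Added example (not part of the original post): a shell check that replays the KDC's exact search from the slapd log under both the KDC bind DN and an admin DN and compares what each gets back, since the log shows the search bound as cn=kdc returning nentries=0 for the very entry the interactive search found. The interactive ldapsearch in the post passed scope=2 and deref=0 as attribute names (hence "# requesting: scope=2 deref=0" and a dn-only result), so it does not show whether the krb* attributes are readable by the KDC identity. The admin DN, the password-file paths and the script name are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: replay the search the KDC
# runs (same base, scope and filter as in the slapd log) under two identities
# and compare the results. Assumed/hypothetical: the admin DN, the password
# files, and that the OpenLDAP ldapsearch client is installed.
set -eu

LDAPI_URI="${LDAPI_URI:-ldapi://%2Fvar%2Frun%2Fldapi}"      # socket from the log
KDC_DN="${KDC_DN:-cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de}"   # bind DN from the log
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=uni-koeln,dc=de}"         # hypothetical
BASE="${BASE:-ou=People,dc=uni-koeln,dc=de}"                 # subtree from the log

# The filter the KDC uses, copied from the slapd log; $1 is principal@REALM.
kdc_filter() {
    printf '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=%s))' "$1"
}

# Count entries in LDIF on stdin (one "dn:" line per returned entry).
count_entries() {
    grep -c '^dn:' || true
}

# Count attribute lines named $1 in LDIF on stdin, e.g. krbPrincipalKey.
count_attr() {
    grep -ic "^$1:" || true
}

# Run the KDC's search bound as $1 (password file $2) for principal $3.
# Prints "<entries> <key-attrs>"; the KDC needs both to be non-zero.
search_as() {
    out=$(ldapsearch -LLL -x -H "$LDAPI_URI" -D "$1" -y "$2" \
              -b "$BASE" -s sub "$(kdc_filter "$3")" krbPrincipalName krbPrincipalKey)
    printf '%s %s\n' "$(printf '%s\n' "$out" | count_entries)" \
                     "$(printf '%s\n' "$out" | count_attr krbPrincipalKey)"
}

# Live run only when asked: ./kdc_search_check.sh run a0537@RRZ.UNI-KOELN.DE
if [ "${1:-}" = "run" ]; then
    kdc=$(search_as "$KDC_DN"   "${KDC_PWFILE:-/etc/krb5kdc/kdc.pw}" "$2")
    adm=$(search_as "$ADMIN_DN" "${ADMIN_PWFILE:-/root/admin.pw}"    "$2")
    echo "as $KDC_DN: $kdc (entries keys)"
    echo "as $ADMIN_DN: $adm (entries keys)"
    [ "$kdc" = "$adm" ] || echo "MISMATCH: the KDC identity sees less than admin;" \
                                "review olcAccess for $BASE and the krb* attributes"
fi
```

If the admin bind returns the entry with a krbPrincipalKey line but the KDC bind returns 0 entries or 0 key attributes, the LDAP side (not the principal data) is what needs attention.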

