kinit failure with Kerberos and LDAP backend

Mark Pröhl mark at mproehl.net
Fri Oct 19 14:02:41 EDT 2012


Hi,

is there any difference in the output of the following two search requests?

root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
   -b ou=People,dc=uni-koeln,dc=de \
   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'


root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
   -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'

Regards,

Mark


On 19.10.2012 16:05, Berthold Cogel wrote:
> Hello!
>
> I've configured kerberos with an LDAP backend and I'm now trying to fill
> it with users.
>
> System: RHEL5
> Kerberos: 1.6.1-70.el5 (MIT)
> LDAP: openldap-ltb-2.4.28-1.el5
>
> Kerberos is talking to the local LDAP via LDAPI.
>
> The setup is working for all principals in the kerberos container. I can
> do a kinit and get a ticket...
> I also did a
> kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE  -subtrees
> ou=people,dc=uni-koeln,dc=de
>
> I did an ldapadd for some testusers followed by an addprinc for each
> testuser. A listprincs shows the principals of these testusers.
>
> But when I try to do a kinit I get this:
>
> kinit a0537
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> This happens for each principal in the ou=People.
>
> The ldapsearch with the first part of the krb5 request in the LDAP log
> shows this:
>
> ldapsearch -x -ZZ -H ldap://... -D cn=... -W
> "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))"
> scope=2 deref=0
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter:
> (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))
> # requesting: scope=2 deref=0
> #
>
> # a0537, People, uni-koeln.de
> dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> So the principal is in the tree. The complete krb5 request in the LDAP
> log looks like this:
>
>
> slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi
> (PATH=/var/run/ldapi)
> slapd[9882]: conn=230710 op=0 BIND
> dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
> slapd[9882]: conn=230710 op=0 BIND
> dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
> slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
> slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de"
> scope=2 deref=0
> filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))"
>
> slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass
> krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags
> krbprincipalexpiration krbticketpolicyreference krbUpEnabled
> krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
> krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock
> loginexpirationtime logindisabled modifytimestamp krbLastPwdChange
> krbExtraData krbObjectReferences
> slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
> slapd[9882]: conn=230710 op=2 SRCH
> base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2
> deref=0
> filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))"
>
> slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass
> krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags
> krbprincipalexpiration krbticketpolicyreference krbUpEnabled
> krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
> krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock
> loginexpirationtime logindisabled modifytimestamp krbLastPwdChange
> krbExtraData krbObjectReferences
>
>
> I don't understand what is happening, and I don't know where to look.
>
>
> Regards
>
> Berthold Cogel
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


-- 
Mark Pröhl
mark at mproehl.net
www.kerberos-buch.de
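The comparison Mark is asking for can also be read straight out of the slapd log: the KDC's own lookup (conn=230710, bound as cn=kdc) returned nentries=0 against ou=People, while an admin search for the same filter found the entry. The script below is an added example and not part of this thread; it parses slapd "stats" log lines, ties each SRCH to the DN that connection bound with and to its SEARCH RESULT, and flags any (base, filter) pair that one bind DN can see and another cannot. The log lines are constructed for this example: the first connection is modelled on the lines quoted above (with "@" restored where the archive shows " at "), and conn=230711, the SASL EXTERNAL root bind, is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample slapd log lines. conn=230710 follows the KDC's own
# connection as quoted in the thread; conn=230711 is a hypothetical
# ldapsearch -Y EXTERNAL run as root over ldapi:// for comparison.
SAMPLE_LOG = """\
slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey
slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey
slapd[9882]: conn=230710 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230711 fd=30 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
slapd[9882]: conn=230711 op=0 BIND dn="" method=163
slapd[9882]: conn=230711 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
slapd[9882]: conn=230711 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230711 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230711 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# Patterns for the three slapd log record types we need. A connection may
# log several BIND lines for one op (method=..., then mech=...); the last
# one seen is the identity the server actually bound.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"(?: method=\d+| mech=(\S+))')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def parse_slapd_log(text):
    """Return one record per search: who was bound, where it looked, what it got."""
    bind_dn = {}    # conn id -> DN currently bound on that connection
    searches = {}   # (conn, op) -> search record
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, _op, dn, _mech = m.groups()
            bind_dn[conn] = dn or "(anonymous)"
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            searches[(conn, op)] = {
                "conn": conn, "op": op,
                "bind_dn": bind_dn.get(conn, "(anonymous)"),
                "base": base, "scope": int(scope), "filter": filt,
                "err": None, "nentries": None,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, n = m.groups()
            rec = searches.get((conn, op))
            if rec is not None:
                rec["err"] = int(err)
                rec["nentries"] = int(n)
    return list(searches.values())


def compare_visibility(searches):
    """Group completed searches by (base, filter) and report every query that
    returned entries for one bind DN but none for another. err=0 with
    nentries=0 means the server answered normally and simply showed nothing,
    which is how an ACL hiding the entry from the KDC's bind DN looks."""
    by_query = defaultdict(dict)
    for s in searches:
        if s["nentries"] is not None and s["err"] == 0:
            by_query[(s["base"], s["filter"])][s["bind_dn"]] = s["nentries"]
    findings = []
    for (base, filt), per_dn in by_query.items():
        visible = sorted(dn for dn, n in per_dn.items() if n > 0)
        hidden = sorted(dn for dn, n in per_dn.items() if n == 0)
        if visible and hidden:
            findings.append({"base": base, "filter": filt,
                             "visible_to": visible, "hidden_from": hidden})
    return findings


if __name__ == "__main__":
    recs = parse_slapd_log(SAMPLE_LOG)
    for r in recs:
        print(f"conn={r['conn']} op={r['op']} as {r['bind_dn']}: base={r['base']} nentries={r['nentries']}")
    for f in compare_visibility(recs):
        print(f"\n{f['base']}: visible to {f['visible_to']}, hidden from {f['hidden_from']}")
```

Run it against the real slapd log with `loglevel stats` enabled and every (base, filter) pair that shows up under "hidden_from" for cn=kdc is a place to check the olcAccess rules for that subtree; if the same filter returns nothing for the root EXTERNAL bind as well, the entry really lacks the krbPrincipalAux data and the KDC's bind identity is not the problem.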

