kinit failure with Kerberos and LDAP backend

Bob Liu hme0 at hotmail.com
Fri Oct 19 14:59:09 EDT 2012


It depends on how you have your "krb5.conf" configured... you might want to try the following kinit instead and see...

kinit a0537@RRZ.UNI-KOELN.DE

> Date: Fri, 19 Oct 2012 20:02:41 +0200
> From: mark at mproehl.net
> To: kerberos at mit.edu; cogel at uni-koeln.de
> Subject: Re: kinit failure with Kerberos and LDAP backend
> 
> Hi,
> 
> is there any difference in the output of the following two search requests?
> 
> root at kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>    -b ou=People,dc=uni-koeln,dc=de \
>    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
> 
> 
> root at kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>    -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
> 
> Regards,
> 
> Mark
> 
> 
> Am 19.10.2012 16:05, schrieb Berthold Cogel:
> > Hello!
> >
> > I've configured kerberos with an LDAP backend and I'm now trying to fill
> > it with users.
> >
> > System: RHEL5
> > Kerberos: 1.6.1-70.el5 (MIT)
> > LDAP: openldap-ltb-2.4.28-1.el5
> >
> > Kerberos is talking to the local LDAP via LDAPI.
> >
> > The setup is working for all principals in the kerberos container. I can
> > do a kinit and get a ticket...
> > I also did a
> > kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees ou=people,dc=uni-koeln,dc=de
> >
> > I did an ldapadd for some testusers followed by an addprinc for each
> > testuser. A listprincs shows the principals of these testusers.
> >
> > But when I try to do a kinit I get this:
> >
> > kinit a0537
> > kinit(v5): Client not found in Kerberos database while getting initial credentials
> >
> > This happens for each principal in the ou=People.
> >
> > The ldapsearch with the first part of the krb5 request in the LDAP log
> > shows this:
> >
> > ldapsearch -x -ZZ -H ldap://... -D cn=... -W \
> >   "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))" \
> >   scope=2 deref=0
> > Enter LDAP Password:
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <> with scope subtree
> > # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))
> > # requesting: scope=2 deref=0
> > #
> >
> > # a0537, People, uni-koeln.de
> > dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
> >
> > # search result
> > search: 3
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> >
> > So the principal is in the tree. The complete krb5 request in the LDAP
> > log looks like this:
> >
> >
> > slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
> > slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
> > slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
> > slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
> > slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
> > slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
> > slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
> > slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
> > slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
> >
> >
> > I don't understand what is happening, and I don't know where to look.
> >
> >
> > Regards
> >
> > Berthold Cogel
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> 
> 
> -- 
> Mark Pröhl
> mark at mproehl.net
> www.kerberos-buch.de
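Added example, not part of the thread above: a small Python script that reads the slapd log excerpt Berthold posted (rejoined onto single lines and embedded here as constructed sample input), pairs each `SRCH` with its `SEARCH RESULT` by `conn`/`op`, and reports the base DN, the principal pulled from the filter, and how many entries came back. It also rebuilds the filter shape the KDC logged, with the principal escaped according to RFC 4515 (the `escape_filter_value` helper is my own; the KDC's actual escaping is not shown on the page). The point is to make the asymmetry in the log visible at a glance: the search under `ou=People` bound as `cn=kdc` returned `nentries=0`, while the same filter run by Berthold as a different identity found the entry.

```python
import re

# Constructed sample input: the slapd lines quoted in the thread, with the
# wrapped lines rejoined. Mailman's "at" obfuscation is restored to "@".
SAMPLE_LOG = """\
slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey
slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey
"""

# The "attr=" SRCH lines carry no base=, so they do not match this pattern.
SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
PRINC_RE = re.compile(r'\(krbPrincipalName=([^)]*)\)')


def escape_filter_value(value):
    """Escape a filter assertion value per RFC 4515 (hypothetical helper,
    written for this example; '*', '(', ')', '\\' and NUL become \\XX)."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def principal_filter(principal):
    """Rebuild the filter shape the KDC logged, for a given principal name."""
    return ('(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))'
            '(krbPrincipalName=%s))' % escape_filter_value(principal))


def parse_kdc_searches(log_text):
    """Map (conn, op) -> search details, joining SRCH with its SEARCH RESULT."""
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pm = PRINC_RE.search(flt)
            searches[(int(conn), int(op))] = {
                'base': base,
                'scope': int(scope),
                'principal': pm.group(1) if pm else None,
                'err': None,        # filled in when the RESULT line is seen
                'nentries': None,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, n = m.groups()
            key = (int(conn), int(op))
            if key in searches:
                searches[key]['err'] = int(err)
                searches[key]['nentries'] = int(n)
    return searches


def diagnose(searches):
    """One report line per search; empty and unfinished searches are flagged."""
    lines = []
    for (conn, op), s in sorted(searches.items()):
        if s['nentries'] is None:
            status = 'no SEARCH RESULT logged (still running, or log cut off)'
        elif s['nentries'] == 0:
            status = 'no entries matched'
        else:
            status = '%d entries matched' % s['nentries']
        lines.append('conn=%d op=%d base=%s principal=%s: %s'
                     % (conn, op, s['base'], s['principal'], status))
    return lines


if __name__ == '__main__':
    for report_line in diagnose(parse_kdc_searches(SAMPLE_LOG)):
        print(report_line)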
 		 	   		  


More information about the Kerberos mailing list