kinit failure with Kerberos and LDAP backend

Mark Pröhl mark at mproehl.net
Sun Oct 21 02:39:44 EDT 2012


On 21.10.2012 00:21, Berthold Cogel wrote:
> On 19.10.2012 20:02, Mark Pröhl wrote:
>> Hi,
>>
>> is there any difference in the output of the following two search requests?
>>
>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>    -b ou=People,dc=uni-koeln,dc=de \
>>    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
>>
>>
>>
>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>    -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>>    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
>>
>>
>> Regards,
>>
>> Mark
>>
>>
>> On 19.10.2012 16:05, Berthold Cogel wrote:
>>> Hello!
>>>
>>> I've configured kerberos with an LDAP backend and I'm now trying to fill
>>> it with users.
>>>
>>> System: RHEL5
>>> Kerberos: 1.6.1-70.el5 (MIT)
>>> LDAP: openldap-ltb-2.4.28-1.el5
>>>
>>> Kerberos is talking to the local LDAP via LDAPI.
>>>
>>> The setup is working for all principals in the kerberos container. I can
>>> do a kinit and get a ticket...
>>> I also did a
>>> kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE  -subtrees
>>> ou=people,dc=uni-koeln,dc=de
>>>
>>> I did an ldapadd for some testusers followed by an addprinc for each
>>> testuser. A listprincs shows the principals of these testusers.
>>>
>>> But when I try to do a kinit I get this:
>>>
>>> kinit a0537
>>> kinit(v5): Client not found in Kerberos database while getting initial
>>> credentials
>>>
>>> This happens for each principal in the ou=People.
>>>
>>> The ldapsearch with the first part of the krb5 request in the LDAP log
>>> shows this:
>>>
>>> ldapsearch -x -ZZ -H ldap://... -D cn=... -W
>>> "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
>>>
>>> scope=2 deref=0
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <> with scope subtree
>>> # filter:
>>> (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))
>>>
>>> # requesting: scope=2 deref=0
>>> #
>>>
>>> # a0537, People, uni-koeln.de
>>> dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
>>>
>>> # search result
>>> search: 3
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>>
>>> So the principal is in the tree. The complete krb5 request in the LDAP
>>> log looks like this:
>>>
>>>
>>> slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi
>>> (PATH=/var/run/ldapi)
>>> slapd[9882]: conn=230710 op=0 BIND
>>> dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
>>> slapd[9882]: conn=230710 op=0 BIND
>>> dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
>>> slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
>>> slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de"
>>> scope=2 deref=0
>>> filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
>>>
>>>
>>> slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass
>>> krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags
>>> krbprincipalexpiration krbticketpolicyreference krbUpEnabled
>>> krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
>>> krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock
>>> loginexpirationtime logindisabled modifytimestamp krbLastPwdChange
>>> krbExtraData krbObjectReferences
>>> slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0
>>> text=
>>> slapd[9882]: conn=230710 op=2 SRCH
>>> base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2
>>> deref=0
>>> filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
>>>
>>>
>>> slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass
>>> krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags
>>> krbprincipalexpiration krbticketpolicyreference krbUpEnabled
>>> krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
>>> krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock
>>> loginexpirationtime logindisabled modifytimestamp krbLastPwdChange
>>> krbExtraData krbObjectReferences
>>>
>>>
>>> I don't understand what is happening. And I don't know, where to look.
>>>
>>>
>>> Regards
>>>
>>> Berthold Cogel
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>>
>
> What I get is this:
>
>
> ldapsearch -Y EXTERNAL -H ldapi:// -b ou=People,dc=uni-koeln,dc=de
> '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <ou=People,dc=uni-koeln,dc=de> with scope subtree
> # filter:
> (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
>
>
>
> ldapsearch -Y EXTERNAL -H ldapi:// -b
> cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de
> '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))'
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de> with scope
> subtree
> # filter:
> (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
>
> Regards
>
> Berthold
>

Sorry, I missed that MIT is not using SASL/EXTERNAL. Please try again with

root@kdc # ldapsearch -x -D <BIND_DN> -W -H ldapi:// \
   -b ou=People,dc=uni-koeln,dc=de \
   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<USER_1>@RRZ.UNI-KOELN.DE))'

root@kdc # ldapsearch -x -D <BIND_DN> -W -H ldapi:// \
   -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<USER_2>@RRZ.UNI-KOELN.DE))'

- Replace <BIND_DN> by the value of ldap_kdc_dn from your
   kdc.conf (or krb5.conf)

- Replace <USER_1> by a kerberos principal entry that is
   stored below ou=People

- Replace <USER_2> by a kerberos principal entry that is
   stored below cn=RRZ.UNI-KOELN.DE,ou=Kerberos


Do these LDAP searches result in different attribute sets?

Regards,

Mark Pröhl
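
To see which identity and search base the KDC itself used, its lookups can be read back from the slapd log quoted in this thread. The following Python example is added here and is not part of the original post; the sample log is constructed from the quoted lines (unwrapped to one event per line, attribute lists omitted), and the function names are hypothetical.

```python
import re

# Constructed sample: the slapd lines quoted in the thread, one event per line.
SAMPLE_LOG = '''\
slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
'''

EVENT = re.compile(r'conn=(\d+) op=(\d+) (.*)')
BIND = re.compile(r'BIND dn="([^"]*)" method=')
SRCH = re.compile(r'SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="(.*)"$')
RESULT = re.compile(r'SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')

def summarize_searches(log_text):
    """Pair each SRCH with its SEARCH RESULT and the DN bound on that connection."""
    bind_dn, searches = {}, {}
    for line in log_text.splitlines():
        ev = EVENT.search(line)
        if not ev:
            continue  # e.g. the ACCEPT line, which carries no op= field
        conn, op, rest = ev.group(1), ev.group(2), ev.group(3)
        if m := BIND.match(rest):
            bind_dn[conn] = m.group(1)
        elif m := SRCH.match(rest):
            # err/nentries stay None if the log has no result line for this op
            searches[(conn, op)] = {"bind_dn": bind_dn.get(conn), "base": m.group(1),
                                    "filter": m.group(3), "err": None, "nentries": None}
        elif (m := RESULT.match(rest)) and (conn, op) in searches:
            searches[(conn, op)].update(err=int(m.group(1)), nentries=int(m.group(2)))
    return list(searches.values())

def silent_misses(searches):
    """Searches that completed with err=0 but returned no entries to the bound DN."""
    return [s for s in searches if s["err"] == 0 and s["nentries"] == 0]

if __name__ == "__main__":
    for s in silent_misses(summarize_searches(SAMPLE_LOG)):
        print(f'{s["bind_dn"]} got 0 entries below {s["base"]}')
```

On the sample it reports the ou=People search made as cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de, the DN the KDC bound with in the quoted log, so the manual ldapsearch can be repeated under that same identity.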



