kinit failure with Kerberos and LDAP backend

Berthold Cogel cogel at uni-koeln.de
Sat Oct 20 18:21:50 EDT 2012


On 19.10.2012 20:02, Mark Pröhl wrote:
> Hi,
> 
> is there any difference in the output of the following two search requests?
> 
> root at kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>   -b ou=People,dc=uni-koeln,dc=de \
>   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'
> 
> root at kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>   -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>   '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'
> 
> 
> Regards,
> 
> Mark
> 
> 
> On 19.10.2012 16:05, Berthold Cogel wrote:
>> Hello!
>>
>> I've configured kerberos with an LDAP backend and I'm now trying to fill
>> it with users.
>>
>> System: RHEL5
>> Kerberos: 1.6.1-70.el5 (MIT)
>> LDAP: openldap-ltb-2.4.28-1.el5
>>
>> Kerberos is talking to the local LDAP via LDAPI.
>>
>> The setup is working for all principals in the kerberos container. I can
>> do a kinit and get a ticket...
>> I also did a
>> kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees ou=people,dc=uni-koeln,dc=de
>>
>> I did an ldapadd for some testusers followed by an addprinc for each
>> testuser. A listprincs shows the principals of these testusers.
>>
>> But when I try to do a kinit I get this:
>>
>> kinit a0537
>> kinit(v5): Client not found in Kerberos database while getting initial
>> credentials
>>
>> This happens for each principal in the ou=People.
>>
>> The ldapsearch with the first part of the krb5 request in the LDAP log
>> shows this:
>>
>> ldapsearch -x -ZZ -H ldap://... -D cn=... -W
>> "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))"
>>
>> scope=2 deref=0
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope subtree
>> # filter:
>> (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))
>>
>> # requesting: scope=2 deref=0
>> #
>>
>> # a0537, People, uni-koeln.de
>> dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
>>
>> # search result
>> search: 3
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>> So the principal is in the tree. The complete krb5 request in the LDAP
>> log looks like this:
>>
>>
>> slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
>> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
>> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
>> slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
>> slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))"
>> slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>> slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))"
>> slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>>
>>
>> I don't understand what is happening. And I don't know, where to look.
>>
>>
>> Regards
>>
>> Berthold Cogel
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 
> 

What I get is this:


ldapsearch -Y EXTERNAL -H ldapi:// -b ou=People,dc=uni-koeln,dc=de \
  '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=uni-koeln,dc=de> with scope subtree
# filter:
(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

ldapsearch -Y EXTERNAL -H ldapi:// -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
  '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de> with scope subtree
# filter:
(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


Regards

Berthold
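An added diagnostic, not code from this thread: the KDC's LDAP backend issues one search per configured subtree, and the slapd log only tells you which subtree failed once each SRCH line is paired with its SEARCH RESULT by conn/op. The Python below does that pairing over a constructed sample built from the log lines quoted above (mail wrapping removed, '@' restored); the err=32 result for the realm-container search is an assumption mirroring the "No such object" the EXTERNAL ldapsearch returned.

```python
import re
# Constructed sample based on the slapd lines quoted in this thread. The op=2 result
# with err=32 is an assumption mirroring the "No such object" ldapsearch got above.
SAMPLE_LOG = """\
slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ deref=\d+ filter="(.*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
PRINC_RE = re.compile(r'\(krbPrincipalName=([^)]+)\)')

def correlate_searches(log_text):
    """Pair each SRCH with its SEARCH RESULT by (conn, op); one dict per search, log order."""
    binds, searches = {}, {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[m.group(1)] = m.group(3)      # remember which DN this connection bound as
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, filt = m.groups()
            pm = PRINC_RE.search(filt)          # principal the KDC is looking for
            searches[(conn, op)] = {"bind_dn": binds.get(conn, "?"), "base": base,
                                    "principal": pm.group(1) if pm else None, "err": None, "nentries": None}
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in searches:
            rec = searches[(m.group(1), m.group(2))]
            rec["err"], rec["nentries"] = int(m.group(3)), int(m.group(4))
    return list(searches.values())

def explain(rec):
    """Turn one correlated subtree lookup into a diagnostic sentence for the admin."""
    base, who, err = rec["base"], rec["bind_dn"], rec["err"]
    if err == 32:
        return "base %s does not exist or is not visible to %s" % (base, who)
    if err == 0 and rec["nentries"] == 0:
        return ("base %s exists but nothing matched %s (entry missing, wrong objectClass/"
                "krbPrincipalName, or hidden from %s by ACL)" % (base, rec["principal"], who))
    if err == 0:
        return "base %s: %d matching entries" % (base, rec["nentries"])
    return "base %s: %s" % (base, "no SEARCH RESULT logged" if err is None else "LDAP error %d" % err)
```

Run it on a real slapd log with `loglevel stats` and compare the bind DN and entry count for each subtree against what the same filter returns when bound as the same DN.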

