kinit failure with Kerberos and LDAP backend
Berthold Cogel
cogel at uni-koeln.de
Mon Oct 22 04:34:35 EDT 2012
Am 21.10.2012 17:48, schrieb Berthold Cogel:
> Am 21.10.2012 08:39, schrieb Mark Pröhl:
>> Am 21.10.2012 00:21, schrieb Berthold Cogel:
>>> Am 19.10.2012 20:02, schrieb Mark Pröhl:
>>>> Hi,
>>>>
>>>> is there any difference in the output of the following two search
>>>> requests?
>>>>
>>>> root at kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>>> -b ou=People,dc=uni-koeln,dc=de \
>>>>
>>>> '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'
>>>>
>>>>
>>>>
>>>>
>>>> root at kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>>> -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" \
>>>>
>>>> '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537 at RRZ.UNI-KOELN.DE))'
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Mark
>>>>
>>>>
I got an hint from a former colleague and tried this on all three KDCs:
kadmin.local -q "getprinc a0537"
On the master I get
kadmin.local -q "getprinc a0537"
Authenticating as principal root/admin at RRZ.UNI-KOELN.DE with password.
Principal: a0537 at RRZ.UNI-KOELN.DE
Expiration date: [never]
Last password change: Fri Oct 19 14:27:36 CEST 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Oct 19 14:27:36 CEST 2012 (root/admin at RRZ.UNI-KOELN.DE)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: default
On both slaves:
kadmin.local -q "getprinc a0537"
Authenticating as principal root/admin at RRZ.UNI-KOELN.DE with password.
get_principal: Principal does not exist while retrieving
"a0537 at RRZ.UNI-KOELN.DE".
For the principal not in ou=People it's this on the master
kadmin.local -q "getprinc bco"
Authenticating as principal root/admin at RRZ.UNI-KOELN.DE with password.
Principal: bco at RRZ.UNI-KOELN.DE
Expiration date: [never]
Last password change: Tue May 29 11:25:51 CEST 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Sep 24 16:21:00 CEST 2012 (root/admin at RRZ.UNI-KOELN.DE)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: default
and on both slaves:
kadmin.local -q "getprinc bco"
Authenticating as principal root/admin at RRZ.UNI-KOELN.DE with password.
Principal: bco at RRZ.UNI-KOELN.DE
Expiration date: [never]
Last password change: Tue May 29 11:25:51 CEST 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Sep 24 16:21:00 CEST 2012 (root/admin at RRZ.UNI-KOELN.DE)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: default
Regards
Berthold
More information about the Kerberos
mailing list