Error messages

Greg Hudson ghudson at MIT.EDU
Sat Oct 12 23:04:19 EDT 2013


On 10/12/2013 07:39 PM, Rick van Rein (OpenFortress) wrote:
> * I seem to need to run "kdb5_util create" to construct a principal file with a random pool, even when running on an LDAP backend

This should not be required.  A "principal file" sounds like a DB2 
database (since the DB2 KDB module uses the default base name of 
"principal" inside the KDC directory), which you aren't using.  A 
"random pool" doesn't sound like anything in our KDC architecture.

> * The master key is entered into "kdb5_util create /var/lib/kerberos/principal.`echo $REALM | tr A-Z a-z`"
> * I then run "kdb5_ldap_util -s -D uid=root,$ROOTDN create -r $REALM" and have (in /etc/krb5.conf) ldap_kerberos_container_dn stored in a [dbmodules] entry appointed as the database_module in [dbdefaults]
> * This asks for initialisation of the master database key /again/ which I fill with the same value as for "kdb5_util create"

You should only be prompted for the master key once, if you omit the 
unnecessary first command.  (kdb5_util create does not take an argument, 
so the filename you entered there isn't used.)

> * I then run "kdb5_ldap_util stashpwd" twice; once to extract the KDC key and once to extract the Kadmin key
> * These two runs each ask me for one of the strings generated in the second step
> * I combine the retrieved KDC and Kadmin keys into one file appointed by (in /etc/krb5.conf) ldap_service_password_file in a [dbmodules] entry appointed as database_module in [dbdefaults].

You don't need to manually combine the KDC and kadmin keys.  kdb5_util 
stashsrvpw appends to the service password file.

> * The KDC key is translated to 1008 bits (?), the Kadmin key is only mapped to hex (?!?)

Both the KDC and kadmin passwords should only be mapped to one line 
containing the DN and a hex password.  If you are seeing binary data 
ahead of that, then you accidentally appended the LDAP password line to 
the master key stash file (which is a common mistake, partly because 
"stashsrvpw" is an unfortunate command name).
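One way to catch the mix-up Greg describes before the KDC is started. This is an added example, not code from the thread or from MIT Kerberos: it parses a service password file and reports lines that are not a single DN followed by a hex password, and flags binary data (the signature of a DN line that was appended to the master key stash file by mistake). The exact line shape, `DN#{HEX}<hexdigits>`, is assumed here from what kdb5_ldap_util stashsrvpw writes; the thread only says "the DN and a hex password". The DNs and passwords in the two sample files are constructed.

```python
import re
import string
import sys

# Constructed sample: two entries as stashsrvpw is assumed to write them,
# one line per service DN, hex password prefixed with {HEX}.
GOOD_FILE = (
    b"cn=kdc-service,dc=example,dc=com#{HEX}6b64632d736563726574\n"
    b"cn=kadmin-service,dc=example,dc=com#{HEX}6b61646d696e2d736563726574\n"
)

# Constructed sample of the mistake from the thread: the DN/password line was
# appended to the binary master key stash file, so binary bytes precede it.
BAD_FILE = (
    b"\x00\x00\x00\x01\x00\x11\xde\xad\xbe\xef\x42\x91\x7f\x03"
    b"cn=kdc-service,dc=example,dc=com#{HEX}6b64632d736563726574\n"
)

# Assumed on-disk line format: <DN>#{HEX}<hex-encoded password>
LINE_RE = re.compile(rb"^(?P<dn>[^#]+)#\{HEX\}(?P<hex>[0-9a-fA-F]+)$")
PRINTABLE = set(string.printable.encode())


def check_service_password_file(data):
    """Parse the bytes of an ldap_service_password_file.

    Returns (entries, problems): entries maps each DN to its decoded
    password bytes; problems is a list of human-readable findings.
    """
    entries = {}
    problems = []
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        if raw == b"":
            continue
        # Any non-printable byte means this is not the text file stashsrvpw
        # writes; most likely the master key stash file got the line instead.
        if any(b not in PRINTABLE for b in raw):
            problems.append(
                f"line {lineno}: binary data present; this looks like a "
                f"master key stash file, not the service password file"
            )
            continue
        m = LINE_RE.match(raw)
        if not m:
            problems.append(f"line {lineno}: not of the form DN#{{HEX}}<hex>")
            continue
        hexpw = m.group("hex")
        if len(hexpw) % 2:
            problems.append(f"line {lineno}: odd-length hex password")
            continue
        dn = m.group("dn").decode()
        if dn in entries:
            problems.append(f"line {lineno}: duplicate entry for DN {dn}")
            continue
        entries[dn] = bytes.fromhex(hexpw.decode())
    return entries, problems


if __name__ == "__main__":
    # Usage: python check_svcpw.py /path/to/ldap_service_password_file
    with open(sys.argv[1], "rb") as fh:
        found, issues = check_service_password_file(fh.read())
    for dn in found:
        print(f"ok: {dn}")
    for issue in issues:
        print(f"problem: {issue}")
    sys.exit(1 if issues else 0)
```

Run it against the file named by ldap_service_password_file in the [dbmodules] entry; a clean file yields one "ok" line per service DN (KDC and kadmin), and any "binary data present" finding means the stash file and the service password file have been confused.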
