ldap database error when creating initial stash

Michael Aldridge michael.aldridge at utdallas.edu
Thu Jun 30 15:02:25 EDT 2016


After asking on IRC the answer turned out to be pretty silly.  For
anyone in the future looking for what this error means, make sure you
have your default realm set in either krb5.conf or kdc.conf as not
having the default set can raise this error.

At this time my KDC is happily running and serving the network.

--Michael

On 06/30/2016 11:15 AM, Michael Aldridge wrote:
> Yes, once converted it should be *.ldif.
> 
> --Michael
> 
> On 06/30/2016 11:01 AM, Todd Grayson wrote:
>> sorry "kerberos.ldif" not "schema.ldif"
>>
>> On Thu, Jun 30, 2016 at 10:00 AM, Todd Grayson <tgrayson at cloudera.com> wrote:
>>
>>     Is the file supposed to be schema.ldif once it's converted that way?
>>
>>     On Thu, Jun 30, 2016 at 9:58 AM, Todd Grayson <tgrayson at cloudera.com> wrote:
>>
>>         The discussion in the mail list I sent, the error emerged as it
>>         was parsing broken schema information in the file...
>>
>>         On Thu, Jun 30, 2016 at 9:55 AM, Michael Aldridge
>>         <michael.aldridge at utdallas.edu> wrote:
>>
>>             Todd,
>>
>>             You are correct that that is in ldif format.  The ldap server
>>             gets built up by using the bare minimum to get it online and
>>             then all the other schemata and associated files are loaded in
>>             with the server online.
>>
>>             The distro is Void Linux, with kerberos version 1.14.2.
>>
>>             I must admit I'm struggling to see what you are seeing.  The
>>             error text to me sounds like it can't even find the ldap
>>             backend, much less try to actually talk to it.  Can you explain
>>             why you think this might be a schema error?
>>
>>             --Michael
>>
>>             On 06/30/2016 09:06 AM, Todd Grayson wrote:
>>             > Michael, I apologize but I'm not familiar with that kind of formatting
>>             > for the kerberos.schema file... the one I'm looking at looks like this
>>             > (segment).
>>             >
>>             > What linux distro/versions are you working over?
>>             >
>>             > That almost looks like the kind of format you would see converting the
>>             > .schema to .ldif or something?
>>             >
>>             > Not being able to parse the schema file is what I was pointing out for
>>             > that error...
>>             >
>>             > --- snip of kerberos.schema as provided in ubuntu ---
>>             >
>>             > attributetype ( 2.16.840.1.113719.1.301.4.1.1
>>             >                 NAME 'krbPrincipalName'
>>             >                 EQUALITY caseExactIA5Match
>>             >                 SUBSTR caseExactSubstringsMatch
>>             >                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
>>             >
>>             > ...
>>             > ...
>>             >
>>             > objectclass ( 2.16.840.1.113719.1.301.6.16.1
>>             >                 NAME 'krbTicketPolicyAux'
>>             >                 SUP top
>>             >                 AUXILIARY
>>             >                 MAY ( krbTicketFlags $ krbMaxTicketLife $
>>             >                       krbMaxRenewableAge ) )
>>             >
>>             >
>>             > On Thu, Jun 30, 2016 at 12:48 AM, Michael Aldridge
>>             > <michael.aldridge at utdallas.edu> wrote:
>>             >
>>             >     While I have not done an in-depth comparison, my schema would appear to
>>             >     just be a re-formatted version of the schema provided in the source
>>             >     tree.  I believe I originally obtained it from an ubuntu release
>>             >     slightly more than a year ago.  What is striking here is that this all
>>             >     worked less than a month ago on my test platform.
>>             >
>>             >     For the curious, here is the schema I'm using:
>>             >     https://raw.githubusercontent.com/collegiumv/cv_config/master/roles/slapd/files/cn%3D%7B4%7Dkerberos.ldif
>>             >
>>             >     --Michael
>>             >
>>             >     On 06/30/2016 01:25 AM, Todd Grayson wrote:
>>             >     > Got schema issues?  Perhaps?
>>             >     >
>>             >     > http://blog.gmane.org/gmane.comp.encryption.kerberos.bugs/month=20131201
>>             >     >
>>             >     > Magic google phrase:
>>             >     >
>>             >     > openldap kerberos schema "Unable to find requested database type"
>>             >     >
>>             >     > On Thu, Jun 30, 2016 at 12:18 AM, Michael Aldridge
>>             >     > <michael.aldridge at utdallas.edu> wrote:
>>             >     >
>>             >     >     Greetings,
>>             >     >
>>             >     >     I hope I am emailing the correct list and if I am not then please accept
>>             >     >     my apology.  I am in the process of standing up a pair of KDCs and I am
>>             >     >     encountering this error when attempting to create the initial password
>>             >     >     stash for accessing the ldap server that backs the kerberos database:
>>             >     >
>>             >     >     kdb5_ldap_util: Unable to find requested database type while setting up lib handle
>>             >     >
>>             >     >     The command I ran to get that error message is:
>>             >     >
>>             >     >     sudo kdb5_ldap_util -D "cn=krbAdmService,dc=collegiumv,dc=org" \
>>             >     >         stashsrvpw -f /var/krb5kdc/ldap.keyfile \
>>             >     >         "cn=krbAdmService,dc=collegiumv,dc=org"
>>             >     >
>>             >     >     I have used my best google-fu but still come up empty.  I can see
>>             >     >     several people who seem to have had the same issue, but I cannot find a
>>             >     >     solution.  I appreciate any insight to this error.
>>             >     >
>>             >     >     --Michael
>>             >     >
>>             >     >     --
>>             >     >     Michael Aldridge
>>             >     >     Network Administrator
>>             >     >     Collegium V Honors College
>>             >     >     The University of Texas at Dallas
>>             >     >     ________________________________________________
>>             >     >     Kerberos mailing list           Kerberos at mit.edu
>>             >     >     https://mailman.mit.edu/mailman/listinfo/kerberos
>>             >     >
>>             >     >
>>             >     >
>>             >     >
>>             >     > --
>>             >     > Todd Grayson
>>             >     > Business Operations Manager
>>             >     > Customer Operations Engineering
>>             >     > Security SME
>>             >     >
> 
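The resolution at the top of this thread, written as a pre-flight check (an added example, not code from the thread or from MIT krb5): it reads krb5.conf and kdc.conf text together, confirms `default_realm` is set in either file, and, going one step beyond what the thread states, that the realm's `database_module` names a `[dbmodules]` entry with `db_library = kldap`. The realm `EXAMPLE.ORG`, the module name `openldap_ldapconf`, the function names and the simplified parser are assumptions, and the sample files are constructed.

```python
def parse_profile(text):
    """Simplified krb5.conf/kdc.conf parser: sections, relations, { } subsections."""
    tree, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [tree.setdefault(line[1:-1], {})]    # repeated sections merge
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif stack and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, value)          # first value wins
    return tree

def check_ldap_kdc_config(*texts):
    """Return None if the default realm resolves to a kldap module, else the problem."""
    prof = parse_profile("\n".join(texts))
    realm = prof.get("libdefaults", {}).get("default_realm")
    if not realm:
        return "no default_realm in [libdefaults]"
    entry = prof.get("realms", {}).get(realm)
    module = entry.get("database_module") if isinstance(entry, dict) else None
    if not module:
        return f"realm {realm}: no database_module in [realms]"
    dbmod = prof.get("dbmodules", {}).get(module)
    if not isinstance(dbmod, dict) or dbmod.get("db_library") != "kldap":
        return f"[dbmodules] {module}: db_library is not kldap"
    return None

# Constructed sample files; EXAMPLE.ORG and openldap_ldapconf are placeholders.
KDC_CONF = """\
[realms]
    EXAMPLE.ORG = {
        database_module = openldap_ldapconf
    }
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_service_password_file = /var/krb5kdc/ldap.keyfile
    }
"""
KRB5_BROKEN = "[libdefaults]\n    dns_lookup_realm = false\n"
KRB5_FIXED = KRB5_BROKEN + "    default_realm = EXAMPLE.ORG\n"
print(check_ldap_kdc_config(KRB5_BROKEN, KDC_CONF), check_ldap_kdc_config(KRB5_FIXED, KDC_CONF))
```

On a real host, pass the contents of the actual krb5.conf and kdc.conf before running `kdb5_ldap_util stashsrvpw`.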

