kdb5_ldap_util fails, no idea why

Dr. Lars Hanke debian at lhanke.de
Mon Nov 7 08:47:23 EST 2016


I had a brief look at the scripts - well, the idea to understand the 
relevant parts and reproduce on my own seems laborious at least. I guess 
I'll set up a VM, install your system and try to understand what it did.

Thank you,
  - lars.

On 06.11.2016 at 11:25, t Seeger wrote:
> Hello,
>
> I made an installer script to set up a Kerberos server with LDAP 
> backend. It is for Ubuntu or Debian only. The script is not perfect 
> and for testing, but should guide you in the right direction. You can 
> find it under: https://wp.tntnet.eu/?p=112
>
> Thorsten
>
> Sent from my iPhone
>
> On 05.11.2016 at 22:03, Dr. Lars Hanke <debian at lhanke.de> wrote:
>
>> I'm currently setting up a new KDC for a new domain. I also have a shiny
>> new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
>> fine, there is no specific data in it yet.
>>
>> Trying to create the Kerberos container, I get the following error:
>>
>> kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees
>> dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
>> Password for "cn=admin,dc=microsult,dc=de":
>> Initializing database for realm 'UAC.MICROSULT.DE'
>> You will be prompted for the database Master Password.
>> It is important that you NOT FORGET this password.
>> Enter KDC database master key:
>> Re-enter KDC database master key to verify:
>> kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
>> while creating realm 'UAC.MICROSULT.DE'
>>
>> I read somewhere that this may be due to the kerberos container not
>> being a CN attribute. Actually I see in the debug trace of OpenLDAP that
>> it denies dc=microsult,dc=de since it's not a CN.
>>
>> Am I supposed to create a CN node under my TLD and use this? I don't
>> quite understand how the final layout in LDAP is supposed to be and how
>> to put that into arguments for kdb5_ldap_util.
>>
>> Any closer explanation is appreciated. Thanks for your help,
>>
>>  - lars.
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu <mailto:Kerberos at mit.edu>
>> https://mailman.mit.edu/mailman/listinfo/kerberos



