kdb5_ldap_util fails, no idea why
Dr. Lars Hanke
debian at lhanke.de
Mon Nov 7 11:14:02 EST 2016
On 07.11.2016 at 15:06, Todd Grayson wrote:
> From that error message you need to provide the schema file for the
> Kerberos ldap objects to your directory instance. Can we assume you
> followed top down the instructions from here?
>
> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
Yes, this is my main source. It seems I have the schema on my LDAP:
ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' 'dn'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=schema,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: dn
#
# schema, config
dn: cn=schema,cn=config
# {0}core, schema, config
dn: cn={0}core,cn=schema,cn=config
# {1}cosine, schema, config
dn: cn={1}cosine,cn=schema,cn=config
# {2}nis, schema, config
dn: cn={2}nis,cn=schema,cn=config
# {3}inetorgperson, schema, config
dn: cn={3}inetorgperson,cn=schema,cn=config
# {4}samba, schema, config
dn: cn={4}samba,cn=schema,cn=config
# {5}kerberos, schema, config
dn: cn={5}kerberos,cn=schema,cn=config
# search result
search: 2
result: 0 Success
# numResponses: 8
# numEntries: 7
I admit that I did not understand why in that Howto many more schemas
were included to produce the LDIF for the Kerberos schema, but at least
OpenLDAP did accept it.
Thanks,
- lars.
>
>
>
> On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <debian at lhanke.de> wrote:
>
> I'm currently setting up a new KDC for a new domain. I also have a shiny
> new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
> fine, there is no specific data in it yet.
>
> Trying to create the Kerberos container, I get the following error:
>
> kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
> Password for "cn=admin,dc=microsult,dc=de":
> Initializing database for realm 'UAC.MICROSULT.DE'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
> kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
> while creating realm 'UAC.MICROSULT.DE'
>
> I read somewhere that this may be due to the kerberos container not
> being a CN attribute. Actually I see in the debug trace of OpenLDAP that
> it denies dc=microsult,dc=de since it's not a CN.
>
> Am I supposed to create a CN node under my TLD and use this? I don't
> quite understand how the final layout in LDAP is supposed to be and how
> to put that into arguments for kdb5_ldap_util.
>
> Any closer explanation is appreciated. Thanks for your help,
>
> - lars.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
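As an added example (not code from this thread or from MIT krb5), a small Python check that goes one step further than the dn-only ldapsearch above: parse the LDIF that ldapsearch prints for cn=schema,cn=config and verify that the loaded Kerberos schema actually defines the object classes the container create relies on. It assumes the object class names krbContainer and krbRealmContainer from MIT's kerberos.schema; the LDIF sample is constructed, with placeholder OIDs.

```python
import re
# Constructed sample, not real ldapsearch output: one cn=config schema
# entry with folded values; the OIDs are placeholders.
SAMPLE_LDIF = """\
dn: cn={5}kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {5}kerberos
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'krbContainer' SUP
  top STRUCTURAL MUST ( cn ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.99999.1.2 NAME 'krbRealmContainer'
  SUP top STRUCTURAL MUST ( cn ) )
"""
OBJCLASS_NAME = re.compile(r"NAME\s+'([^']+)'")

def parse_ldif(text):
    """Entries as dicts attr -> [values]; unfolds continuation lines, skips '#' comments."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # LDIF folding: drop exactly one space
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:        # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def schema_object_classes(entries):
    """Map each loaded schema cn (e.g. '{5}kerberos') to the object class NAMEs it defines."""
    result = {}
    for e in entries:
        if "olcSchemaConfig" in e.get("objectClass", []):
            matches = (OBJCLASS_NAME.search(v) for v in e.get("olcObjectClasses", []))
            result[e["cn"][0]] = [m.group(1) for m in matches if m]
    return result

def missing_kerberos_classes(entries, required=("krbContainer", "krbRealmContainer")):
    """Required Kerberos object classes no loaded schema defines; empty means slapd knows them."""
    defined = {n for names in schema_object_classes(entries).values() for n in names}
    return [c for c in required if c not in defined]
```

For a live check, request the definitions rather than only dn (`ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config objectClass cn olcObjectClasses`) and pass that output to parse_ldif; a non-empty result from missing_kerberos_classes explains an object class violation, an empty one points at the entry being written instead.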