kdb5_ldap_util fails, no idea why
t Seeger
tseegerkrb at gmail.com
Tue Nov 8 02:58:42 EST 2016
Hello,
Did you create the /etc/krb5kdc/kdc.conf file? The Kerberos container DN is set up there (ldap_kerberos_container_dn). And you need to use 'cn' for the container; this changed some versions ago.
[dbmodules]
LDAP = {
db_library = kldap
ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
....
}
- Thorsten
Sent from my iPhone
> On 07.11.2016 at 17:14, Dr. Lars Hanke <debian at lhanke.de> wrote:
>
>> On 07.11.2016 at 15:06, Todd Grayson wrote:
>> From that error message you need to provide the schema file for the
>> kerebros ldap objects to your directory instance. Can we assume you
>> followed top down the instructions from here?
>>
>> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
> Yes, this is my main source. It seems I have the schema on my LDAP:
>
> ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' 'dn'
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <cn=schema,cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: dn
> #
>
> # schema, config
> dn: cn=schema,cn=config
>
> # {0}core, schema, config
> dn: cn={0}core,cn=schema,cn=config
>
> # {1}cosine, schema, config
> dn: cn={1}cosine,cn=schema,cn=config
>
> # {2}nis, schema, config
> dn: cn={2}nis,cn=schema,cn=config
>
> # {3}inetorgperson, schema, config
> dn: cn={3}inetorgperson,cn=schema,cn=config
>
> # {4}samba, schema, config
> dn: cn={4}samba,cn=schema,cn=config
>
> # {5}kerberos, schema, config
> dn: cn={5}kerberos,cn=schema,cn=config
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 8
> # numEntries: 7
>
> I admit that I did not understand why in that Howto many more schemas
> were included to produce the LDIF for the Kerberos schema, but at least
> OpenLDAP did accept it.
>
> Thanks,
> - lars.
>>
>>
>>
>> On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <debian at lhanke.de> wrote:
>>
>> I'm currently setting up a new KDC for a new domain. I also have a shiny
>> new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
>> fine, there is no specific data in it yet.
>>
>> Trying to create the Kerberos container, I get the following error:
>>
>> kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees
>> dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
>> Password for "cn=admin,dc=microsult,dc=de":
>> Initializing database for realm 'UAC.MICROSULT.DE'
>> You will be prompted for the database Master Password.
>> It is important that you NOT FORGET this password.
>> Enter KDC database master key:
>> Re-enter KDC database master key to verify:
>> kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
>> while creating realm 'UAC.MICROSULT.DE'
>>
>> I read somewhere that this may be due to the kerberos container not
>> being a CN attribute. Actually I see in the debug trace of OpenLDAP that
>> it denies dc=microsult,dc=de since it's not a CN.
>>
>> Am I supposed to create a CN node under my TLD and use this? I don't
>> quite understand how the final layout in LDAP is supposed to be and how
>> to put that into arguments for kdb5_ldap_util.
>>
>> Any closer explanation is appreciated. Thanks for your help,
>>
>> - lars.
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>>
>>
>> --
>> Todd Grayson
>> Business Operations Manager
>> Customer Operations Engineering
>> Security SME
>>
>
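A preflight check for the two points raised in this thread (the container DN's leading RDN must be cn=, and the kerberos schema must be loaded under cn=schema,cn=config), as an added shell example that is not code from either poster. The kdc.conf and ldapsearch inputs are constructed samples and the function names are my own.

```shell
# Added preflight for `kdb5_ldap_util create`; example code, not from this thread.
# It checks the two points the replies raise before the tool is run:
#   1. kdc.conf sets ldap_kerberos_container_dn and its leading RDN is cn=
#   2. the directory lists a loaded kerberos schema under cn=schema,cn=config
# Inputs: a kdc.conf path and a file with `ldapsearch -b cn=schema,cn=config dn` output.

# Print the container DN from kdc.conf (first match, comment lines ignored); empty if unset.
container_dn() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/^[[:space:]]*ldap_kerberos_container_dn[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# krbContainer requires cn, so a dc=... RDN produces the "Object class violation" in the original post.
container_rdn_is_cn() {
    case "$1" in
        [cC][nN]=*) return 0 ;;
        *)          return 1 ;;
    esac
}

# True if the schema listing contains an entry like dn: cn={5}kerberos,cn=schema,cn=config
kerberos_schema_loaded() {
    grep -qi '^dn: cn={[0-9]*}kerberos,cn=schema,cn=config' "$1"
}

# Run both checks; prints one diagnosis line and returns 0 only when both pass.
preflight() {
    dn=$(container_dn "$1")
    if [ -z "$dn" ]; then
        echo "FAIL: no ldap_kerberos_container_dn in $1"; return 1
    fi
    if ! container_rdn_is_cn "$dn"; then
        echo "FAIL: container DN '$dn' must start with cn="; return 1
    fi
    if ! kerberos_schema_loaded "$2"; then
        echo "FAIL: kerberos schema not loaded (check cn=schema,cn=config)"; return 1
    fi
    echo "OK: container '$dn', kerberos schema present"
}

# Constructed sample inputs (not captured from a real server) in a scratch directory.
WORK=$(mktemp -d)
printf '[dbmodules]\n LDAP = {\n  db_library = kldap\n  ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de\n }\n' > "$WORK/good.conf"
printf '[dbmodules]\n LDAP = {\n  db_library = kldap\n  ldap_kerberos_container_dn = dc=microsult,dc=de\n }\n' > "$WORK/bad.conf"
printf 'dn: cn=schema,cn=config\n\ndn: cn={0}core,cn=schema,cn=config\n\ndn: cn={5}kerberos,cn=schema,cn=config\n' > "$WORK/schema.ldif"
printf 'dn: cn=schema,cn=config\n\ndn: cn={0}core,cn=schema,cn=config\n' > "$WORK/noschema.ldif"

preflight "$WORK/good.conf" "$WORK/schema.ldif"           # OK
preflight "$WORK/bad.conf" "$WORK/schema.ldif" || true    # FAIL: dc= RDN
preflight "$WORK/good.conf" "$WORK/noschema.ldif" || true # FAIL: schema missing
```

Against a live server, the second input is simply the saved output of the ldapsearch command quoted in the thread.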