kdb5_ldap_util fails, no idea why

t Seeger tseegerkrb at gmail.com
Tue Nov 8 08:00:53 EST 2016


Hello,

You can add the principals under the user's cn; this is possible too. You just need to specify the DN of the user while adding it.
For GSSAPI I use olcAuthzRegexp to map to the LDAP objects. My userPassword attribute looks like: {SASL}username@REALM.

-Thorsten


Sent from my iPhone

> On 08.11.2016 at 13:34, Dr. Lars Hanke <debian at lhanke.de> wrote:
> 
> ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de made it succeed. This is however not mentioned in the HOWTO. From the documentation of -subtree I thought that the principals would somehow be stored with the user and machine entries, i.e. not in a separate tree. So the idea for GSSAPI binding of users or machines will be to use authz?
> 
> Thanks for the help,
> - lars.
> 
>> On 08.11.2016 at 08:58, t Seeger wrote:
>> Hello,
>> 
>> did you create the /etc/krb5kdc/kdc.conf file? The Kerberos container DN is set up there (ldap_kerberos_container_dn). And you need to use 'cn' for the container; this changed some versions ago.
>> 
>> 
>> [dbmodules]
>>     LDAP = {
>>         db_library = kldap
>>         ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
>>         ....
>>     }
>> 
>> - Thorsten
>> 
>> Sent from my iPhone
>> 
>>>> On 07.11.2016 at 17:14, Dr. Lars Hanke <debian at lhanke.de> wrote:
>>>> 
>>>> On 07.11.2016 at 15:06, Todd Grayson wrote:
>>>> From that error message you need to provide the schema file for the
>>>> Kerberos LDAP objects to your directory instance. Can we assume you
>>>> followed the instructions from here, top down?
>>>> 
>>>> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
>>> Yes, this is my main source. It seems I have the schema on my LDAP:
>>> 
>>> ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' 'dn'
>>> SASL/EXTERNAL authentication started
>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> SASL SSF: 0
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=schema,cn=config> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: dn
>>> #
>>> 
>>> # schema, config
>>> dn: cn=schema,cn=config
>>> 
>>> # {0}core, schema, config
>>> dn: cn={0}core,cn=schema,cn=config
>>> 
>>> # {1}cosine, schema, config
>>> dn: cn={1}cosine,cn=schema,cn=config
>>> 
>>> # {2}nis, schema, config
>>> dn: cn={2}nis,cn=schema,cn=config
>>> 
>>> # {3}inetorgperson, schema, config
>>> dn: cn={3}inetorgperson,cn=schema,cn=config
>>> 
>>> # {4}samba, schema, config
>>> dn: cn={4}samba,cn=schema,cn=config
>>> 
>>> # {5}kerberos, schema, config
>>> dn: cn={5}kerberos,cn=schema,cn=config
>>> 
>>> # search result
>>> search: 2
>>> result: 0 Success
>>> 
>>> # numResponses: 8
>>> # numEntries: 7
>>> 
>>> I admit that I did not understand why in that Howto many more schemas
>>> were included to produce the LDIF for the Kerberos schema, but at least
>>> OpenLDAP did accept it.
>>> 
>>> Thanks,
>>>  - lars.
>>>> 
>>>> 
>>>> On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <debian at lhanke.de> wrote:
>>>> 
>>>>    I'm currently setting up a new KDC for a new domain. I also have a shiny
>>>>    new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
>>>>    fine, there is no specific data in it yet.
>>>> 
>>>>    Trying to create the Kerberos container, I get the following error:
>>>> 
>>>>    kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
>>>>    Password for "cn=admin,dc=microsult,dc=de":
>>>>    Initializing database for realm 'UAC.MICROSULT.DE'
>>>>    You will be prompted for the database Master Password.
>>>>    It is important that you NOT FORGET this password.
>>>>    Enter KDC database master key:
>>>>    Re-enter KDC database master key to verify:
>>>>    kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
>>>>    while creating realm 'UAC.MICROSULT.DE'
>>>> 
>>>>    I read somewhere that this may be due to the kerberos container not
>>>>    being a CN attribute. Actually I see in the debug trace of OpenLDAP that
>>>>    it denies dc=microsult,dc=de since it's not a CN.
>>>> 
>>>>    Am I supposed to create a CN node under my TLD and use this? I don't
>>>>    quite understand how the final layout in LDAP is supposed to be and how
>>>>    to put that into arguments for kdb5_ldap_util.
>>>> 
>>>>    Any closer explanation is appreciated. Thanks for your help,
>>>> 
>>>>      - lars.
>>>> 
>>>> 
>>>>    ________________________________________________
>>>>    Kerberos mailing list           Kerberos at mit.edu
>>>>    https://mailman.mit.edu/mailman/listinfo/kerberos
>>>> 
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Todd Grayson
>>>> Business Operations Manager
>>>> Customer Operations Engineering
>>>> Security SME
>>>> 
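As an added example that is not part of the thread and not code from the MIT krb5 or OpenLDAP projects, the shell script below puts the two settings discussed above side by side: a kdc.conf [dbmodules] stanza whose ldap_kerberos_container_dn starts with cn= (the fix Lars found), a check that refuses a container DN that does not start with cn= before kdb5_ldap_util is ever run (kdb5_ldap_util creates that entry with objectClass krbContainer, which requires cn, so a dc= RDN yields the "Object class violation" seen in the first mail), and an olcAuthzRegexp LDIF of the kind Thorsten mentions for mapping GSSAPI identities onto user entries. The realm and base DN are the ones from the thread; the file paths, ou=people, uid-based user RDNs, the ldap_kdc_dn/ldap_kadmind_dn values and the upper-case spelling of the realm inside the SASL authentication DN are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes a constructed kdc.conf
# fragment, checks the container DN before kdb5_ldap_util would be run, and
# writes a constructed olcAuthzRegexp LDIF for GSSAPI identity mapping.
# Realm/base DN come from the thread; paths, ou=people, uid RDNs and the
# KDC/kadmind bind DNs are assumptions.

set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KDC_CONF="$WORKDIR/kdc.conf"
AUTHZ_LDIF="$WORKDIR/authz.ldif"

# Constructed kdc.conf fragment. ldap_kerberos_container_dn names the entry
# kdb5_ldap_util creates with objectClass krbContainer, so its RDN must be cn=.
write_kdc_conf() {
    cat > "$1" <<'EOF'
[realms]
    UAC.MICROSULT.DE = {
        database_module = LDAP
    }

[dbmodules]
    LDAP = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
        ldap_kdc_dn = cn=admin,dc=microsult,dc=de
        ldap_kadmind_dn = cn=admin,dc=microsult,dc=de
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldapi:///
    }
EOF
}

# Print the container DN configured in a kdc.conf (first match, trimmed).
container_dn() {
    sed -n 's/^[[:space:]]*ldap_kerberos_container_dn[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Succeeds only if the leading RDN is cn=...; passing dc=microsult,dc=de as the
# container is what produced "Kerberos Container create FAILED: Object class
# violation" in the thread.
check_container_dn() {
    case "$1" in
        [cC][nN]=*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed LDIF: rewrite the SASL authentication DN that slapd builds for a
# GSSAPI bind (uid=<principal>,cn=<REALM>,cn=gssapi,cn=auth) into the user's
# real entry. ou=people and uid= RDNs are assumed; $1 stays literal here.
write_authz_ldif() {
    cat > "$1" <<'EOF'
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=UAC.MICROSULT.DE,cn=gssapi,cn=auth uid=$1,ou=people,dc=microsult,dc=de
EOF
}

# The same rewrite done locally with sed, to preview what the regexp above
# will do to a given SASL identity before it is loaded into slapd.
map_gssapi_identity() {
    printf '%s\n' "$1" \
        | sed -E 's/^uid=([^,]*),cn=UAC\.MICROSULT\.DE,cn=gssapi,cn=auth$/uid=\1,ou=people,dc=microsult,dc=de/'
}

write_kdc_conf "$KDC_CONF"
write_authz_ldif "$AUTHZ_LDIF"

dn=$(container_dn "$KDC_CONF")
if check_container_dn "$dn"; then
    echo "container DN ok: $dn"
    # The real steps, once kdc.conf is in place (not run here, so the script
    # works offline):
    # kdb5_ldap_util -D cn=admin,dc=microsult,dc=de -H ldapi:/// create \
    #     -subtrees dc=microsult,dc=de -r UAC.MICROSULT.DE -s
    # ldapmodify -Y EXTERNAL -H ldapi:/// -f "$AUTHZ_LDIF"
else
    echo "ldap_kerberos_container_dn must start with cn=, got: $dn" >&2
    exit 1
fi

map_gssapi_identity "uid=lars,cn=UAC.MICROSULT.DE,cn=gssapi,cn=auth"
```

The kdb5_ldap_util and ldapmodify calls are left commented out so the script runs without a directory; run them by hand after reviewing the generated files. The realm component of the olcAuthzRegexp has to match the spelling slapd reports in the SASL authentication DN, so check that with a `ldapwhoami -Y GSSAPI` before relying on the mapping, and use a more specific replacement than ou=people if users and machines live in different subtrees.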
