kdb5_ldap_util fails, no idea why

t Seeger tseegerkrb at gmail.com
Tue Nov 8 07:16:43 EST 2016


Hello Lars,

I corrected a little bug in my script, so please use the new version: https://wp.tntnet.eu/?p=112. The bug is only a problem in a multi-master setup, because the keytab is not updated correctly.

- Thorsten

Sent from my iPhone

> On 08.11.2016 at 08:58, t Seeger <tseegerkrb at gmail.com> wrote:
> 
> Hello,
> 
> Did you create the /etc/krb5kdc/kdc.conf file? The Kerberos container DN is set up there (ldap_kerberos_container_dn). And you need to use 'cn' for the container; this changed some versions ago.
> 
> 
> [dbmodules]
>   LDAP = {
>      db_library = kldap
>      ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
>      ....
>     }
> 
> - Thorsten 
> 
> Sent from my iPhone
> 
>> On 07.11.2016 at 17:14, Dr. Lars Hanke <debian at lhanke.de> wrote:
>> 
>>> On 07.11.2016 at 15:06, Todd Grayson wrote:
>>> From that error message you need to provide the schema file for the 
>>> Kerberos LDAP objects to your directory instance. Can we assume you 
>>> followed top down the instructions from here?
>>> 
>>> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
>> Yes, this is my main source. It seems I have the schema on my LDAP:
>> 
>> ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' 'dn'
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=schema,cn=config> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: dn
>> #
>> 
>> # schema, config
>> dn: cn=schema,cn=config
>> 
>> # {0}core, schema, config
>> dn: cn={0}core,cn=schema,cn=config
>> 
>> # {1}cosine, schema, config
>> dn: cn={1}cosine,cn=schema,cn=config
>> 
>> # {2}nis, schema, config
>> dn: cn={2}nis,cn=schema,cn=config
>> 
>> # {3}inetorgperson, schema, config
>> dn: cn={3}inetorgperson,cn=schema,cn=config
>> 
>> # {4}samba, schema, config
>> dn: cn={4}samba,cn=schema,cn=config
>> 
>> # {5}kerberos, schema, config
>> dn: cn={5}kerberos,cn=schema,cn=config
>> 
>> # search result
>> search: 2
>> result: 0 Success
>> 
>> # numResponses: 8
>> # numEntries: 7
>> 
>> I admit that I did not understand why in that Howto many more schemas 
>> were included to produce the LDIF for the Kerberos schema, but at least 
>> OpenLDAP did accept it.
>> 
>> Thanks,
>> - lars.
>>> 
>>> 
>>> 
>>> On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <debian at lhanke.de> wrote:
>>> 
>>>   I'm currently setting up a new KDC for a new domain. I also have a
>>>   shiny new LDAP. I want Kerberos to use LDAP as backend. LDAP
>>>   connectivity is fine, there is no specific data in it yet.
>>> 
>>>   Trying to create the Kerberos container, I get the following error:
>>> 
>>>   kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
>>>   Password for "cn=admin,dc=microsult,dc=de":
>>>   Initializing database for realm 'UAC.MICROSULT.DE'
>>>   You will be prompted for the database Master Password.
>>>   It is important that you NOT FORGET this password.
>>>   Enter KDC database master key:
>>>   Re-enter KDC database master key to verify:
>>>   kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
>>>   while creating realm 'UAC.MICROSULT.DE'
>>> 
>>>   I read somewhere that this may be due to the Kerberos container not
>>>   being a CN attribute. Actually I see in the debug trace of OpenLDAP
>>>   that it denies dc=microsult,dc=de since it's not a CN.
>>> 
>>>   Am I supposed to create a CN node under my TLD and use this? I don't
>>>   quite understand how the final layout in LDAP is supposed to be and
>>>   how to put that into arguments for kdb5_ldap_util.
>>> 
>>>   Any closer explanation is appreciated. Thanks for your help,
>>> 
>>>     - lars.
>>> 
>>> 
>>>   ________________________________________________
>>>   Kerberos mailing list           Kerberos at mit.edu
>>>   https://mailman.mit.edu/mailman/listinfo/kerberos
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Todd Grayson
>>> Business Operations Manager
>>> Customer Operations Engineering
>>> Security SME
>>> 
>> 
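The two things the thread settles on, namely that the kerberos schema must be loaded under cn=schema,cn=config and that ldap_kerberos_container_dn in kdc.conf must start with a cn= RDN rather than the dc= base that produced the "Object class violation", can be checked before running kdb5_ldap_util. The script below is an added example and is not code from the thread or from Thorsten's linked script. It reads a kdc.conf-style file and saved ldapsearch output; the file paths, the function names and the sample files it builds are assumptions for illustration, and the DN cn=KERBEROS,dc=microsult,dc=de is the one from the reply above. It only checks the configuration text, not the directory's ACLs or the bind credentials.

```shell
#!/bin/sh
# Added example (not from the thread or the linked script): pre-flight
# checks for an MIT Kerberos LDAP backend before kdb5_ldap_util create.
# All paths and sample files below are constructed for illustration.

# Print the value of ldap_kerberos_container_dn from a kdc.conf-style
# file (first match only, surrounding whitespace stripped).
container_dn_from_conf() {
    sed -n 's/^[[:space:]]*ldap_kerberos_container_dn[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed only if the leftmost RDN of the DN is cn=... (case-insensitive).
# A bare dc= base such as dc=microsult,dc=de is what the poster used and
# what OpenLDAP rejected with "Object class violation".
container_dn_ok() {
    case "$1" in
        [cC][nN]=?*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Succeed if ldapsearch output on stdin lists a kerberos schema entry,
# e.g. "dn: cn={5}kerberos,cn=schema,cn=config" as seen in the thread.
has_kerberos_schema() {
    grep -qi '^dn: cn={[0-9]*}kerberos,cn=schema,cn=config$'
}

# Combined check. $1 = kdc.conf path, $2 = file holding the output of
# "ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn".
# Returns 0 when both checks pass, 1 when the setup needs fixing.
preflight() {
    dn=$(container_dn_from_conf "$1")
    rc=0
    if [ -z "$dn" ]; then
        echo "ldap_kerberos_container_dn is not set in $1" >&2; rc=1
    elif ! container_dn_ok "$dn"; then
        echo "container DN '$dn' must start with cn=, e.g. cn=KERBEROS,dc=microsult,dc=de" >&2; rc=1
    fi
    if ! has_kerberos_schema < "$2"; then
        echo "kerberos schema not found under cn=schema,cn=config" >&2; rc=1
    fi
    return $rc
}

# Demo on constructed input (not real output from the poster's system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/kdc.conf.bad" <<'EOF'
[dbmodules]
  LDAP = {
     db_library = kldap
     ldap_kerberos_container_dn = dc=microsult,dc=de
  }
EOF
cat > "$demo_dir/kdc.conf.good" <<'EOF'
[dbmodules]
  LDAP = {
     db_library = kldap
     ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
  }
EOF
printf 'dn: cn={4}samba,cn=schema,cn=config\n\ndn: cn={5}kerberos,cn=schema,cn=config\n' \
    > "$demo_dir/schema.txt"

if preflight "$demo_dir/kdc.conf.bad" "$demo_dir/schema.txt"; then
    echo "bad config passed?!"
else
    echo "bad config rejected (expected)"
fi
if preflight "$demo_dir/kdc.conf.good" "$demo_dir/schema.txt"; then
    echo "good config accepted (expected)"
else
    echo "good config rejected?!"
fi
rm -rf "$demo_dir"
```

Run it with the real /etc/krb5kdc/kdc.conf and a file captured from the ldapsearch command shown above; a non-zero exit from preflight means kdb5_ldap_util will most likely fail the same way as in the original post.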

