Help pls : KDC w/LDAP backend

Pascal Jakobi pascal.jakobi at
Sun Jan 1 07:52:19 EST 2017

Hi there

I am trying to install a KDC with an OpenLDAP backend, following
instructions found on the MIT kerberos site. Installation went fine and I
can see that the default principals have been created (kadmin, krbtgt & so

However, I cannot add new principals :
   kadmin.local -q "addprinc -pw password root"
  Authenticating as principal root/admin at JAKOBI.FR with password.
  WARNING: no policy specified for root at JAKOBI.FR; defaulting to no policy
  *add_principal: Principal add failed: Insufficient access while creating
"root at JAKOBI.FR <root at JAKOBI.FR>".*

Digging a bit further, I could see the following with wireshark (after
binding to the Directory as kadmin) :
147    21.719670222    LDAP    1028
addRequest(7) "krbprincipalname=root at JAKOBI.FR,cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr"

148    21.720138441    LDAP    107
addResponse(7) *insufficientAccessRights (no write access to parent) *

My LDAP ACLs are as follows :
   {0}to attrs=userPassword,shadowLastChange by
dn="cn=admin,dc=jakobi,dc=fr" write by anonymous auth by self write by *
   {1}to dn.base="" by * read
   {2}to * by dn="cn=admin,dc=jakobi,dc=fr" write by * read
   {3}to dn.subtree="cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr" by
dn.exact="cn=kdc,ou=People,dc=jakobi,dc=fr" read
*   {4}to dn.subtree="cn=kerberos,dc=jakobi,dc=fr" by
dn.exact="cn=kadmin,ou=People,dc=jakobi,dc=fr" write*

if ACL #4 refers to *dn.subtree="**cn=JAKOBI.FR
<http://JAKOBI.FR>,cn=kerberos,dc=jakobi,dc=fr"* (shouldn'it be the parent
of the target principal?), result is the same.

As far as I understand, rule #4 should allow me to to write within the
realm subtree...

Can someone enlighten me ?

Thanks in adv.
*Pascal Jakobi*
116 rue de Stalingrad
93100 Montreuil, France

*+33 6 87 47 58 19*Pascal.Jakobi at

More information about the krbdev mailing list