Re: Problem with Kerberos5 using LDAP backend
2012/3/6 emmanuel segura <emi2fast@gmail.com>:
> try to change
> ==========================
>
> [domain_realm]
> .example.es = example.ES
> example.es = example.ES
> ==========================
> to
> ==========================
> [domain_realm]
> .example.es = EXAMPLE.ES
> example.es = EXAMPLE.ES
>
>
> Il giorno 06 marzo 2012 13:31, Arturo Borrero Gonzalez
> <cer.inet@linuxmail.org> ha scritto:
>>
>> Hi there!
>>
>> I'm using the package krb5-kdc-ldap to use mi kerberos with LDAP backend.
>> I've followed the debian and ubuntu documentation and I find some
>> issues I can't solve:
>>
>> · I fill the LDAP tree using the "kdb5_ldap_util" as seen in
>> documentation. The LDAP server is correctly written.
>> · The stash are created, with the neccesary credentials.
>> · When initializing the admin interface, with kadmin.local, i get:
>>
>> kadmind[26023](Error): Can not fetch master key (error: Cannot
>> find/read stored master key). while initializing, aborting
>>
>> The same when starting the service in /etc/init.d. In both cases, the
>> LDAP server is strongly readed:
>>
>> krb5kdc: Can not fetch master key (error: Cannot find/read stored
>> master key). - while fetching master key K/M for realm EXAMPLE.ES
>>
>> So, I think the options are:
>> 1) In the LDAP server some information is missing (a bug in
>> kdb5_ldap_util?)
>> 2) There is something I don't understand in the procedure.
>>
>> My config is:
>>
>> ##################
>> cat /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = EXAMPLE.ES
>> forwadable = true
>> proxiable = true
>>
>> [realms]
>>
>> EXAMPLE.ES = {
>> kdc = krb-krb.example.es
>> admin_server = krb-krb.example.es
>> default_domain = example.es
>> database_module = openldap_ldapconf
>> }
>>
>> [domain_realm]
>> .example.es = example.ES
>> example.es = example.ES
>>
>> [login]
>> krb4_convert = true
>> krb4_get_tickets = false
>>
>> [logging]
>> kdc = FILE:/var/log/kerberos/krb5kdc.log
>> admin_server = FILE:/var/log/kerberos/kadmin.log
>> default = FILE:/var/log/kerberos/krb5lib.log
>>
>> [dbdefaults]
>> ldap_kerberos_container_dn = ou=krb5,dc=example,dc=es
>>
>> [dbmodules]
>> openldap_ldapconf = {
>> db_library = kldap
>> ldap_kdc_dn = "cn=admin,dc=example,dc=es"
>>
>> # this object needs to have read rights on
>> # the realm container, principal container and realm
>> sub-trees
>> ldap_kadmind_dn = "cn=admin,dc=example,dc=es"
>>
>> # this object needs to have read and write rights on
>> # the realm container, principal container and realm
>> sub-trees
>> ldap_service_password_file = /etc/krb5kdc/service.keyfile
>> ldap_servers = ldap://krb-ldap.example.es
>> ldap_conns_per_server = 5
>> }
>>
>> ##################
>>
>> cat /etc/krb5kdc/kdc.conf
>>
>> [kdcdefaults]
>> kdc_ports = 750,88
>>
>> [realms]
>> example.ES = {
>> database_name = /var/lib/krb5kdc/principal
>> acl_file = /etc/krb5kdc/kadm5.acl
>> key_stash_file = /etc/krb5kdc/service.keyfile
>> kdc_ports = 750,88
>> max_life = 10h 0m 0s
>> max_renewable_life = 7d 0h 0m 0s
>> master_key_type = des3-hmac-sha1
>> supported_enctypes = aes256-cts:normal arcfour-hmac:normal
>> des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm
>> des:onlyrealm des:$
>> default_principal_flags = +preauth
>> }
>>
>>
>> ######################
>>
>> kadmin.local debug (strace). In pastebin because there are a lot of lines:
>> http://pastebin.com/h7fLYFKD
>>
>> Any idea?
>>
>> Best regards.
>>
>> --
>> /* Arturo Borrero Gonzalez || cer.inet@linuxmail.org */
>> /* Use debian gnu/linux! Best OS ever! */
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmaster@lists.debian.org
>> Archive:
>> [🔎] CAPfcJauewO-OQPCLAgJi+o5e-Mcv7xYFXKoaQjDyD7Jrv_eV3Q@mail.gmail.com">http://lists.debian.org/[🔎] CAPfcJauewO-OQPCLAgJi+o5e-Mcv7xYFXKoaQjDyD7Jrv_eV3Q@mail.gmail.com
>>
>
>
>
> --
> esta es mi vida e me la vivo hasta que dios quiera
Hi there!
That isn't the problem. It is in lower case because I used
find&replace to hide my domain, but in the original file is in upper
case.
Best regard.
--
/* Arturo Borrero Gonzalez || cer.inet@linuxmail.org */
/* Use debian gnu/linux! Best OS ever! */
Reply to: