
Re: Problem with Kerberos5 using LDAP backend



2012/3/6 emmanuel segura <emi2fast@gmail.com>:
> try to change
> ==========================
>
> [domain_realm]
>        .example.es = example.ES
>        example.es = example.ES
> ==========================
> to
> ==========================
> [domain_realm]
>        .example.es = EXAMPLE.ES
>        example.es = EXAMPLE.ES
>
>
> On 6 March 2012 at 13:31, Arturo Borrero Gonzalez
> <cer.inet@linuxmail.org> wrote:
>>
>> Hi there!
>>
>> I'm using the package krb5-kdc-ldap to use my Kerberos with an LDAP backend.
>> I've followed the Debian and Ubuntu documentation and I find some
>> issues I can't solve:
>>
>> · I fill the LDAP tree using "kdb5_ldap_util" as seen in the
>> documentation. The LDAP server is correctly written.
>> · The stash is created, with the necessary credentials.
>> · When initializing the admin interface with kadmin.local, I get:
>>
>> kadmind[26023](Error): Can not fetch master key (error: Cannot
>> find/read stored master key). while initializing, aborting
>>
>> The same happens when starting the service from /etc/init.d. In both cases, the
>> LDAP server is read heavily:
>>
>> krb5kdc: Can not fetch master key (error: Cannot find/read stored
>> master key). - while fetching master key K/M for realm EXAMPLE.ES
>>
>> So, I think the options are:
>> 1) In the LDAP server some information is missing (a bug in
>> kdb5_ldap_util?)
>> 2) There is something I don't understand in the procedure.
>>
>> My config is:
>>
>> ##################
>> cat /etc/krb5.conf
>>
>> [libdefaults]
>>        default_realm = EXAMPLE.ES
>>        forwardable = true
>>        proxiable = true
>>
>> [realms]
>>
>>        EXAMPLE.ES = {
>>                kdc = krb-krb.example.es
>>                admin_server = krb-krb.example.es
>>                default_domain = example.es
>>                database_module = openldap_ldapconf
>>        }
>>
>> [domain_realm]
>>        .example.es = example.ES
>>        example.es = example.ES
>>
>> [login]
>>        krb4_convert = true
>>        krb4_get_tickets = false
>>
>> [logging]
>>        kdc = FILE:/var/log/kerberos/krb5kdc.log
>>        admin_server = FILE:/var/log/kerberos/kadmin.log
>>        default = FILE:/var/log/kerberos/krb5lib.log
>>
>> [dbdefaults]
>>        ldap_kerberos_container_dn = ou=krb5,dc=example,dc=es
>>
>> [dbmodules]
>>        openldap_ldapconf = {
>>                db_library = kldap
>>                ldap_kdc_dn = "cn=admin,dc=example,dc=es"
>>
>>                # this object needs to have read rights on
>>                # the realm container, principal container and realm
>> sub-trees
>>                ldap_kadmind_dn = "cn=admin,dc=example,dc=es"
>>
>>                # this object needs to have read and write rights on
>>                # the realm container, principal container and realm
>> sub-trees
>>                ldap_service_password_file = /etc/krb5kdc/service.keyfile
>>                ldap_servers = ldap://krb-ldap.example.es
>>                ldap_conns_per_server = 5
>>        }
>>
>> ##################
>>
>> cat /etc/krb5kdc/kdc.conf
>>
>> [kdcdefaults]
>>    kdc_ports = 750,88
>>
>> [realms]
>>    example.ES = {
>>        database_name = /var/lib/krb5kdc/principal
>>        acl_file = /etc/krb5kdc/kadm5.acl
>>        key_stash_file = /etc/krb5kdc/service.keyfile
>>        kdc_ports = 750,88
>>        max_life = 10h 0m 0s
>>        max_renewable_life = 7d 0h 0m 0s
>>        master_key_type = des3-hmac-sha1
>>        supported_enctypes = aes256-cts:normal arcfour-hmac:normal
>> des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm
>> des:onlyrealm des:$
>>        default_principal_flags = +preauth
>>    }
>>
>>
>> ######################
>>
>> kadmin.local debug (strace). In pastebin because there are a lot of lines:
>> http://pastebin.com/h7fLYFKD
>>
>> Any idea?
>>
>> Best regards.
>>
>> --
>> /* Arturo Borrero Gonzalez || cer.inet@linuxmail.org */
>> /* Use debian gnu/linux! Best OS ever! */
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmaster@lists.debian.org
>> Archive:
>> http://lists.debian.org/CAPfcJauewO-OQPCLAgJi+o5e-Mcv7xYFXKoaQjDyD7Jrv_eV3Q@mail.gmail.com
>>
>
>
>
> --
> this is my life and I live it as long as God wills

Hi there!

That isn't the problem. It is in lower case because I used
find&replace to hide my domain, but in the original file it is in upper
case.

Best regards.

-- 
/* Arturo Borrero Gonzalez || cer.inet@linuxmail.org */
/* Use debian gnu/linux! Best OS ever! */
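The thread turns on two things a reader can check mechanically before touching the KDC: whether every realm name in krb5.conf and kdc.conf agrees case-for-case (Kerberos realm names are case-sensitive, so `example.ES` and `EXAMPLE.ES` are two different realms), and whether the posted kdc.conf points `key_stash_file` at the same path as the LDAP module's `ldap_service_password_file`, two files that hold different data in different formats. The script below is an added example written for this page, not code from the thread or from MIT Kerberos; it parses the krb5 profile format (sections, `key = value`, brace-delimited subsections) and runs those checks over constructed sample configs that mirror the ones posted above. Hostnames, DNs and paths in the samples are copied from the thread only as illustration.

```python
"""Consistency checks for MIT krb5 configuration files (added example,
not from the thread). The sample configs are constructed to mirror the
thread's krb5.conf and kdc.conf; names and paths are illustrative."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")


def parse_profile(text):
    """Parse krb5.conf / kdc.conf profile text into nested dicts.

    Result shape: {section: {key: value-or-subdict}}. Comments starting
    with '#' are dropped; "key = {" opens a subsection closed by "}".
    Repeated keys keep the last value, which is enough for these checks.
    """
    root, stack = {}, []          # stack: dicts opened by "key = {"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any section: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in profile")
            stack.pop()
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only
        if not sep:
            raise ValueError("expected 'key = value': %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack[-1][key] = sub = {}
            stack.append(sub)
        else:
            stack[-1][key] = value.strip('"')
    if len(stack) > 1:
        raise ValueError("unclosed '{' in profile")
    return root


def check_config(krb5, kdc):
    """Cross-check parsed krb5.conf against parsed kdc.conf.

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    client_realms = set(krb5.get("realms", {}))

    def unknown_realm(where, realm):
        hint = ""
        for known in client_realms:
            if known.lower() == realm.lower():   # same name, different case
                hint = " (case differs from %r in krb5.conf [realms])" % known
        findings.append("%s refers to unknown realm %r%s" % (where, realm, hint))

    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in client_realms:
        unknown_realm("default_realm", default_realm)

    for host, realm in krb5.get("domain_realm", {}).items():
        if realm not in client_realms:
            unknown_realm("[domain_realm] %s" % host, realm)

    for realm, rconf in kdc.get("realms", {}).items():
        if realm not in client_realms:
            unknown_realm("kdc.conf [realms] %s" % realm, realm)
        stash = rconf.get("key_stash_file") if isinstance(rconf, dict) else None
        # The master-key stash and the LDAP bind-password file are different
        # files in different formats; sharing one path lets one clobber the other.
        for name, mod in krb5.get("dbmodules", {}).items():
            if stash and isinstance(mod, dict) and stash == mod.get("ldap_service_password_file"):
                findings.append("realm %s: key_stash_file and ldap_service_password_file "
                                "of module %s are both %s" % (realm, name, stash))
    return findings


# Constructed samples mirroring the thread's configs (domain_realm left in
# the mixed case that was posted, stash path shared with the LDAP module).
KRB5_CONF = """
[libdefaults]
        default_realm = EXAMPLE.ES
        forwardable = true
[realms]
        EXAMPLE.ES = {
                kdc = krb-krb.example.es
                admin_server = krb-krb.example.es
                database_module = openldap_ldapconf
        }
[domain_realm]
        .example.es = example.ES
        example.es = example.ES
[dbdefaults]
        ldap_kerberos_container_dn = ou=krb5,dc=example,dc=es
[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=es"
                # kadmind identity needs write access to the realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=es"
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldap://krb-ldap.example.es
        }
"""

KDC_CONF = """
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    example.ES = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/service.keyfile
        master_key_type = des3-hmac-sha1
        default_principal_flags = +preauth
    }
"""


def run_checks():
    """Run the checks over the constructed samples and return the findings."""
    return check_config(parse_profile(KRB5_CONF), parse_profile(KDC_CONF))


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

Against the samples the script reports three case mismatches (both `[domain_realm]` entries and the kdc.conf realm block) and the shared stash/service-password path; after uppercasing the realm names and giving `key_stash_file` its own path it reports nothing. The parser is deliberately minimal (no `;` comments, no `include` directives), which is enough for the files shown in the thread.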

