
Re: Problem with Kerberos5 using LDAP backend



try to change
==========================
[domain_realm]
       .example.es = example.ES
       example.es = example.ES
==========================
to
==========================
[domain_realm]
       .example.es = EXAMPLE.ES
       example.es = EXAMPLE.ES


On 06 March 2012 at 13:31, Arturo Borrero Gonzalez <cer.inet@linuxmail.org> wrote:
Hi there!

I'm using the package krb5-kdc-ldap to use my Kerberos with LDAP backend.
I've followed the Debian and Ubuntu documentation and I find some
issues I can't solve:

· I fill the LDAP tree using the "kdb5_ldap_util" as seen in
documentation. The LDAP server is correctly written.
· The stash is created, with the necessary credentials.
· When initializing the admin interface, with kadmin.local, I get:

kadmind[26023](Error): Can not fetch master key (error: Cannot
find/read stored master key). while initializing, aborting

The same when starting the service in /etc/init.d. In both cases, the
LDAP server is strongly read:

krb5kdc: Can not fetch master key (error: Cannot find/read stored
master key). - while fetching master key K/M for realm EXAMPLE.ES

So, I think the options are:
1) In the LDAP server some information is missing (a bug in kdb5_ldap_util?)
2) There is something I don't understand in the procedure.

My config is:

##################
cat /etc/krb5.conf

[libdefaults]
       default_realm = EXAMPLE.ES
       forwardable = true
       proxiable = true

[realms]

       EXAMPLE.ES = {
               kdc = krb-krb.example.es
               admin_server = krb-krb.example.es
               default_domain = example.es
               database_module = openldap_ldapconf
       }

[domain_realm]
       .example.es = example.ES
       example.es = example.ES

[login]
       krb4_convert = true
       krb4_get_tickets = false

[logging]
       kdc = FILE:/var/log/kerberos/krb5kdc.log
       admin_server = FILE:/var/log/kerberos/kadmin.log
       default = FILE:/var/log/kerberos/krb5lib.log

[dbdefaults]
       ldap_kerberos_container_dn = ou=krb5,dc=example,dc=es

[dbmodules]
       openldap_ldapconf = {
               db_library = kldap
               ldap_kdc_dn = "cn=admin,dc=example,dc=es"

               # this object needs to have read rights on
               # the realm container, principal container and realm sub-trees
               ldap_kadmind_dn = "cn=admin,dc=example,dc=es"

               # this object needs to have read and write rights on
               # the realm container, principal container and realm sub-trees
               ldap_service_password_file = /etc/krb5kdc/service.keyfile
               ldap_servers = ldap://krb-ldap.example.es
               ldap_conns_per_server = 5
       }

##################

cat /etc/krb5kdc/kdc.conf

[kdcdefaults]
   kdc_ports = 750,88

[realms]
   example.ES = {
       database_name = /var/lib/krb5kdc/principal
       acl_file = /etc/krb5kdc/kadm5.acl
       key_stash_file = /etc/krb5kdc/service.keyfile
       kdc_ports = 750,88
       max_life = 10h 0m 0s
       max_renewable_life = 7d 0h 0m 0s
       master_key_type = des3-hmac-sha1
       supported_enctypes = aes256-cts:normal arcfour-hmac:normal
des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm
des:onlyrealm des:$
       default_principal_flags = +preauth
   }


######################

kadmin.local debug (strace). In pastebin because there are a lot of lines:
http://pastebin.com/h7fLYFKD

Any idea?

Best regards.

--
/* Arturo Borrero Gonzalez || cer.inet@linuxmail.org */
/* Use debian gnu/linux! Best OS ever! */


Archive: http://lists.debian.org/CAPfcJauewO-OQPCLAgJi+o5e-Mcv7xYFXKoaQjDyD7Jrv_eV3Q@mail.gmail.com




--
this is my life and I live it for as long as God wills
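The reply above points at the casing of the realm name in [domain_realm]. Kerberos realm names are case-sensitive, and the posted kdc.conf also names its stanza "example.ES" while the KDC error talks about realm EXAMPLE.ES, so a quick consistency check across both files is worth having before hunting for a kdb5_ldap_util bug. The script below is an added example written for this thread, not code from either poster or from MIT Kerberos: it parses the krb5 profile format (sections, "key = value" lines, nested "name = { ... }" blocks, comments) and flags every realm name that differs from default_realm only by case, going beyond the reply by also covering kdc.conf [realms]. The two config samples are constructed from the thread's files, trimmed to the relevant stanzas.

```python
"""Realm-name consistency check for a krb5.conf / kdc.conf pair.

Added example (not from the thread). Realm names are case-sensitive, so
"example.ES" and "EXAMPLE.ES" are different realms, and the KDC will look
for the master key K/M under whichever spelling it resolves.
"""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
OPEN_RE = re.compile(r"^([^=]+?)\s*=\s*\{$")
KV_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def parse_profile(text):
    """Parse krb5 profile text into {section: {key: value | nested dict}}."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:                                 # new [section]
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("entry outside any [section]: %r" % raw)
        if line.startswith("}"):              # close a nested block
            if len(stack) == 1:
                raise ValueError("unbalanced '}' near %r" % raw)
            stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:                                 # open a nested block
            child = {}
            stack[-1][m.group(1).strip()] = child
            stack.append(child)
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        stack[-1][m.group(1).strip()] = m.group(2).strip()
    if len(stack) > 1:
        raise ValueError("unterminated '{' block at end of file")
    return root


def check_realm_names(krb5_conf, kdc_conf):
    """Return findings (list of str) about realm names that disagree by case."""
    client, kdc = parse_profile(krb5_conf), parse_profile(kdc_conf)
    default_realm = client.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        return ["krb5.conf: no default_realm in [libdefaults]"]
    findings = []

    def compare(where, name):
        if name != default_realm and name.upper() == default_realm.upper():
            findings.append("%s: realm %r differs from default_realm %r only by case"
                            % (where, name, default_realm))

    for name in client.get("realms", {}):
        compare("krb5.conf [realms]", name)
    for domain, realm in client.get("domain_realm", {}).items():
        compare("krb5.conf [domain_realm] %s" % domain, realm)
    for name in kdc.get("realms", {}):
        compare("kdc.conf [realms]", name)
    if default_realm not in kdc.get("realms", {}):
        findings.append("kdc.conf: no [realms] stanza named %r" % default_realm)
    return findings


# Constructed samples modelled on the thread's configuration (trimmed).
KRB5_CONF_AS_POSTED = """
[libdefaults]
    default_realm = EXAMPLE.ES
[realms]
    EXAMPLE.ES = {
        kdc = krb-krb.example.es
        database_module = openldap_ldapconf
    }
[domain_realm]
    .example.es = example.ES
    example.es = example.ES
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # needs read rights on the realm and principal containers
        ldap_kdc_dn = "cn=admin,dc=example,dc=es"
        ldap_servers = ldap://krb-ldap.example.es
    }
"""
KDC_CONF_AS_POSTED = """
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    example.ES = {
        key_stash_file = /etc/krb5kdc/service.keyfile
        master_key_type = des3-hmac-sha1
    }
"""
# Same files with every realm name spelled exactly as default_realm.
KRB5_CONF_FIXED = KRB5_CONF_AS_POSTED.replace("= example.ES", "= EXAMPLE.ES")
KDC_CONF_FIXED = KDC_CONF_AS_POSTED.replace("example.ES = {", "EXAMPLE.ES = {")

if __name__ == "__main__":
    for label, pair in (("as posted", (KRB5_CONF_AS_POSTED, KDC_CONF_AS_POSTED)),
                        ("fixed", (KRB5_CONF_FIXED, KDC_CONF_FIXED))):
        print("== %s ==" % label)
        for f in check_realm_names(*pair) or ["OK: realm names consistent"]:
            print(f)
```

Run against the posted pair it reports the two [domain_realm] mappings, the "example.ES" stanza in kdc.conf, and the absence of an "EXAMPLE.ES" stanza there; against the corrected pair it reports nothing. The parser is deliberately strict (it raises on lines it cannot classify) so a typo in a real file surfaces as an error rather than being silently skipped.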
