[30074] in Kerberos


MIT kerberos + OpenLDAP backend

daemon@ATHENA.MIT.EDU (Matej Zagiba)
Thu Jul 3 15:22:27 2008

Message-ID: <486CC2BE.8080506@fmph.uniba.sk>
Date: Thu, 03 Jul 2008 14:14:54 +0200
From: Matej Zagiba <Matej.Zagiba@fmph.uniba.sk>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello everybody,

  I'm trying to set up MIT Kerberos with an OpenLDAP backend. I found a description of this functionality in
the Kerberos admin guide and followed the provided instructions. But it is not usable: I cannot create a working
principal, assign a policy, or do kinit. Default principals like K/M work as expected.
I would appreciate any help.


System information:
Debian Etch
MIT kerberos 1.6.3 (compiled from debian testing packages)
OpenLDAP 2.4.10 (compiled from OpenLDAP sources)


A transcript of the actions follows:

builder:/etc/krb5kdc# kdb5_ldap_util -D cn=adm-service,o=kerberos
  -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi create -subtrees  o=kerberos
  -r TEST -s -sf /etc/krb5kdc/stash
        Password for "cn=adm-service,o=kerberos":
        Initializing database for realm 'TEST'
        You will be prompted for the database Master Password.
        It is important that you NOT FORGET this password.
        Enter KDC database master key:
        Re-enter KDC database master key to verify:
builder:/etc/krb5kdc# kadmin.local -q "ank -pw 123456 user1"
        Authenticating as principal root/admin@TEST with password.
        WARNING: no policy specified for user1@TEST; defaulting to no policy
        Principal "user1@TEST" created.
builder:/etc/krb5kdc# kadmin.local -q "getprincs *"
        Authenticating as principal root/admin@TEST with password.
        K/M@TEST
        krbtgt/TEST@TEST
        kadmin/admin@TEST
        kadmin/changepw@TEST
        kadmin/history@TEST
        kadmin/builder@TEST
        user1@TEST
builder:/etc/krb5kdc# kadmin.local -q "getprinc user1"
        Authenticating as principal root/admin@TEST with password.
        Segmentation fault
builder:/etc/krb5kdc# kadmin.local -q "add_policy -maxlife 180day default"
        Authenticating as principal root/admin@TEST with password.
builder:/etc/krb5kdc# kadmin.local -q "getprincs *"
        Authenticating as principal root/admin@TEST with password.
        K/M@TEST
        krbtgt/TEST@TEST
        kadmin/admin@TEST
        kadmin/changepw@TEST
        kadmin/history@TEST
        kadmin/builder@TEST
        user1@TEST
builder:/etc/krb5kdc# kadmin.local -q "ank -pw 123456 user2"
        Authenticating as principal root/admin@TEST with password.
        NOTICE: no policy specified for user2@TEST; assigning "default"
        Principal "user2@TEST" created.
builder:/etc/krb5kdc# kadmin.local -q "getprincs *"
        Authenticating as principal root/admin@TEST with password.
        get_principals: Invalid argument while retrieving list.
builder:/etc/krb5kdc# kadmin.local -q "getprinc user2"
        Authenticating as principal root/admin@TEST with password.
        get_principal: Invalid argument while retrieving "user2@TEST".
builder:/etc/krb5kdc# kadmin.local -q "getprinc user1"
        Authenticating as principal root/admin@TEST with password.
        Segmentation fault
builder:/etc/krb5kdc# kadmin.local -q "getprinc K/M"
        Authenticating as principal root/admin@TEST with password.
        Principal: K/M@TEST
        Expiration date: [never]
        Last password change: [never]
        Password expiration date: [none]
        Maximum ticket life: 0 days 10:00:00
        Maximum renewable life: 7 days 00:00:00
        Last modified: Thu Jul 03 13:37:44 CEST 2008 (db_creation@TEST)
        Last successful authentication: [never]
        Last failed authentication: [never]
        Failed password attempts: 0
        Number of keys: 1
        Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
        Attributes: DISALLOW_ALL_TIX REQUIRES_PRE_AUTH
        Policy: [none]
builder:/etc/krb5kdc# /etc/init.d/krb5-kdc start
builder:/etc/krb5kdc# kinit user1
        Password for user1@TEST:
builder:/etc/krb5kdc# klist
        Ticket cache: FILE:/tmp/krb5cc_0
        Default principal: user1@TEST
        Valid starting     Expires            Service principal
        07/03/08 13:55:37  07/03/08 23:55:37  krbtgt/TEST@TEST
                renew until 07/04/08 13:55:34

        Kerberos 4 ticket cache: /tmp/tkt0
        klist: You have no tickets cached
builder:/etc/krb5kdc# kdestroy
builder:/etc/krb5kdc# kinit user2
        kinit(v5): Generic error (see e-text) while getting initial credentials

and here is the log message:

Jul 03 13:55:58 builder krb5kdc[7486](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 158.195.31.111: LOOKING_UP_CLIENT: user2@TEST for krbtgt/TEST@TEST, Invalid argument


-- 
            Matej Zagiba
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
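The KDC log line quoted in the post is the one place where the failure is visible from the server side, so it is worth being able to parse such lines mechanically. The following is an added example, not code from the post or from the MIT Kerberos project: a small parser for krb5kdc AS_REQ/TGS_REQ syslog lines that counts non-ISSUE statuses per client principal and separates LOOKING_UP_CLIENT events carrying an unexpected e-text (such as the "Invalid argument" in the post, which points at the database backend) from the ordinary "Client not found in Kerberos database" that a mistyped or nonexistent principal produces. The first sample line is the one from the post; the other three are constructed in the same krb5 1.6 log format to exercise the ISSUE, PREAUTH_FAILED and unknown-client paths. Enctype numbers 1, 2, 3 (single DES) and 23 (RC4-HMAC) are flagged as weak.

```python
"""Parse MIT krb5kdc AS_REQ/TGS_REQ log lines and summarise failures per client.

Added example (not part of the original post or of MIT Kerberos). The line
layout follows the krb5kdc syslog output shown in the post; all sample lines
except the first are constructed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One krb5kdc request line, e.g.
#   Jul 03 13:55:58 builder krb5kdc[7486](info): AS_REQ (7 etypes {18 17 16 23 1 3 2})
#     158.195.31.111: LOOKING_UP_CLIENT: user2@TEST for krbtgt/TEST@TEST, Invalid argument
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<count>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+?): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client for server[, error text]" ends the status payload; ISSUE lines put
# "authtime ..., etypes {...}, " in front of it, so search rather than match.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^\s,]+)(?:, (?P<detail>.*))?$")

# Single-DES (1, 2, 3) and RC4-HMAC (23): enctypes clients should no longer offer.
WEAK_ETYPES = {1, 2, 3, 23}

# e-text krb5 reports when the client principal simply does not exist.
UNKNOWN_CLIENT_TEXT = "Client not found in Kerberos database"


@dataclass
class KdcEvent:
    ts: str
    host: str
    req: str
    addr: str
    status: str
    client: str
    server: str
    etypes: List[int]
    detail: Optional[str]

    @property
    def ok(self) -> bool:
        return self.status == "ISSUE"

    @property
    def offers_weak_etype(self) -> bool:
        return any(e in WEAK_ETYPES for e in self.etypes)


def parse_line(line: str) -> Optional[KdcEvent]:
    """Return a KdcEvent for an AS_REQ/TGS_REQ line, or None for other KDC output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PRINC_RE.search(m["rest"])
    if not p:
        return None
    return KdcEvent(
        ts=m["ts"], host=m["host"], req=m["req"], addr=m["addr"], status=m["status"],
        client=p["client"], server=p["server"],
        etypes=[int(x) for x in m["etypes"].split()],
        detail=p["detail"],
    )


def summarise(lines: List[str]) -> Dict[str, Counter]:
    """Count non-ISSUE statuses per client principal."""
    failures: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev and not ev.ok:
            failures[ev.client][ev.status] += 1
    return dict(failures)


def backend_errors(lines: List[str]) -> List[KdcEvent]:
    """LOOKING_UP_CLIENT events whose e-text is not the ordinary unknown-client text.

    These point at the KDC database backend (as in the post, where the LDAP
    lookup fails with 'Invalid argument') rather than at a wrong principal name.
    """
    return [
        ev for ev in map(parse_line, lines)
        if ev and ev.status == "LOOKING_UP_CLIENT" and ev.detail != UNKNOWN_CLIENT_TEXT
    ]


# Constructed sample: line 1 is from the post, lines 2-4 are made up in the same format.
SAMPLE_LOG = [
    "Jul 03 13:55:58 builder krb5kdc[7486](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 158.195.31.111: LOOKING_UP_CLIENT: user2@TEST for krbtgt/TEST@TEST, Invalid argument",
    "Jul 03 13:55:37 builder krb5kdc[7486](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 158.195.31.111: ISSUE: authtime 1215086137, etypes {rep=16 tkt=16 ses=16}, user1@TEST for krbtgt/TEST@TEST",
    "Jul 03 13:56:10 builder krb5kdc[7486](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 158.195.31.111: PREAUTH_FAILED: user1@TEST for krbtgt/TEST@TEST, Preauthentication failed",
    "Jul 03 13:56:20 builder krb5kdc[7486](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 158.195.31.111: LOOKING_UP_CLIENT: nobody@TEST for krbtgt/TEST@TEST, Client not found in Kerberos database",
]

if __name__ == "__main__":
    for client, counts in summarise(SAMPLE_LOG).items():
        print(client, dict(counts))
    for ev in backend_errors(SAMPLE_LOG):
        print("backend error:", ev.client, repr(ev.detail))
```

Run against a real `/var/log/krb5kdc.log`, `summarise` gives the per-principal failure counts a SOC would alert on (repeated PREAUTH_FAILED for one client, many LOOKING_UP_CLIENT for nonexistent names), while `backend_errors` isolates the case in the post: the principal exists in the database but the KDC cannot read it, which is a server-side defect and not a client problem.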
