[32432] in Kerberos

Setting up slave KDC when realm info is in LDAP (initially created

daemon@ATHENA.MIT.EDU (Holger Rauch)
Sat Jun 5 13:43:59 2010

Date: Sat, 5 Jun 2010 19:43:52 +0200
From: Holger Rauch <holger.rauch@empic.de>
To: kerberos@mit.edu
Message-ID: <20100605174352.GA28015@heitec.de>

Hi,

I'm using Debian Lenny with the standard MIT Kerberos and OpenLDAP
packages. So far, I've managed to set up OpenLDAP delta syncrepl (so
I shouldn't need the kpropd (slave KDC)/kprop (master KDC) combo).

I googled about KDC slave setups but unfortunately didn't come across
any HOWTO for LDAP-related setups, only BDB ones.

I've copied the /etc/krb5.conf file of the master server
(/etc/krb5kdc/kdc.conf is a symlink pointing to /etc/krb5.conf since
that file contains all relevant entries). Furthermore,
kdchost2.our.domain runs the slave slapd and kdchost1.our.domain runs
the master slapd server.

When I try to start the slave KDC on host kdchost2.our.domain, I see
this error message in /var/log/kerberos/krb5kdc.log, even though I
copied the service.keyfile from the master KDC:

krb5kdc: Cannot find/read stored master key - while fetching master
key K/M for realm OUR.DOMAIN

It's not obvious to me why I'm getting this error message.

My /etc/krb5.conf file on the KDC slave host (named kdc.host2 in the
config below) looks like this (both master KDC and admin server are
running on host kdchost1.our.domain; for the sake of simplicity I
used the LDAP admin account for both the kdc and kadmind DNs, since it's
not a publicly accessible network):

===

[kdcdefaults]
kdc_ports = 750,88

[libdefaults]
default_realm = OUR.DOMAIN
#    dns_lookup_realm = true
#    dns_lookup_kdc = true
    passwd_check_s_address = false
    use_tcp_only = true
    ccache_type = 3
    forwardable = true

[appdefaults]
pam = {
    debug = true
    ticket_lifetime = 57600
    renew_lifetime = 57600
    forwardable = true
    krb4_convert = false
}
kinit = {
    ticket_lifetime = 57600
    renew_lifetime = 57600
    forwardable = true
}
pam-afs-session = {
    aklog_homedir = true
    minimum_uid = 10000
}

[realms]
OUR.DOMAIN = {
    database_name = ldap:ou=krb5,ou=org1,dc=ourou,dc=ourcomp
    kdc = kdchost1.our.domain
    kdc = kdchost2.our.domain
    admin_server = kdchost1.our.domain
    acl_file = /etc/krb5kdc/kadm5.acl
    database_module = openldap_ldapconf
    default_domain = our.domain
    max_life = 16h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    default_principal_flags = +preauth
}

OUR.OTHER.DOMAIN = {
    database_name = ldap:ou=krb5,ou=org1,dc=ourou,dc=ourcomp
    kdc = kdchost1.our.other.domain
    kdc = kdchost2.our.other.domain
    admin_server = kdchost1.our.other.domain
    acl_file = /etc/krb5kdc/kadm5.acl
    database_module = openldap_ldapconf
    default_domain = our.other.domain
    max_life = 16h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    default_principal_flags = +preauth
}

[domain_realm]
.our.domain = OUR.DOMAIN
our.domain = OUR.DOMAIN
.subdom.our.domain = OUR.DOMAIN
subdom.our.domain = OUR.DOMAIN
#.our.other.domain = OUR.OTHER.DOMAIN
#our.other.domain = OUR.OTHER.DOMAIN

[login]
krb4_convert = true
krb4_get_tickets = false

[kdc]
database = {
    dbname = ldap:ou=krb5,ou=org1,dc=ourou,dc=ourcomp
}

[dbdefaults]
ldap_kerberos_container_dn = dc=ourou,dc=ourcomp
database_module = openldap_ldapconf

[dbmodules]
openldap_ldapconf = {
    db_library = kldap
    ldap_kerberos_container_dn = ou=krb5,ou=org1,dc=ourou,dc=ourcomp
    ldap_kdc_dn = "cn=admin,dc=ourou,dc=ourcomp"
    ldap_kadmind_dn = "cn=admin,dc=ourou,dc=ourcomp"
    ldap_service_password_file = /etc/krb5kdc/service.keyfile
    ldap_servers = ldap://kdchost2.our.domain
    ldap_conns_per_server = 5
}

[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
default = FILE:/var/log/kerberos/krb5lib.log

===

Any help will be greatly appreciated.

Thanks in advance & kind regards,

   Holger

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
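Added check, not part of Holger's message and not code shipped with MIT Kerberos: with the kldap backend, the file named by ldap_service_password_file (written by kdb5_ldap_util stashsrvpw) holds only the LDAP bind passwords for ldap_kdc_dn and ldap_kadmind_dn. The realm master key K/M that krb5kdc fetches at start-up is read from the stash file named by key_stash_file in the [realms] stanza, and the posted configuration sets no key_stash_file at all. The script below parses a kdc.conf for both paths and reports which secret is missing on a replica, first with only the service keyfile present (the situation described in the post) and then after the stash has been copied. The temporary directory, file names, DN and the sample config it writes are constructed for the demonstration; the service keyfile line is a made-up stand-in for the real stashsrvpw output.

```shell
#!/bin/sh
# Added example, not code from the original post: check that a replica KDC using
# the MIT kldap backend has both secrets it needs on disk.
#   - ldap_service_password_file holds the LDAP bind passwords for ldap_kdc_dn /
#     ldap_kadmind_dn (written by `kdb5_ldap_util stashsrvpw`).
#   - key_stash_file holds the realm master key K/M; krb5kdc reads it at start-up,
#     which is the lookup the posted "Cannot find/read stored master key" error
#     refers to.
# Paths, the DN and the sample config below are constructed for the demonstration.

# Print the value of the first "KEY = value" line in a krb5-style config, with
# surrounding whitespace and double quotes stripped.
conf_get() {
    # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Return 0 when both secret files are present and non-empty; otherwise print what
# is missing and return 1.
check_replica_secrets() {
    conf=$1
    stash=$(conf_get "$conf" key_stash_file)
    svcpw=$(conf_get "$conf" ldap_service_password_file)
    rc=0
    if [ -z "$stash" ]; then
        echo "key_stash_file is not set: krb5kdc will look for the stash in its compiled-in default location; set it explicitly"
        rc=1
    elif [ ! -s "$stash" ]; then
        echo "master key stash missing or empty: $stash (copy it from the master KDC; keep it mode 0600, owned by the KDC user)"
        rc=1
    fi
    if [ -z "$svcpw" ] || [ ! -s "$svcpw" ]; then
        echo "LDAP service password file missing or empty: ${svcpw:-<unset>} (run kdb5_ldap_util stashsrvpw or copy it from the master)"
        rc=1
    fi
    return "$rc"
}

# Constructed sample that mirrors the posted situation: service.keyfile was
# copied from the master, the master-key stash was not.
demo_dir=$(mktemp -d)
cat > "$demo_dir/kdc.conf" <<EOF
[realms]
OUR.DOMAIN = {
    database_module = openldap_ldapconf
    key_stash_file = $demo_dir/stash
}

[dbmodules]
openldap_ldapconf = {
    db_library = kldap
    ldap_kdc_dn = "cn=admin,dc=ourou,dc=ourcomp"
    ldap_kadmind_dn = "cn=admin,dc=ourou,dc=ourcomp"
    ldap_service_password_file = $demo_dir/service.keyfile
}
EOF
# stashsrvpw stores "DN#{HEX}hex-encoded-password"; this line is a made-up stand-in.
printf 'cn=admin,dc=ourou,dc=ourcomp#{HEX}73656372657400\n' > "$demo_dir/service.keyfile"

echo "== before copying the stash =="
check_replica_secrets "$demo_dir/kdc.conf" || echo "replica is NOT ready to start krb5kdc"

# Simulate copying the stash file from the master (contents are placeholder bytes).
printf 'placeholder-stash-bytes' > "$demo_dir/stash"
chmod 600 "$demo_dir/stash"

echo "== after copying the stash =="
check_replica_secrets "$demo_dir/kdc.conf" && echo "replica has both secrets; start krb5kdc"
```

Run it as-is to see both outcomes; on a real replica, point check_replica_secrets at the KDC's own configuration file (the posted setup symlinks /etc/krb5kdc/kdc.conf to /etc/krb5.conf, so either path works there). The parser is deliberately flat: it takes the first matching relation anywhere in the file, which is enough for a single-realm check but would need section awareness for a multi-realm kdc.conf with per-realm stash files.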
