[37761] in Kerberos
Re: kdb5_ldap_util fails, no idea why
daemon@ATHENA.MIT.EDU (Todd Grayson)
Mon Nov 7 09:07:22 2016
In-Reply-To: <b1f7e7c1-3bd8-5103-2592-fc5d15d303b0@lhanke.de>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Mon, 7 Nov 2016 07:06:38 -0700
Message-ID: <CALNT6MV=RNFbCrQ-O69hy29wJ-qm0i3jrr+dTeRjMkZjCXTWow@mail.gmail.com>
To: debian@lhanke.de
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>
From that error message, you need to provide the schema file for the
Kerberos LDAP objects to your directory instance. Can we assume you
followed top down the instructions from here?
https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <debian@lhanke.de> wrote:
> I'm currently setting up a new KDC for a new domain. I also have a shiny
> new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
> fine, there is no specific data in it yet.
>
> Trying to create the Kerberos container, I get the following error:
>
> kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees
> dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
> Password for "cn=admin,dc=microsult,dc=de":
> Initializing database for realm 'UAC.MICROSULT.DE'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
> kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
> while creating realm 'UAC.MICROSULT.DE'
>
> I read somewhere that this may be due to the kerberos container not
> being a CN attribute. Actually I see in the debug trace of OpenLDAP that
> it denies dc=microsult,dc=de since it's not a CN.
>
> Am I supposed to create a CN node under my TLD and use this? I don't
> quite understand how the final layout in LDAP is supposed to be and how
> to put that into arguments for kdb5_ldap_util.
>
> Any closer explanation is appreciated. Thanks for your help,
>
> - lars.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
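
Added example, not part of the original thread: one way to check whether a directory's schema already contains the Kerberos object classes before running `kdb5_ldap_util create`. The function names, the constructed sample LDIF and the choice of these three classes as the required set are assumptions; the class names are those used by MIT krb5's kerberos.schema.

```shell
#!/bin/sh
# Added example: list Kerberos object classes missing from an LDAP schema dump.
# Real input would be LDIF on stdin, for instance (OpenLDAP cn=config assumed):
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config olcObjectClasses

# Assumption: classes the container and realm entries rely on (MIT kerberos.schema names).
REQUIRED_CLASSES="krbContainer krbRealmContainer krbTicketPolicyAux"

# Unfold LDIF continuation lines, then print the NAME of each object class.
list_object_classes() {
    awk '
        function emit(line,   name) {
            if (tolower(line) !~ /^(olc)?objectclasses:/) return
            if (match(line, /NAME[ \t]*\047[^\047]*\047/)) {
                name = substr(line, RSTART, RLENGTH)
                gsub(/^NAME[ \t]*\047|\047$/, "", name)
                print name
            }
        }
        /^ / { buf = buf substr($0, 2); next }   # folded line: append to previous
        { emit(buf); buf = $0 }
        END { emit(buf) }
    '
}

# Print each missing class on its own line; return 1 if any is missing.
missing_krb_classes() {
    found=$(list_object_classes)
    rc=0
    for cls in $REQUIRED_CLASSES; do
        printf '%s\n' "$found" | grep -q -x "$cls" || { echo "$cls"; rc=1; }
    done
    return $rc
}

# Constructed sample dumps (placeholder OIDs, not real schema text).
sample_with_krb() { cat <<'EOF'
dn: cn={4}kerberos,cn=schema,cn=config
olcObjectClasses: {0}( 1.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST cn )
olcObjectClasses: {1}( 1.1.2 NAME 'krbRealmCon
 tainer' SUP top STRUCTURAL MUST cn )
olcObjectClasses: {2}( 1.1.3 NAME 'krbTicketPolicyAux' SUP top AUXILIARY )
EOF
}
sample_without_krb() { cat <<'EOF'
dn: cn={0}core,cn=schema,cn=config
olcObjectClasses: {0}( 1.1.9 NAME 'organization' SUP top STRUCTURAL MUST o )
EOF
}

sample_without_krb | missing_krb_classes || echo "schema not loaded: import it first"
```

Values that the server returns base64-encoded (`olcObjectClasses::`) are not decoded by this check and would be reported as missing.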