[37762] in Kerberos
Re: kdb5_ldap_util fails, no idea why
daemon@ATHENA.MIT.EDU (Dr. Lars Hanke)
Mon Nov 7 11:14:33 2016
To: Todd Grayson <tgrayson@cloudera.com>
From: "Dr. Lars Hanke" <debian@lhanke.de>
Message-ID: <49d359a2-656a-7ec1-9adc-ae4d4e6c6b4f@lhanke.de>
Date: Mon, 7 Nov 2016 17:14:02 +0100
MIME-Version: 1.0
In-Reply-To: <CALNT6MV=RNFbCrQ-O69hy29wJ-qm0i3jrr+dTeRjMkZjCXTWow@mail.gmail.com>
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>
Reply-To: debian@lhanke.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 07.11.2016 at 15:06, Todd Grayson wrote:
> From that error message you need to provide the schema file for the
> Kerberos ldap objects to your directory instance. Can we assume you
> followed top down the instructions from here?
>
> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
Yes, this is my main source. It seems I have the schema on my LDAP:
ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' 'dn'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=schema,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: dn
#
# schema, config
dn: cn=schema,cn=config
# {0}core, schema, config
dn: cn={0}core,cn=schema,cn=config
# {1}cosine, schema, config
dn: cn={1}cosine,cn=schema,cn=config
# {2}nis, schema, config
dn: cn={2}nis,cn=schema,cn=config
# {3}inetorgperson, schema, config
dn: cn={3}inetorgperson,cn=schema,cn=config
# {4}samba, schema, config
dn: cn={4}samba,cn=schema,cn=config
# {5}kerberos, schema, config
dn: cn={5}kerberos,cn=schema,cn=config
# search result
search: 2
result: 0 Success
# numResponses: 8
# numEntries: 7
I admit that I did not understand why in that Howto many more schemas
were included to produce the LDIF for the Kerberos schema, but at least
OpenLDAP did accept it.
Thanks,
- lars.
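The ldapsearch output above can be checked mechanically before running kdb5_ldap_util. This is an added example, not code from the thread or from MIT Kerberos: it parses ldapsearch's LDIF output (folded continuation lines and base64 values included), looks for the cn={N}kerberos entry under cn=schema,cn=config, and checks whether an olcObjectClasses value declares krbContainer. The embedded sample, its olcObjectClasses line and its OID are constructed placeholders, not the real schema.

```python
import base64
import re

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")

# Constructed sample shaped like the thread's ldapsearch output; the
# olcObjectClasses line and its OID are placeholders, not kerberos.schema.
SAMPLE = (
    "SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n"
    "# schema, config\n"
    "dn: cn=schema,cn=config\n"
    "dn: cn={5}kerberos,cn=schema,cn=config\n"
    "olcObjectClasses: {0}( 1.2.3.4 NAME 'krbContainer' SUP top STRUCTURAL\n"
    "  MUST ( cn ) )\n"
    "search: 2\n"
)

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; joins folded lines (leading space),
    skips '#' comments and non-LDIF chatter, decodes 'attr::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous value
        else:
            lines.append(raw)
    entries = []
    for line in lines:
        m = ATTR_RE.match(line)
        if line.startswith("#") or not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            entries.append((value, {}))
        elif entries:
            entries[-1][1].setdefault(attr, []).append(value)
    return entries

def kerberos_schema_dn(text):
    """DN of the loaded kerberos schema entry (cn={N}kerberos,...), or None."""
    pat = re.compile(r"cn=\{\d+\}kerberos,cn=schema,cn=config", re.I)
    return next((dn for dn, _ in parse_ldif(text) if pat.fullmatch(dn)), None)

def defines_objectclass(text, name):
    """True if any entry's olcObjectClasses declares NAME 'name'."""
    pat = re.compile(r"NAME\s+'%s'" % re.escape(name))
    return any(pat.search(v) for _, a in parse_ldif(text)
               for v in a.get("olcObjectClasses", []))
```

Feed it the real output of the ldapsearch command from the thread instead of SAMPLE; a None from kerberos_schema_dn or a False from defines_objectclass means the directory cannot hold the container kdb5_ldap_util tries to create.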
>
>
>
> On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <debian@lhanke.de> wrote:
>
> I'm currently setting up a new KDC for a new domain. I also have a shiny
> new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
> fine, there is no specific data in it yet.
>
> Trying to create the Kerberos container, I get the following error:
>
> kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees
> dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
> Password for "cn=admin,dc=microsult,dc=de":
> Initializing database for realm 'UAC.MICROSULT.DE'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
> kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
> while creating realm 'UAC.MICROSULT.DE'
>
> I read somewhere that this may be due to the kerberos container not
> being a CN attribute. Actually I see in the debug trace of OpenLDAP that
> it denies dc=microsult,dc=de since it's not a CN.
>
> Am I supposed to create a CN node under my TLD and use this? I don't
> quite understand how the final layout in LDAP is supposed to be and how
> to put that into arguments for kdb5_ldap_util.
>
> Any closer explanation is appreciated. Thanks for your help,
>
> - lars.
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos