[37768] in Kerberos
Re: kdb5_ldap_util fails, no idea why
daemon@ATHENA.MIT.EDU (t Seeger)
Tue Nov 8 08:01:44 2016
From: t Seeger <tseegerkrb@gmail.com>
In-Reply-To: <c3bf4ef8-f7e3-d205-b06f-32c1d8f7cb89@lhanke.de>
Date: Tue, 8 Nov 2016 14:00:53 +0100
Message-Id: <E1D9248A-10E1-4E8E-8F25-186673059CAE@gmail.com>
To: debian@lhanke.de
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>
Hello,
You can add the principals under the user's cn; this is possible too. You just need to specify the dn of the user while adding it.
For GSSAPI I use the olcAuthzRegexp to transfer to the ldap objects. My userPassword attribute looks like: {SASL}username@REALM.
-Thorsten
Sent from my iPhone
> On 08.11.2016 at 13:34, Dr. Lars Hanke <debian@lhanke.de> wrote:
>
> ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de made it succeed. This is however not mentioned in the HOWTO. From the documentation of -subtree I thought that the Principals would somehow be stored with the User and Machine entries, i.e. not in a separate tree. So the idea for GSSAPI binding of users or machines will be to use authz?
>
> Thanks for the help,
> - lars.
>
>> On 08.11.2016 at 08:58, t Seeger wrote:
>> Hello,
>>
>> did you create the /etc/krb5kdc/kdc.conf file? The Kerberos container dn is set up there (ldap_kerberos_container_dn). And you need to use 'cn' for the container; this changed some versions ago.
>>
>>
>> [dbmodules]
>> LDAP = {
>> db_library = kldap
>> ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
>> ....
>> }
>>
>> - Thorsten
>>
>> Sent from my iPhone
>>
>>>> On 07.11.2016 at 17:14, Dr. Lars Hanke <debian@lhanke.de> wrote:
>>>>
>>>> On 07.11.2016 at 15:06, Todd Grayson wrote:
>>>> From that error message you need to provide the schema file for the
>>>> kerberos ldap objects to your directory instance. Can we assume you
>>>> followed top down the instructions from here?
>>>>
>>>> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
>>> Yes, this is my main source. It seems I have the schema on my LDAP:
>>>
>>> ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' 'dn'
>>> SASL/EXTERNAL authentication started
>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> SASL SSF: 0
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=schema,cn=config> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: dn
>>> #
>>>
>>> # schema, config
>>> dn: cn=schema,cn=config
>>>
>>> # {0}core, schema, config
>>> dn: cn={0}core,cn=schema,cn=config
>>>
>>> # {1}cosine, schema, config
>>> dn: cn={1}cosine,cn=schema,cn=config
>>>
>>> # {2}nis, schema, config
>>> dn: cn={2}nis,cn=schema,cn=config
>>>
>>> # {3}inetorgperson, schema, config
>>> dn: cn={3}inetorgperson,cn=schema,cn=config
>>>
>>> # {4}samba, schema, config
>>> dn: cn={4}samba,cn=schema,cn=config
>>>
>>> # {5}kerberos, schema, config
>>> dn: cn={5}kerberos,cn=schema,cn=config
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 8
>>> # numEntries: 7
>>>
>>> I admit that I did not understand why in that Howto many more schemas
>>> were included to produce the LDIF for the Kerberos schema, but at least
>>> OpenLDAP did accept it.
>>>
>>> Thanks,
>>> - lars.
>>>>
>>>>
>>>> On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <debian@lhanke.de> wrote:
>>>>
>>>> I'm currently setting up a new KDC for a new domain. I also have a
>>>> shiny
>>>> new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
>>>> fine, there is no specific data in it yet.
>>>>
>>>> Trying to create the Kerberos container, I get the following error:
>>>>
>>>> kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees
>>>> dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
>>>> Password for "cn=admin,dc=microsult,dc=de":
>>>> Initializing database for realm 'UAC.MICROSULT.DE'
>>>> You will be prompted for the database Master Password.
>>>> It is important that you NOT FORGET this password.
>>>> Enter KDC database master key:
>>>> Re-enter KDC database master key to verify:
>>>> kdb5_ldap_util: Kerberos Container create FAILED: Object class
>>>> violation
>>>> while creating realm 'UAC.MICROSULT.DE'
>>>>
>>>> I read somewhere that this may be due to the kerberos container not
>>>> being a CN attribute. Actually I see in the debug trace of
>>>> OpenLDAP that
>>>> it denies dc=microsult,dc=de since it's not a CN.
>>>>
>>>> Am I supposed to create a CN node under my TLD and use this? I don't
>>>> quite understand how the final layout in LDAP is supposed to be
>>>> and how
>>>> to put that into arguments for kdb5_ldap_util.
>>>>
>>>> Any closer explanation is appreciated. Thanks for your help,
>>>>
>>>> - lars.
>>>>
>>>> --
>>>> Todd Grayson
>>>> Business Operations Manager
>>>> Customer Operations Engineering
>>>> Security SME
>>>>
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
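The fix the thread converges on is that ldap_kerberos_container_dn in the [dbmodules] section of kdc.conf must be a cn= entry, not the bare dc= suffix that produced the "Object class violation". The POSIX shell script below is an added example, not code from the thread or from MIT Kerberos: it reads a constructed kdc.conf modelled on the one quoted above, pulls ldap_kerberos_container_dn out of the [dbmodules] section, and reports whether the DN's leading RDN is cn= before anyone runs kdb5_ldap_util. The sample config text, the database_module line and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check that the Kerberos container DN
# in kdc.conf uses a leading "cn=" RDN, which is what kdb5_ldap_util expects.
# A plain "dc=..." container fails with "Object class violation" as seen above.

# Constructed sample kdc.conf, modelled on the [dbmodules] block in the thread.
SAMPLE_KDC_CONF='[realms]
UAC.MICROSULT.DE = {
    database_module = LDAP
}

[dbmodules]
LDAP = {
    db_library = kldap
    ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
    ldap_kdc_dn = cn=admin,dc=microsult,dc=de
}'

# Print the ldap_kerberos_container_dn value found in the [dbmodules]
# section of the kdc.conf text on stdin; prints nothing if it is not set.
container_dn() {
    awk '
        # Track which [section] we are in; only [dbmodules] is of interest.
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[dbmodules\]/); next }
        insect && /ldap_kerberos_container_dn[[:space:]]*=/ {
            # Strip everything up to the first "=" (the DN itself contains "=").
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }'
}

# Return 0 when the DN starts with a cn RDN, 1 when it is empty or starts
# with anything else (dc=, ou=, ...).
check_container_dn() {
    _dn="$1"
    [ -n "$_dn" ] || return 1
    case "$_dn" in
        [cC][nN]=*) return 0 ;;
        *)          return 1 ;;
    esac
}

dn=$(printf '%s\n' "$SAMPLE_KDC_CONF" | container_dn)
if check_container_dn "$dn"; then
    echo "ok: container DN '$dn' uses a cn RDN"
else
    echo "problem: container DN '$dn' is not a cn= entry; kdb5_ldap_util create will fail" >&2
fi
```

To run it against a real file, replace the printf of SAMPLE_KDC_CONF with `container_dn < /etc/krb5kdc/kdc.conf`. The check only looks at the RDN type; the container entry itself is still created by kdb5_ldap_util, so the parent (dc=microsult,dc=de here) must exist and the kerberos schema must be loaded, as the ldapsearch output earlier in the thread confirms.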