[33092] in Kerberos
Kerberos+LDAP: kadmin.local and kadmin show different principals
daemon@ATHENA.MIT.EDU (Nick Triantos)
Thu Jan 13 00:36:36 2011
From: Nick Triantos <nick@triantos.com>
Date: Wed, 12 Jan 2011 21:18:34 -0800
Message-Id: <F5E490F2-C0D5-44D7-90A6-28B88C864E3B@triantos.com>
To: kerberos@mit.edu
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi,
I'm trying to configure an Ubuntu system with MIT Kerberos (v1.8.1), with LDAP as the storage back-end (Sun OpenDS v2.2.1). I see a very odd behavior, where my host entries only show up when I list principals using 'kadmin.local', but not when I use 'kadmin'. From what I read, the two should behave identically if kadmin.local uses the same principal to connect.
Here's what I see from the two tools. Notice the "host/..." principal in the kadmin.local case.
root@hydrogen:/etc/krb5kdc# kadmin -p nick/admin
Authenticating as principal nick/admin with password.
Password for nick/admin@EXAMPLE.NET:
kadmin: list_principals
ben@EXAMPLE.NET
nick@EXAMPLE.NET
nick/admin@EXAMPLE.NET
K/M@EXAMPLE.NET
krbtgt/EXAMPLE.NET@EXAMPLE.NET
kadmin/admin@EXAMPLE.NET
kadmin/changepw@EXAMPLE.NET
kadmin/history@EXAMPLE.NET
kadmin/hydrogen@EXAMPLE.NET
kadmin: ^D
root@hydrogen:/etc/krb5kdc# kadmin.local -p nick/admin
Authenticating as principal nick/admin with password.
kadmin.local: list_principals
host/myhost.example.net@EXAMPLE.NET <=== Not listed above
ben@EXAMPLE.NET
nick@EXAMPLE.NET
nick/admin@EXAMPLE.NET
K/M@EXAMPLE.NET
krbtgt/EXAMPLE.NET@EXAMPLE.NET
kadmin/admin@EXAMPLE.NET
kadmin/changepw@EXAMPLE.NET
kadmin/history@EXAMPLE.NET
kadmin/hydrogen@EXAMPLE.NET
kadmin.local: ^D
When I look at the LDAP logs, the two commands behave quite differently. My realm has two search trees:
root@hydrogen:/etc/krb5kdc# kdb5_ldap_util -D "cn=directory manager" view
Password for "cn=directory manager":
Realm Name: EXAMPLE.NET
Subtree: ou=computers,dc=example,dc=net
Subtree: ou=users,dc=example,dc=net
From looking at the LDAP logs, it looks like kadmin never even queries the first subtree shown above.
Does kadmin expect different parameters to be set in krb5.conf than kadmin.local would? The man page implies the two behave very similarly.
Any advice welcome. I'm really pretty stumped, though I'm also a pretty novice Kerberos admin.
thanks,
-Nick
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
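As an added example (not part of Nick's post or of MIT Kerberos itself), here is a small Python check that compares the two `list_principals` outputs pasted above and reports which principals each admin path fails to return, grouped by service class. The sample sessions are copied from the post; the parsing rule (only single-token `primary[/instance]@REALM` lines count as principals) is this script's own assumption about kadmin's output, not anything the post states.

```python
import re
from dataclasses import dataclass

# Sessions copied from the post (assumed representative of kadmin output).
KADMIN_REMOTE = """\
root@hydrogen:/etc/krb5kdc# kadmin -p nick/admin
Authenticating as principal nick/admin with password.
Password for nick/admin@EXAMPLE.NET:
kadmin: list_principals
ben@EXAMPLE.NET
nick@EXAMPLE.NET
nick/admin@EXAMPLE.NET
K/M@EXAMPLE.NET
krbtgt/EXAMPLE.NET@EXAMPLE.NET
kadmin/admin@EXAMPLE.NET
kadmin/changepw@EXAMPLE.NET
kadmin/history@EXAMPLE.NET
kadmin/hydrogen@EXAMPLE.NET
kadmin: ^D
"""

KADMIN_LOCAL = """\
root@hydrogen:/etc/krb5kdc# kadmin.local -p nick/admin
Authenticating as principal nick/admin with password.
kadmin.local: list_principals
host/myhost.example.net@EXAMPLE.NET <=== Not listed above
ben@EXAMPLE.NET
nick@EXAMPLE.NET
nick/admin@EXAMPLE.NET
K/M@EXAMPLE.NET
krbtgt/EXAMPLE.NET@EXAMPLE.NET
kadmin/admin@EXAMPLE.NET
kadmin/changepw@EXAMPLE.NET
kadmin/history@EXAMPLE.NET
kadmin/hydrogen@EXAMPLE.NET
kadmin.local: ^D
"""

# primary[/instance]@REALM with no whitespace in any component.
PRINC_RE = re.compile(r"^([^/@\s]+)(?:/([^@\s]+))?@([^@\s]+)$")


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: str
    realm: str


def parse_principal(name):
    """Split a principal name into its primary, instance and realm components."""
    m = PRINC_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Kerberos principal: {name!r}")
    return Principal(m.group(1), m.group(2) or "", m.group(3))


def parse_listing(session_text):
    """Extract principal names from a pasted kadmin session.

    Prompts, password lines and shell lines contain spaces and are skipped;
    a trailing annotation such as '<=== ...' is cut off before matching.
    """
    found = set()
    for line in session_text.splitlines():
        if "<" in line:
            line = line[: line.index("<")]
        tokens = line.split()
        if len(tokens) != 1 or not PRINC_RE.match(tokens[0]):
            continue
        found.add(tokens[0])
    return found


def compare_listings(remote_text, local_text):
    """Report principals visible through only one of the two admin paths."""
    remote = parse_listing(remote_text)
    local = parse_listing(local_text)
    return {
        "only_in_kadmin_local": sorted(local - remote),
        "only_in_kadmin": sorted(remote - local),
        "common": len(remote & local),
    }


def missing_by_service(names):
    """Group missing principals by primary component so a whole class
    (e.g. every host/ entry) stands out rather than individual names."""
    groups = {}
    for name in names:
        p = parse_principal(name)
        groups.setdefault(p.primary, []).append(name)
    return groups


if __name__ == "__main__":
    report = compare_listings(KADMIN_REMOTE, KADMIN_LOCAL)
    print(f"principals returned by both paths: {report['common']}")
    for key in ("only_in_kadmin_local", "only_in_kadmin"):
        for svc, names in missing_by_service(report[key]).items():
            print(f"{key}: service class {svc!r}: {names}")
```

When a whole service class (here every `host/` principal) is missing from one path, that points at a difference in which directory subtrees that path searches rather than at a single bad entry, which is the question the post raises about the `ou=computers` subtree.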