Can you show a transcript of the command and error message it fails
with?
The Kerberos authentication worked before I wanted OpenLDAP as back-end. Then I wanted to switch to the OpenLDAP back-end without setting up a clean system...
...
The subtree is OK. <-- in the DIT.
The conf files are OK. I hope so!
slapd.conf modified for Kerberos. I think this is not the problem either.
Stash pw generated. <-- the file is there with both pws.
-no service is started-
Now I want to create a root user with the command
kadmin.local
But it fails with
Authenticating as principal root/admin@LOCAL with password.
kadmin.local: Server error while initializing kadmin.local interface
When I now switch krb5.conf back to the old one I can start kadmin.local and I can start the services. But when I now try to start the kadmin interface, there is no root (admin) user in the DIT with which I can authenticate.
I don't know what the problem could be... :(
-------- Original Message --------
> Date: Mon, 23 Nov 2009 14:20:24 +0100
> From: "kai plückhahn" <derp...@gmx.de>
> To: kerb...@mit.edu
> Subject: create principals fails
> I often read this question, but never saw an answer.
> I want to have OpenLDAP as a backend to Kerberos.
> - Kerberos 5
> - OpenLDAP 2.4
>
> I could create the subtree in the DIT. But when I try to create principals
> with kadmin, it fails.
> My first step was that I created the conf files, kdc.conf and
> krb5.conf. After this I created the subtree and the stash pws with kdb5_ldap_util.
> But then... creating principals with kadmin or kadmin.local fails.
> In my book there is a note that I first have to create a local
> database with kdb5_util create -s to use the kadmin.local interface without
> problems...
>
> How do I have to create the principals? Is there a trick?
>
> I don't know. Please help me.
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
Unfortunately, as noted in previous threads
(http://mailman.mit.edu/pipermail/kerberos/2009-August/015187.html) the
KDC LDAP code is generating a much more informative error message, but
it isn't printed due to a problem with contexts. That problem is fixed
for 1.8, but that doesn't help you right now.
One workaround is to make a debugging build of the krb5 sources and step
through the process with a debugger. This is painful and laborious,
though. Another option is to run kadmin.local under a system call
tracing tool like strace (Linux) or truss (Solaris) to see what system
interactions kadmin.local made shortly before printing the error
message, but that doesn't always yield helpful information.
The most common problem I've seen with using the KDC LDAP back end is in
setting up the stash file containing the LDAP passwords for the DNs used
by the KDC and kadmind. This filename is specified with the variable
ldap_service_password_file inside the database settings. If you created
it correctly, it should look like:
cn=admin,dc=directorate,dc=org#{HEX}abcde12345
where the DNs on the left should match the DNs specified in the
ldap_kdc_dn and ldap_kadmind_dn variables. You say that the file is
there with both passwords, but you might want to double check.
There is a different file which holds the KDB master password. This
filename is specified with the variable key_stash_file inside the realm
settings, and should point to a different filename. It should contain
binary data. Make sure this is separate from your LDAP password stash.
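The two things the reply above says to double-check, that ldap_service_password_file holds one DN#{HEX}... line per DN named by ldap_kdc_dn and ldap_kadmind_dn, and that it is a text file rather than the binary master-key stash named by key_stash_file, can be checked mechanically. The script below is an added example written for this thread; it is not code from MIT krb5 or from anyone in the thread. It assumes only the line format shown in the reply and that the hex digits after {HEX} are the hex-encoded service password (what kdb5_ldap_util stashsrvpw writes). The DNs, passwords and file contents in it are constructed for the example.

```python
"""Check a krb5 LDAP service password stash (ldap_service_password_file).

Added example for this thread, not code from MIT krb5.  Assumes the line
format shown in the reply: "DN#{HEX}<hex-encoded password>".  DNs and
passwords below are constructed for the example.
"""
import binascii
import re

# One stash line: everything before the first '#' is the DN, then the
# literal tag {HEX}, then the password as hex digits (possibly empty).
LINE_RE = re.compile(r"^(?P<dn>[^#]+)#\{HEX\}(?P<hex>[0-9A-Fa-f]*)$")


def make_entry(dn, password):
    """Build one stash line for DN in the format shown in the thread."""
    hexpw = binascii.hexlify(password.encode("utf-8")).decode("ascii")
    return dn + "#{HEX}" + hexpw


def parse_service_password_file(text):
    """Return {dn: password_bytes}; raise ValueError on the first bad line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(
                f"line {lineno}: not of the form DN#{{HEX}}hexdigits: {line!r}")
        hexpw = m.group("hex")
        if len(hexpw) % 2:
            raise ValueError(f"line {lineno}: odd number of hex digits")
        dn = m.group("dn").strip()
        if dn in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {dn}")
        entries[dn] = binascii.unhexlify(hexpw)
    return entries


def check_stash(data, ldap_kdc_dn, ldap_kadmind_dn):
    """Return a list of problems found; an empty list means it looks usable."""
    # key_stash_file (the KDB master key) is binary.  Pointing
    # ldap_service_password_file at it is the mix-up the reply warns about,
    # so refuse anything that is not plain printable ASCII text.
    if any(b > 126 or (b < 32 and b not in b"\r\n\t") for b in data):
        return ["file is not ASCII text; is ldap_service_password_file "
                "pointing at the binary key_stash_file?"]
    try:
        entries = parse_service_password_file(data.decode("ascii"))
    except ValueError as err:
        return [str(err)]
    problems = []
    # Exact string comparison: spell the DN identically in kdc.conf and
    # in the stash, since the KDC and kadmind look it up by the string.
    for setting, dn in (("ldap_kdc_dn", ldap_kdc_dn),
                        ("ldap_kadmind_dn", ldap_kadmind_dn)):
        if dn not in entries:
            problems.append(f"{setting} {dn!r} has no entry in the stash")
        elif not entries[dn]:
            problems.append(f"{setting} {dn!r} has an empty password")
    return problems


# Constructed sample: the two DNs a kdc.conf would name, and a stash
# holding a line for each of them.
KDC_DN = "cn=kdc-service,dc=example,dc=com"
KADMIND_DN = "cn=kadmin-service,dc=example,dc=com"
GOOD_STASH = "\n".join([make_entry(KDC_DN, "kdc-secret"),
                        make_entry(KADMIND_DN, "kadmin-secret"),
                        ""]).encode("ascii")

if __name__ == "__main__":
    print("good stash:", check_stash(GOOD_STASH, KDC_DN, KADMIND_DN))
    # Only the KDC's DN stashed: kadmind has no password to bind with.
    one_dn = make_entry(KDC_DN, "kdc-secret").encode("ascii")
    print("missing kadmind DN:", check_stash(one_dn, KDC_DN, KADMIND_DN))
    # Binary contents, as a master-key stash would have.
    print("binary file:", check_stash(b"\x00\x01\x02\xff", KDC_DN, KADMIND_DN))
```

To use it against a real installation, read the file named by ldap_service_password_file in kdc.conf as bytes and pass it to check_stash together with the ldap_kdc_dn and ldap_kadmind_dn values from the same file; the script never prints the decoded passwords, only which DN is missing or malformed.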