
kdb5_ldap_util fails, no idea why


Dr. Lars Hanke
Nov 5, 2016, 5:03:23 PM
to kerb...@mit.edu
I'm currently setting up a new KDC for a new domain. I also have a shiny
new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
fine, there is no specific data in it yet.

Trying to create the Kerberos container, I get the following error:

kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees
dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
Password for "cn=admin,dc=microsult,dc=de":
Initializing database for realm 'UAC.MICROSULT.DE'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
while creating realm 'UAC.MICROSULT.DE'

I read somewhere that this may be due to the kerberos container not
being a CN attribute. Actually I see in the debug trace of OpenLDAP that
it denies dc=microsult,dc=de since it's not a CN.

Am I supposed to create a CN node under my TLD and use this? I don't
quite understand how the final layout in LDAP is supposed to be and how
to put that into arguments for kdb5_ldap_util.

Any closer explanation is appreciated. Thanks for your help,

- lars.


t Seeger
Nov 6, 2016, 5:25:24 AM
to deb...@lhanke.de, kerb...@mit.edu
Hello,

I made an installer script to set up a Kerberos server with an LDAP backend. It is for Ubuntu or Debian only. The script is not perfect and is for testing, but it should guide you in the right direction. You can find it under: https://wp.tntnet.eu/?p=112

Thorsten

Sent from my iPhone

Dr. Lars Hanke
Nov 7, 2016, 8:47:41 AM
to t Seeger, kerb...@mit.edu
I had a brief look at the scripts - well, the idea to understand the
relevant parts and reproduce on my own seems laborious at least. I guess
I'll set up a VM, install your system and try to understand what it did.

Thank you,
- lars.



Todd Grayson
Nov 7, 2016, 9:07:03 AM
to deb...@lhanke.de, kerb...@mit.edu
From that error message you need to provide the schema file for the
Kerberos LDAP objects to your directory instance. Can we assume you
followed top down the instructions from here?

https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html



--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Dr. Lars Hanke
Nov 7, 2016, 11:14:20 AM
to Todd Grayson, kerb...@mit.edu
On 07.11.2016 at 15:06, Todd Grayson wrote:
> From that error message you need to provide the schema file for the
> Kerberos LDAP objects to your directory instance. Can we assume you
> followed top down the instructions from here?
>
> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
Yes, this is my main source. It seems I have the schema on my LDAP:

ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' 'dn'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=schema,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: dn
#

# schema, config
dn: cn=schema,cn=config

# {0}core, schema, config
dn: cn={0}core,cn=schema,cn=config

# {1}cosine, schema, config
dn: cn={1}cosine,cn=schema,cn=config

# {2}nis, schema, config
dn: cn={2}nis,cn=schema,cn=config

# {3}inetorgperson, schema, config
dn: cn={3}inetorgperson,cn=schema,cn=config

# {4}samba, schema, config
dn: cn={4}samba,cn=schema,cn=config

# {5}kerberos, schema, config
dn: cn={5}kerberos,cn=schema,cn=config

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7

I admit that I did not understand why in that Howto many more schemas
were included to produce the LDIF for the Kerberos schema, but at least
OpenLDAP did accept it.

Thanks,
- lars.

t Seeger
Nov 8, 2016, 2:58:48 AM
to deb...@lhanke.de, kerb...@mit.edu
Hello,

Did you create the /etc/krb5kdc/kdc.conf file? The Kerberos container DN is set up there (ldap_kerberos_container_dn). And you need to use 'cn' for the container; this changed some versions ago.


[dbmodules]
LDAP = {
db_library = kldap
ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
....
}

- Thorsten

Sent from my iPhone
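The two checks this thread boils down to, as an added example (not from the thread or from Thorsten's script): confirm that the kerberos schema is present in cn=config, and confirm that kdc.conf names a container DN whose leading RDN is cn=, not the dc= suffix that failed with the object class violation above. The kdc.conf fragment and schema listing below are constructed samples modelled on the thread.

```python
import re

# Constructed kdc.conf fragment in the form the thread ends up with.
KDC_CONF = """\
[dbmodules]
    LDAP = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
    }
"""

# Constructed excerpt of `ldapsearch -b cn=schema,cn=config dn` output.
SCHEMA_LDIF = """\
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={5}kerberos,cn=schema,cn=config
"""


def container_dn(conf):
    """Return the ldap_kerberos_container_dn value from kdc.conf text, or None."""
    m = re.search(r"^\s*ldap_kerberos_container_dn\s*=\s*(\S.*?)\s*$", conf, re.M)
    return m.group(1) if m else None


def first_rdn_type(dn):
    """Attribute type of the leading RDN, e.g. 'cn' for cn=KERBEROS,dc=..."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()


def check_container(conf):
    """'ok', 'missing' or 'bad' verdict for the container DN in kdc.conf."""
    dn = container_dn(conf)
    if dn is None:
        return "missing: set ldap_kerberos_container_dn in [dbmodules]"
    if first_rdn_type(dn) != "cn":
        # Pointing the container at the dc= suffix is what produced
        # "Kerberos Container create FAILED: Object class violation".
        return f"bad: container {dn!r} must be a cn= entry, not {first_rdn_type(dn)}="
    return f"ok: {dn}"


def kerberos_schema_loaded(ldif):
    """True if the cn=config listing has a cn={N}kerberos schema entry."""
    return any(re.match(r"dn:\s*cn=\{\d+\}kerberos,cn=schema,cn=config", l.strip(), re.I)
               for l in ldif.splitlines())


if __name__ == "__main__":
    print(check_container(KDC_CONF))
    print("kerberos schema loaded:", kerberos_schema_loaded(SCHEMA_LDIF))
```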

Dr. Lars Hanke
Nov 8, 2016, 7:34:49 AM
to t Seeger, kerb...@mit.edu
ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de made it succeed. This is however not mentioned in the HOWTO. From the documentation of -subtree I thought that the principals would somehow be stored with the user and machine entries, i.e. not in a separate tree. So the idea for GSSAPI binding of users or machines will be to use authz?

Thanks for the help,
- lars.

t Seeger
Nov 8, 2016, 8:00:59 AM
to deb...@lhanke.de, kerb...@mit.edu
Hello,

You can add the principals under the user's cn; this is possible too. You just need to specify the DN of the user while adding it.
For GSSAPI I use olcAuthzRegexp to map to the LDAP objects. My userPassword attribute looks like: {SASL}username@REALM.

-Thorsten


Sent from my iPhone

t Seeger
Nov 8, 2016, 1:28:34 PM
to deb...@lhanke.de, kerb...@mit.edu
Hello Lars,

I corrected a little bug in my script, so please use the new version: https://wp.tntnet.eu/?p=112 . The bug is only a problem in a multimaster setup, because the keytab is not updated correctly.

- Thorsten

Sent from my iPhone