Hi,

What I mean is the Kerberos ticket:

    root at force:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: host/force.development01.tag.no at DEVELOPMENT01.TAG.NO

    Valid starting       Expires              Service principal
    07/28/09 14:49:35    07/28/09 15:49:35    krbtgt/DEVELOPMENT01.TAG.NO at DEVELOPMENT01.TAG.NO
            renew until 07/29/09 00:49:35
    07/28/09 14:49:35    07/28/09 15:49:35    ldap/cd1.development01.tag.no at DEVELOPMENT01.TAG.NO
            renew until 07/29/09 00:49:35
    07/28/09 14:49:39    07/28/09 15:49:35    ldap/cd2.development01.tag.no at DEVELOPMENT01.TAG.NO
            renew until 07/29/09 00:49:35

I have set the expire time for the ticket to be 1 hour so it speeds it up (default in Windows was 10). When this ticket expires, no logons are possible, any at all, local accounts or accounts in Active Directory, as the logon prompt hangs right after the user name has been entered.

The ldap configuration is as follows:

    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= CD1, CD2
    NS_LDAP_SEARCH_BASEDN= dc=development01,dc=tag,dc=no
    NS_LDAP_AUTH= sasl/GSSAPI
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= self
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,dc=development01,dc=tag,dc=no?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:cn=users,dc=development01,dc=tag,dc=no?sub
    NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
    NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group

Which also has another problem in it (the NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,dc=development01,dc=tag,dc=no?sub and the groups one). I want it to search all the directory, so would like NS_LDAP_SERVICE_SEARCH_DESC= passwd: dc=development01,dc=tag,dc=no?sub. That appears to cause the ldapclient to error, but that's something else to look at after this first problem is resolved.

The NS_LDAP_SERVERS= has been set using names and IP addresses, both with the same result.

> Do you mean realm or domain? Domain implies the KDC is Windows AD.

The KDC is a Windows AD; this is authenticating against a Windows domain. For a detailed look at the configuration I have, look at the PDF here: http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp

> A valid krbtgt, or do you mean a valid service ticket for the host?

See above.

> Are you running nscd? If not try running it. Without it, the client may try and connect to the
> LDAP server as the user, rather than as root.

Nscd is running, but the user should attempt to connect as themself with the above ldap configuration, shouldn't they?

Thanks for your help