Hello everybody,
I'm trying to set up MIT Kerberos with an OpenLDAP backend. I found a description of this functionality in the Kerberos admin guide, and I followed the provided instructions. But it is not usable: I cannot create a working principal, assign a policy or do kinit. Default principals like K/M work as expected.
I would appreciate any help.
System information:
Debian Etch
MIT kerberos 1.6.3 (compiled from debian testing packages)
OpenLDAP 2.4.10 (compiled from OpenLDAP sources)
A transcript of the actions follows:
builder:/etc/krb5kdc# kdb5_ldap_util -D cn=adm-service,o=kerberos -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi create -subtrees o=kerberos -r TEST -s -sf /etc/krb5kdc/stash
Password for "cn=adm-service,o=kerberos":
Initializing database for realm 'TEST'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
builder:/etc/krb5kdc# kadmin.local -q "ank -pw 123456 user1"
Authenticating as principal root/[EMAIL PROTECTED] with password.
WARNING: no policy specified for [EMAIL PROTECTED]; defaulting to no
policy
Principal "[EMAIL PROTECTED]" created.
builder:/etc/krb5kdc# kadmin.local -q "getprincs *"
Authenticating as principal root/[EMAIL PROTECTED] with password.
K/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
[EMAIL PROTECTED]
builder:/etc/krb5kdc# kadmin.local -q "getprinc user1"
Authenticating as principal root/[EMAIL PROTECTED] with password.
Segmentation fault
builder:/etc/krb5kdc# kadmin.local -q "add_policy -maxlife 180day default"
Authenticating as principal root/[EMAIL PROTECTED] with password.
builder:/etc/krb5kdc# kadmin.local -q "getprincs *"
Authenticating as principal root/[EMAIL PROTECTED] with password.
K/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
[EMAIL PROTECTED]
builder:/etc/krb5kdc# kadmin.local -q "ank -pw 123456 user2"
Authenticating as principal root/[EMAIL PROTECTED] with password.
NOTICE: no policy specified for [EMAIL PROTECTED]; assigning "default"
Principal "[EMAIL PROTECTED]" created.
builder:/etc/krb5kdc# kadmin.local -q "getprincs *"
Authenticating as principal root/[EMAIL PROTECTED] with password.
get_principals: Invalid argument while retrieving list.
builder:/etc/krb5kdc# kadmin.local -q "getprinc user2"
Authenticating as principal root/[EMAIL PROTECTED] with password.
get_principal: Invalid argument while retrieving "[EMAIL PROTECTED]".
builder:/etc/krb5kdc# kadmin.local -q "getprinc user1"
Authenticating as principal root/[EMAIL PROTECTED] with password.
Segmentation fault
builder:/etc/krb5kdc# kadmin.local -q "getprinc K/M"
Authenticating as principal root/[EMAIL PROTECTED] with password.
Principal: K/[EMAIL PROTECTED]
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 03 13:37:44 CEST 2008 ([EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: DISALLOW_ALL_TIX REQUIRES_PRE_AUTH
Policy: [none]
builder:/etc/krb5kdc# /etc/init.d/krb5-kdc start
builder:/etc/krb5kdc# kinit user1
Password for [EMAIL PROTECTED]:
builder:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
07/03/08 13:55:37 07/03/08 23:55:37 krbtgt/[EMAIL PROTECTED]
renew until 07/04/08 13:55:34
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
builder:/etc/krb5kdc# kdestroy
builder:/etc/krb5kdc# kinit user2
kinit(v5): Generic error (see e-text) while getting initial credentials
and here is the log message:
Jul 03 13:55:58 builder krb5kdc[7486](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 158.195.31.111: LOOKING_UP_CLIENT: [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Invalid argument
--
Matej Zagiba
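A diagnostic helper added here as an example; it is not part of the original post and not code from the MIT Kerberos project. When kadmin.local segfaults on one principal and returns "Invalid argument" on another, the first thing worth checking is what was actually written to the directory, because that separates a KDC/kadmin bug from a schema, ACL or layout problem. The script queries the realm container, the password policies and the three principals from the transcript with plain ldapsearch, using the same bind DN and ldapi:// URI as above. Assumptions (all labelled in the code): the realm container lives at cn=TEST,cn=krbContainer,o=kerberos, policies are stored as cn=<name> entries directly under it, and the bind password is read from a file named by BIND_PW_FILE (ldapsearch -y).

```shell
#!/bin/sh
# Added example (not from the original post). Inspect what kdb5_ldap_util and
# kadmin.local wrote into OpenLDAP so the KDC's view of each principal can be
# compared with what kadmin reports.
#
# Assumptions: realm container is cn=$REALM,cn=krbContainer,$BASE_DN; policies
# are cn=<name> under that container; BIND_PW_FILE holds the bind password.

LDAP_URI="${LDAP_URI:-ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi}"
BIND_DN="${BIND_DN:-cn=adm-service,o=kerberos}"
BASE_DN="${BASE_DN:-o=kerberos}"
REALM="${REALM:-TEST}"

# Escape an RFC 4515 filter value so '\', '*', '(' and ')' in a principal name
# are matched literally instead of acting as filter syntax.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# DN of the realm container (assumed layout, see above).
realm_dn() { printf 'cn=%s,cn=krbContainer,%s' "$REALM" "$BASE_DN"; }

# DN where a password policy named $1 is expected (assumed layout).
policy_dn() { printf 'cn=%s,%s' "$1" "$(realm_dn)"; }

# Search filter for the principal $1 in $REALM; krbPrincipalAux is the auxiliary
# class kadmin attaches to every principal entry it manages.
principal_filter() {
  printf '(&(objectClass=krbPrincipalAux)(krbPrincipalName=%s@%s))' \
    "$(ldap_filter_escape "$1")" "$REALM"
}

# ldap_show BASE SCOPE FILTER [ATTR...]: one simple-bind search, LDIF output.
ldap_show() {
  base=$1; scope=$2; filter=$3; shift 3
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
    -b "$base" -s "$scope" "$filter" "$@"
}

check_realm() {
  echo "== realm container: which subtrees and scope the KDC searches"
  ldap_show "$(realm_dn)" base '(objectClass=krbRealmContainer)' \
    krbSubTrees krbSearchScope krbSupportedEncSaltTypes

  echo "== password policies under the realm container"
  ldap_show "$(realm_dn)" one '(objectClass=krbPwdPolicy)' cn krbMaxPwdLife

  echo "== expected DN of the policy named 'default': $(policy_dn default)"

  # K/M works, user1 segfaults, user2 fails with EINVAL: compare their entries.
  for p in K/M user1 user2; do
    echo "== principal $p"
    ldap_show "$BASE_DN" sub "$(principal_filter "$p")" \
      objectClass krbPrincipalName krbPwdPolicyReference krbTicketFlags
  done
}

# Only talk to the directory when the tooling and credentials are present, so
# the helper functions above can be sourced and exercised anywhere.
if command -v ldapsearch >/dev/null 2>&1 && [ -n "$BIND_PW_FILE" ] && [ -r "$BIND_PW_FILE" ]; then
  check_realm
else
  echo "ldapsearch not found or BIND_PW_FILE unset/unreadable; run this on the KDC host" >&2
fi
```

Things to look for in the output: whether user1 and user2 carry the same objectClass set as K/M, whether user2's krbPwdPolicyReference points at a DN that really exists (the policy search and the printed expected DN should agree), and whether the entries sit inside one of the krbSubTrees the realm container lists; a principal the KDC cannot find or cannot parse is a more tractable bug report than a bare segfault.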
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos