My problem was actually a typo. In my realm, I had:

    database_module = opeldap_ldapconf

Which did not match opeNldap_ldapconf.

MAT

On 3/11/09 9:15 AM, "Mathew Rowley" <[email protected]> wrote:

> I am trying to start up a freshly installed/configured MIT Kerberos
> (1.6.1-31) implementation, but I am obviously missing something. I am using
> an LDAP backend, but the service will not start. Here is what I have done;
> can anyone see something I am missing? Or know of a way I can get more
> logging? Thanks.
>
> 1. Modified /var/kerberos/krb5kdc/krb.conf to set up the realm
>
> 2. Modified /etc/krb5.conf to include ldap information:
>    [dbdefaults]
>        ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
>    [dbmodules]
>        openldap_ldapconf = {
>            db_library = kldap
>            ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
>            ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
>            # this object needs to have read rights on
>            # the realm container, principal container and realm sub-trees
>            ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
>            # this object needs to have read and write rights on
>            # the realm container, principal container and realm sub-trees
>            ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.keyfile
>            ldap_servers = ldap://kdc01.security.lab.comcast.net
>            ldap_conns_per_server = 5
>        }
>
> 3. Created the ldap users (kadmin, kdc)
>
> 4. Initialized the ldap backend with kdb5_ldap_util (kdb5_ldap_util -H
>    ldap://10.252.152.78 -D 'cn=manager,dc=comcast,dc=com' create -subtrees
>    'dc=comcast,dc=com' -r COMCAST.NET s)
>
> 5. Stashed kadmin and kdc passwords in /var/kerberos/krb5kdc/kdc5.keyfile
>    using kdb5_ldap_util (kdb5_ldap_util stashsrvpw -f
>    /var/kerberos/krb5kdc/kdc5.keyfile 'cn=kadmin,dc=comcast,dc=com')
>
> 6. Modified ldap ACL according to
>    http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html but with
>    my kadmin/kdc name and my dn (using ldap 2.4.15 with new cn=config)
>    olcAccess: to dn.base="" by * read
>    olcAccess: to dn.base="cn=Subschema" by * read
>    olcAccess: to attrs=userPassword,userPKCS12 by self write
>        by * read
>    olcAccess: to dn.subtree="dc=comcast,dc=com"
>        by dn.exact="cn=kdc,dc=comcast,dc=com" read
>        by dn.exact="cn=kadmin,dc=comcast,dc=com" write
>        by * none
>    olcAccess: to dn.subtree="cn=COMCAST.COM,cn=krbcontainer,dc=comcast,dc=com"
>        by dn.exact="cn=kdc,dc=comcast,dc=com" read
>        by dn.exact="cn=kadmin,dc=comcast,dc=com" write
>        by * none
>    olcAccess: to * by * read
>
> 7. Confirmed I can ldapsearch with kadmin and kdc ldap users
>
> 8. Tried to start krb5kdc - /etc/init.d/krb5kdc start:
>    [r...@kdc01 krb5kdc]# /etc/init.d/krb5kdc start
>    Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm COMCAST.COM - see
>    log file for details
>    [FAILED]
>    [r...@kdc01 krb5kdc]# cat /var/log/krb5kdc.log
>    krb5kdc: No such file or directory - while initializing database for realm
>    COMCAST.COM
>
> Any ideas? Thanks for any help.
>
> --
> MAT
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
MAT
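The root cause in this thread is a dangling reference: the realm's database_module names a [dbmodules] stanza that does not exist, and the KDC reports it only as "No such file or directory". As an added example (not code from the thread or from MIT Kerberos), here is a small Python checker that parses krb5.conf/kdc.conf syntax and verifies that every database_module resolves to a defined module and that a kldap module has the LDAP settings it binds with. The [realms] stanza in the sample config is assumed, since the post only shows [dbdefaults] and [dbmodules]; the typo from the follow-up is reproduced in it so the check fires.

```python
"""Lint krb5.conf/kdc.conf: does each realm's database_module exist?
Added example for this thread, not MIT Kerberos code. The sample config is
constructed from the post; its [realms] stanza is assumed."""
import re

SECTION_RE = re.compile(r'^\[(\S+)\]$')
ASSIGN_RE = re.compile(r'^(\S+)\s*=\s*(.*)$')


def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'key = { ... }' blocks become nested
    dicts, full-line '#'/';' comments are skipped, and surrounding double
    quotes are stripped from values (the ldap_kdc_dn lines use them)."""
    conf, section, stack = {}, None, []  # stack: open '{' blocks, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m and not stack:
            section = conf.setdefault(m.group(1), {})
            continue
        if line == '}':
            if not stack:
                raise ValueError("unbalanced '}' in: %r" % raw)
            stack.pop()
            continue
        m = ASSIGN_RE.match(line)
        if not m or section is None:
            raise ValueError("cannot parse: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        target = stack[-1] if stack else section
        if value == '{':
            target[key] = {}
            stack.append(target[key])
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        target[key] = value
    if stack:
        raise ValueError("unterminated '{' block")
    return conf


def lint_db_modules(conf):
    """Return a list of problem strings; empty means every realm's
    database_module resolves and the kldap settings it relies on are set."""
    problems = []
    modules = conf.get('dbmodules', {})
    defaults = conf.get('dbdefaults', {})
    for realm, settings in conf.get('realms', {}).items():
        if not isinstance(settings, dict):
            continue
        name = settings.get('database_module')
        if name is None:
            continue  # realm uses the default backend; nothing to resolve
        if name not in modules:
            problems.append("realm %s: database_module %r has no [dbmodules] entry (defined: %s)"
                            % (realm, name, ', '.join(sorted(modules)) or 'none'))
            continue
        mod = modules[name]
        if mod.get('db_library') != 'kldap':
            continue

        def setting(key):  # module stanza first, then [dbdefaults]
            return mod.get(key, defaults.get(key))
        for key in ('ldap_servers', 'ldap_kerberos_container_dn'):
            if setting(key) is None:
                problems.append("module %s: %s not set" % (name, key))
        # A bind DN without a stashed password file cannot bind as that DN.
        if (setting('ldap_kdc_dn') or setting('ldap_kadmind_dn')) and not setting('ldap_service_password_file'):
            problems.append("module %s: bind DN set but no ldap_service_password_file" % name)
    return problems


# Constructed from the post's fragment; [realms] is assumed and carries the
# typo ("opeldap_ldapconf") reported in the follow-up.
BROKEN_CONF = """\
[dbdefaults]
    ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
        ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
        # this object needs to have read rights on the realm container
        ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
        ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.keyfile
        ldap_servers = ldap://kdc01.security.lab.comcast.net
        ldap_conns_per_server = 5
    }
[realms]
    COMCAST.COM = {
        database_module = opeldap_ldapconf
    }
"""
FIXED_CONF = BROKEN_CONF.replace('opeldap_ldapconf', 'openldap_ldapconf')

if __name__ == '__main__':
    for label, text in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        print(label, lint_db_modules(parse_krb5_conf(text)) or 'OK')
```

Run it against the real files with the [realms] stanza from kdc.conf pasted in; the same check applies whether database_module lives in kdc.conf or krb5.conf, since the KDC reads both.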
