Hello!

I've configured Kerberos with an LDAP backend and I'm now trying to fill it with users.

System:   RHEL5
Kerberos: 1.6.1-70.el5 (MIT)
LDAP:     openldap-ltb-2.4.28-1.el5

Kerberos is talking to the local LDAP via LDAPI.

The setup is working for all principals in the Kerberos container. I can do a kinit and get a ticket...

I also did a

    kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees ou=people,dc=uni-koeln,dc=de

I did an ldapadd for some test users, followed by an addprinc for each test user. A listprincs shows the principals of these test users.

But when I try to do a kinit I get this:

    kinit a0537
    kinit(v5): Client not found in Kerberos database while getting initial credentials

This happens for each principal in the ou=People.

The ldapsearch with the first part of the krb5 request in the LDAP log shows this:

    ldapsearch -x -ZZ -H ldap://... -D cn=... -W "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))" scope=2 deref=0
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope subtree
    # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))
    # requesting: scope=2 deref=0
    #

    # a0537, People, uni-koeln.de
    dn: uid=a0537,ou=People,dc=uni-koeln,dc=de

    # search result
    search: 3
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

So the principal is in the tree.

The complete krb5 request in the LDAP log looks like this:

    slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
    slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
    slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
    slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
    slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
    slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
    slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
    slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
    slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences

I don't understand what is happening, and I don't know where to look.

Regards
Berthold Cogel

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
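
An added example, not part of the original post: a small Python parser for slapd log lines in the format quoted above, pairing each SRCH with its SEARCH RESULT and with the bind DN of its connection, so the KDC's searches can be set beside a manual ldapsearch. The sample log is constructed, the principal in its filter is a placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample in the slapd log format quoted above; the principal
# name in the filter is a placeholder, not a value from the post.
SAMPLE_LOG = """\
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(krbPrincipalName=user@EXAMPLE.REALM)"
slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass
slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(krbPrincipalName=user@EXAMPLE.REALM)"
"""

LINE = re.compile(r'conn=(\d+) op=(\d+) (.*)')
BIND = re.compile(r'BIND dn="([^"]*)" method=')
SRCH = re.compile(r'SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="(.*)"$')
DONE = re.compile(r'SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')

def correlate(log_text):
    """Pair each SRCH with its SEARCH RESULT and the bind DN of its connection."""
    bind_dn = {}    # conn -> DN from the most recent BIND on that connection
    searches = {}   # (conn, op) -> record; dicts keep insertion order
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        conn, op, rest = m.group(1), m.group(2), m.group(3)
        if (b := BIND.match(rest)):
            bind_dn[conn] = b.group(1)
        elif (s := SRCH.match(rest)):
            searches[(conn, op)] = {
                "conn": conn, "op": op,
                "bind_dn": bind_dn.get(conn, "(anonymous or not logged)"),
                "base": s.group(1), "scope": int(s.group(2)),
                "filter": s.group(3), "err": None, "nentries": None,
            }
        elif (d := DONE.match(rest)) and (conn, op) in searches:
            searches[(conn, op)].update(err=int(d.group(1)), nentries=int(d.group(2)))
    return list(searches.values())

def empty_searches(records):
    """Searches that completed successfully (err=0) but matched no entry."""
    return [r for r in records if r["err"] == 0 and r["nentries"] == 0]

if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r["bind_dn"], r["base"], "nentries =", r["nentries"])
```

A search whose SEARCH RESULT line is missing from the log, like op=2 in the excerpt, is reported with `nentries` left as `None` rather than counted as empty.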
