On 19.10.2012 20:59, Bob Liu wrote:
> It depends on how you have your "krb5.conf" configured... you might want
> to try the following kinit instead and see...
>
> kinit [email protected]
>
>> Date: Fri, 19 Oct 2012 20:02:41 +0200
>> From: [email protected]
>> To: [email protected]; [email protected]
>> Subject: Re: kinit failure with Kerberos and LDAP backend
>>
>> Hi,
>>
>> is there any difference in the output of the following two search requests?
>>
>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>     -b ou=People,dc=uni-koeln,dc=de \
>>     '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'
>>
>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>     -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>>     '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'
>>
>> Regards,
>>
>> Mark
>>
>> On 19.10.2012 16:05, Berthold Cogel wrote:
>> > Hello!
>> >
>> > I've configured kerberos with an LDAP backend and I'm now trying to fill
>> > it with users.
>> >
>> > System: RHEL5
>> > Kerberos: 1.6.1-70.el5 (MIT)
>> > LDAP: openldap-ltb-2.4.28-1.el5
>> >
>> > Kerberos is talking to the local LDAP via LDAPI.
>> >
>> > The setup is working for all principals in the kerberos container. I can
>> > do a kinit and get a ticket...
>> > I also did an
>> > kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees
>> > ou=people,dc=uni-koeln,dc=de
>> >
>> > I did an ldapadd for some testusers followed by an addprinc for each
>> > testuser. A listprincs shows the principals of these testusers.
>> >
>> > But when I try to do a kinit I get this:
>> >
>> > kinit a0537
>> > kinit(v5): Client not found in Kerberos database while getting initial
>> > credentials
>> >
>> > This happens for each principal in the ou=People.
>> >
>> > The ldapsearch with the first part of the krb5 request in the LDAP log
>> > shows this:
>> >
>> > ldapsearch -x -ZZ -H ldap://... -D cn=... -W
>> > "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
>> > scope=2 deref=0
>> > Enter LDAP Password:
>> > # extended LDIF
>> > #
>> > # LDAPv3
>> > # base <> with scope subtree
>> > # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))
>> > # requesting: scope=2 deref=0
>> > #
>> >
>> > # a0537, People, uni-koeln.de
>> > dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
>> >
>> > # search result
>> > search: 3
>> > result: 0 Success
>> >
>> > # numResponses: 2
>> > # numEntries: 1
>> >
>> > So the principal is in the tree. The complete krb5 request in the LDAP
>> > log looks like this:
>> >
>> > slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
>> > slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
>> > slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
>> > slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
>> > slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
>> > slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>> > slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> > slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
>> > slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>> >
>> > I don't understand what is happening. And I don't know where to look.
>> >
>> > Regards
>> >
>> > Berthold Cogel
>> > ________________________________________________
>> > Kerberos mailing list [email protected]
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>> Mark Pröhl
>> [email protected]
>> www.kerberos-buch.de

I'm getting the same response:

kinit a0537
kinit(v5): Client not found in Kerberos database while getting initial
credentials

kinit [email protected]
kinit(v5): Client not found in Kerberos database while getting initial
credentials

Regards
Berthold
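
Added example, not part of the thread: one way to line up, from a slapd stats log like the one quoted above, which bind DN issued each search and how many entries it got back, so the KDC's search can be compared with a manual one using the same base and filter. The sample log is constructed (DNs, realm, principal and connection numbers are placeholders), and the function names are this example's own.

```python
import re

# Constructed sample in the slapd stats-log format quoted in the thread.
# DNs, realm and principal are placeholders, not values from the thread.
FILTER = "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=testuser@EXAMPLE.ORG))"
SAMPLE_LOG = f"""\
slapd[9882]: conn=1001 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
slapd[9882]: conn=1001 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=example,dc=org" method=128
slapd[9882]: conn=1001 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=1001 op=1 SRCH base="ou=People,dc=example,dc=org" scope=2 deref=0 filter="{FILTER}"
slapd[9882]: conn=1001 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey
slapd[9882]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=1001 op=2 SRCH base="cn=EXAMPLE.ORG,ou=Kerberos,dc=example,dc=org" scope=2 deref=0 filter="{FILTER}"
slapd[9882]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
slapd[9882]: conn=1002 op=1 SRCH base="ou=People,dc=example,dc=org" scope=2 deref=0 filter="{FILTER}"
slapd[9882]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (.*)')
BIND_RE = re.compile(r'BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'SRCH base="([^"]*)" scope=\d+ deref=\d+ filter="(.*)"')
RESULT_RE = re.compile(r'SEARCH RESULT tag=\d+ err=\d+ nentries=(\d+)')

def correlate_searches(log_text):
    """One record per SRCH: who was bound, what was asked, what came back."""
    bind_dn, searches = {}, {}  # conn -> DN of last BIND; (conn, op) -> record
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # ACCEPT/closed lines carry no op=
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        if b := BIND_RE.match(rest):
            bind_dn[conn] = b.group(1)
        elif s := SRCH_RE.match(rest):
            searches[(conn, op)] = {"bind_dn": bind_dn.get(conn, "(no BIND seen)"),
                                    "base": s.group(1), "filter": s.group(2),
                                    "nentries": None}  # None until a result line arrives
        elif (r := RESULT_RE.match(rest)) and (conn, op) in searches:
            searches[(conn, op)]["nentries"] = int(r.group(1))
    return list(searches.values())

def differing_by_identity(records):
    """Searches with the same base and filter whose entry count depends on the bind DN."""
    groups = {}
    for r in records:
        if r["nentries"] is not None:
            groups.setdefault((r["base"], r["filter"]), {})[r["bind_dn"]] = r["nentries"]
    return {k: v for k, v in groups.items() if len(set(v.values())) > 1}

if __name__ == "__main__":
    print(differing_by_identity(correlate_searches(SAMPLE_LOG)))
```

A non-empty result means the same base and filter returned different entry counts depending on the bind DN, which is a question about what that DN may read in slapd rather than about whether the entry exists.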
