Hello, did you create the /etc/krb5kdc/kdc.conf file? The Kerberos container DN is set up there (ldap_kerberos_container_dn). And you need to use 'cn' for the container; this changed some versions ago.

[dbmodules]
    LDAP = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
        ....
    }

- Thorsten

Sent from my iPhone

> On 07.11.2016 at 17:14, Dr. Lars Hanke <deb...@lhanke.de> wrote:
>
>> On 07.11.2016 at 15:06, Todd Grayson wrote:
>> From that error message you need to provide the schema file for the
>> Kerberos LDAP objects to your directory instance. Can we assume you
>> followed top down the instructions from here?
>>
>> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
>
> Yes, this is my main source. It seems I have the schema on my LDAP:
>
> ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' 'dn'
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <cn=schema,cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: dn
> #
>
> # schema, config
> dn: cn=schema,cn=config
>
> # {0}core, schema, config
> dn: cn={0}core,cn=schema,cn=config
>
> # {1}cosine, schema, config
> dn: cn={1}cosine,cn=schema,cn=config
>
> # {2}nis, schema, config
> dn: cn={2}nis,cn=schema,cn=config
>
> # {3}inetorgperson, schema, config
> dn: cn={3}inetorgperson,cn=schema,cn=config
>
> # {4}samba, schema, config
> dn: cn={4}samba,cn=schema,cn=config
>
> # {5}kerberos, schema, config
> dn: cn={5}kerberos,cn=schema,cn=config
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 8
> # numEntries: 7
>
> I admit that I did not understand why in that Howto many more schemas
> were included to produce the LDIF for the Kerberos schema, but at least
> OpenLDAP did accept it.
>
> Thanks,
> - lars.
>
>> On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <deb...@lhanke.de> wrote:
>>
>> I'm currently setting up a new KDC for a new domain. I also have a shiny
>> new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
>> fine, there is no specific data in it yet.
>>
>> Trying to create the Kerberos container, I get the following error:
>>
>> kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees
>> dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
>> Password for "cn=admin,dc=microsult,dc=de":
>> Initializing database for realm 'UAC.MICROSULT.DE'
>> You will be prompted for the database Master Password.
>> It is important that you NOT FORGET this password.
>> Enter KDC database master key:
>> Re-enter KDC database master key to verify:
>> kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
>> while creating realm 'UAC.MICROSULT.DE'
>>
>> I read somewhere that this may be due to the Kerberos container not
>> being a CN attribute. Actually I see in the debug trace of OpenLDAP that
>> it denies dc=microsult,dc=de since it's not a CN.
>>
>> Am I supposed to create a CN node under my TLD and use this? I don't
>> quite understand how the final layout in LDAP is supposed to look and how
>> to put that into arguments for kdb5_ldap_util.
>>
>> Any closer explanation is appreciated. Thanks for your help,
>>
>> - lars.
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>> Todd Grayson
>> Business Operations Manager
>> Customer Operations Engineering
>> Security SME
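For reference, here is a complete kdc.conf for the kldap backend that follows Thorsten's advice (a cn-named container under the base DN). This is an added example, not Thorsten's or Lars's file and not taken from the Ubuntu guide; the realm and base DN (UAC.MICROSULT.DE, dc=microsult,dc=de) are taken from the thread, while the container name cn=krbContainer, the service bind DNs cn=kdc-service / cn=kadmin-service, the stash file path and the lifetimes are assumptions chosen for illustration.

```ini
# /etc/krb5kdc/kdc.conf -- added example, not from the original post.
# Assumptions: realm UAC.MICROSULT.DE, base dc=microsult,dc=de,
# container cn=krbContainer,dc=microsult,dc=de, and two dedicated
# service bind entries (kdc-service, kadmin-service) that already exist.

[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    UAC.MICROSULT.DE = {
        # Must match the module name under [dbmodules] below.
        database_module = LDAP
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }

[dbmodules]
    LDAP = {
        db_library = kldap
        # The container entry kdb5_ldap_util creates is objectClass
        # krbContainer and is named by cn. Pointing this at the
        # dc=microsult,dc=de base itself is what produces the
        # "Object class violation" shown in the thread.
        ldap_kerberos_container_dn = cn=krbContainer,dc=microsult,dc=de
        # Separate, least-privilege identities for the KDC and kadmind.
        # Do not run the daemons as cn=admin; grant these two entries
        # write access only to the container and the principal subtrees.
        ldap_kdc_dn = cn=kdc-service,dc=microsult,dc=de
        ldap_kadmind_dn = cn=kadmin-service,dc=microsult,dc=de
        # Cleartext bind passwords live here: root-owned, mode 0600.
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # Local socket; use ldaps:// if the directory is on another host.
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
    }
```

With this file in place, create the container and realm with `kdb5_ldap_util -D cn=admin,dc=microsult,dc=de -H ldapi:/// create -subtrees dc=microsult,dc=de -sscope SUB -r UAC.MICROSULT.DE -s`, then stash the two service passwords with `kdb5_ldap_util -D cn=admin,dc=microsult,dc=de -H ldapi:/// stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-service,dc=microsult,dc=de` (and again for cn=kadmin-service). A quick check that the container landed where kdc.conf expects it: `ldapsearch -x -D cn=admin,dc=microsult,dc=de -W -b cn=krbContainer,dc=microsult,dc=de -s base objectClass` should return an entry whose objectClass includes krbContainer; if it does not, the KDC will start but fail to find the realm.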