[Touch-packages] [Bug 1363897] Re: kdb5_ldap_util can not create krbContainer
The on the whole very useful documentation in https://help.ubuntu.com/lts/serverguide is still not updated to Gabriel Burkholder's message from 2015-01-11:

- https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html

Next, use the kdb5_ldap_util utility to create the realm:

  sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \
  dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

--

So setting up a Kerberos server on LDAP in Ubuntu 16.04 is still a pain.
What is to be done to fix the documentation?

PS: I collected a lot of scripts for setting up a Kerberos on LDAP and other servers in: https://github.com/edvapp/networkbox
If they are useful for more people, any useful hints to make them more known?

Thanks
Reinhard

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1363897

Title:
  kdb5_ldap_util can not create krbContainer

Status in krb5 package in Ubuntu:
  Confirmed

Bug description:
  Following instructions on https://help.ubuntu.com/10.04/serverguide/kerberos-ldap.html

  creating the initial database with kdb5_ldap_util
  (>>sudo kdb5_ldap_util -D cn=admin,dc=app,dc=tsn create -subtrees dc=app,dc=tsn -r APP.TSN -s -H ldap:///ldap01.app.tsn)

  fails with error message:
  >>kdb5_ldap_util: Kerberos Container create FAILED: Object class violation while creating realm 'APP.TSN'

  after reading these mails
  http://comments.gmane.org/gmane.comp.encryption.kerberos.general/18509
  setting up loglevel for slapd in syslog, following error message can be found:
  --
  Sep 1 09:52:19 ldap01 slapd[1165]: ==> hdb_add: dc=app,dc=tsn
  Sep 1 09:52:19 ldap01 slapd[1165]: oc_check_required entry (dc=app,dc=tsn), objectClass "krbContainer"
  Sep 1 09:52:19 ldap01 slapd[1165]: oc_check_allowed type "objectClass"
  Sep 1 09:52:19 ldap01 slapd[1165]: oc_check_allowed type "cn"
  Sep 1 09:52:19 ldap01 slapd[1165]: oc_check_allowed type "structuralObjectClass"
  Sep 1 09:52:19 ldap01 slapd[1165]: oc_check_allowed type "dc"
  Sep 1 09:52:19 ldap01 slapd[1165]: Entry (dc=app,dc=tsn), attribute 'dc' not allowed
  Sep 1 09:52:19 ldap01 slapd[1165]: hdb_add: entry failed schema check: attribute 'dc' not allowed (65)
  ---

  System:
  Ubuntu 14.04 LTS
  slapd 2.4.31-1+nmu amd64
  krb5-config2.3
  krb5-kdc 1.12+dfsg-2u amd64
  krb5-kdc-ldap 1.12+dfsg-2u amd64
  krb5-locales 1.12+dfsg-2u
  krb5-user 1.12+dfsg-2u amd64

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1363897/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1363897] Re: kdb5_ldap_util can not create krbContainer
Just appears to be an issue with the documentation as noted by Gabriel's previously linked bug report https://bugs.launchpad.net/serverguide/+bug/1409392

Can confirm that following the guide but making the change highlighted by https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1363897/comments/3 the containers look to have been created successfully and kadmin looks populated, it was also able to add the kerberos attributes to an existing user in the ldap database.

This was all without making any other changes, so regarding Rob's query the kdb5_ldap_util create line stayed as is.
[Touch-packages] [Bug 1363897] Re: kdb5_ldap_util can not create krbContainer
Should the following lines also be changed? E.g.:

  sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \
  dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

Does that dc=example,dc=com need to be replaced with cn=krbContainer,dc=example,dc=com?
[Touch-packages] [Bug 1363897] Re: kdb5_ldap_util can not create krbContainer
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: krb5 (Ubuntu)
       Status: New => Confirmed
[Touch-packages] [Bug 1363897] Re: kdb5_ldap_util can not create krbContainer
Edit /etc/krb5.conf, and change the section:

  [dbdefaults]
          ldap_kerberos_container_dn = dc=example,dc=com

to

  [dbdefaults]
          ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

This issue appears to have been introduced in kdb5_ldap_util 1.12:
http://mailman.mit.edu/pipermail/kerberos/2014-March/019575.html

Basically, you have to start ldap_kerberos_container_dn with a 'cn'.

Unfortunately, I believe the official Ubuntu LTS documentation is to blame here. Anyone following those directions is going to run into this issue:
https://help.ubuntu.com/14.04/serverguide/kerberos-ldap.html#kerberos-ldap-primary-kdc
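A pre-flight check for the setting discussed in the message above, as an added example (not part of the original post and not krb5's own tooling): it reads a krb5.conf-style file and flags any ldap_kerberos_container_dn whose leading RDN is not cn, the case slapd rejects with "attribute 'dc' not allowed" in the log above. The function names and the sample files are constructed for illustration.

```shell
# Added example: pre-flight check to run before `kdb5_ldap_util ... create`.
# Function names and sample files are constructed for illustration.

# Print "section|value" for each ldap_kerberos_container_dn in a krb5.conf.
container_dns() {
    awk '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        /^[ \t]*ldap_kerberos_container_dn[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)                       # tolerate quoted values
            print sec "|" val
        }' "$1"
}

# Attribute type of the leading (leftmost) RDN of a DN, lower-cased.
rdn_type() {
    printf '%s\n' "${1%%=*}" | tr -d ' ' | tr '[:upper:]' '[:lower:]'
}

# Returns 0 if every container DN starts with cn=, 1 if at least one does
# not, 2 if the setting is absent from the file.
check_krb5_conf() {
    status=2
    while IFS='|' read -r sec dn; do
        [ -n "$dn" ] || continue
        if [ "$status" -eq 2 ]; then status=0; fi
        attr=$(rdn_type "$dn")
        if [ "$attr" = cn ]; then
            echo "OK   [$sec] $dn"
        else
            echo "FAIL [$sec] $dn (leading RDN '$attr', expected cn)"
            status=1
        fi
    done <<EOF
$(container_dns "$1")
EOF
    return "$status"
}

# Constructed sample files: the setting before and after the change above.
tmp=$(mktemp -d)
printf '[dbdefaults]\n\tldap_kerberos_container_dn = dc=example,dc=com\n' > "$tmp/before.conf"
printf '[dbdefaults]\n\tldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com\n' > "$tmp/after.conf"
check_krb5_conf "$tmp/before.conf" || echo "fix krb5.conf before creating the realm"
check_krb5_conf "$tmp/after.conf"
rm -rf "$tmp"
```

On a real host the argument would be /etc/krb5.conf; a non-zero exit status means the realm creation step should not be run yet.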
[Touch-packages] [Bug 1363897] Re: kdb5_ldap_util can not create krbContainer
I've submitted a documentation bug report here:
https://bugs.launchpad.net/serverguide/+bug/1409392