Problem with Kerberos5 using LDAP backend

March 06th, 2012 - 07:40 am ET by Arturo Borrero Gonzalez
Hi there!

I'm using the package krb5-kdc-ldap to run my Kerberos with an LDAP backend.
I've followed the Debian and Ubuntu documentation and I find some
issues I can't solve:

· I fill the LDAP tree using "kdb5_ldap_util" as shown in the
documentation. The LDAP server is correctly written to.
· The stashes are created, with the necessary credentials.
· When initializing the admin interface with kadmin.local, I get:

kadmind[26023](Error): Can not fetch master key (error: Cannot
find/read stored master key). while initializing, aborting

The same happens when starting the service from /etc/init.d. In both cases, the
LDAP server is read heavily:

krb5kdc: Can not fetch master key (error: Cannot find/read stored
master key). - while fetching master key K/M for realm EXAMPLE.ES

So, I think the options are:
1) In the LDAP server some information is missing (a bug in kdb5_ldap_util?)
2) There is something I don't understand in the procedure.

My config is:

##################
cat /etc/krb5.conf

[libdefaults]
        default_realm = EXAMPLE.ES
        # the relation is spelled "forwardable"; a misspelling such as
        # "forwadable" is silently ignored by libkrb5 and never takes effect
        forwardable = true
        proxiable = true

[realms]

        EXAMPLE.ES = {
                kdc = krb-krb.example.es
                admin_server = krb-krb.example.es
                default_domain = example.es
                database_module = openldap_ldapconf
        }

[domain_realm]
        .example.es = example.ES
        example.es = example.ES

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log

[dbdefaults]
        ldap_kerberos_container_dn = ou=krb5,dc=example,dc=es

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=es"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=es"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldap://krb-ldap.example.es
                ldap_conns_per_server = 5
        }

##################

cat /etc/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    example.ES = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/service.keyfile
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:$
        default_principal_flags = +preauth
    }


######################

kadmin.local debug output (strace), on pastebin because there are a lot of lines:
http://pastebin.com/h7fLYFKD

Any idea?

Best regards.

/* Arturo Borrero Gonzalez || cer.inet@linuxmail.org */
/* Use debian gnu/linux! Best OS ever! */


To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAPfcJauewO...D7Jrv_eV3Q@mail.gmail.com
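Added example, not code from the post, from the replies or from the krb5 project: a small Python lint that parses the krb5 profile format and runs the checks a reviewer would run over the two files posted above. It flags realm names that differ from default_realm only by case (realm names are case-sensitive, which is also the point reply #1 raises), relations in [libdefaults] that libkrb5 would silently ignore (a misspelling such as "forwadable"), the collision between key_stash_file and ldap_service_password_file (the posted kdc.conf and krb5.conf point both at /etc/krb5kdc/service.keyfile, but the LDAP bind-password stash written by kdb5_ldap_util stashsrvpw and the master-key stash written by kdb5_ldap_util create -s are different files in different formats, and that is the first thing to check when the KDC reports "Cannot find/read stored master key"), and single-DES entries in supported_enctypes. The embedded sample pair is constructed after the posted files and shortened; the allowlist of [libdefaults] names is partial, so it may flag legitimate but uncommon options.

```python
"""Added example: lint a krb5.conf / kdc.conf pair for the problems visible in
the posted configuration.  Sample configs below are constructed, not the poster's."""
import re

# Partial allowlist of [libdefaults] relations from the MIT krb5.conf manual.
# libkrb5 silently ignores unknown relations, so a misspelled tag is not an
# error, it is just a setting that never takes effect.
KNOWN_LIBDEFAULTS = {
    "default_realm", "forwardable", "proxiable", "ticket_lifetime", "renew_lifetime",
    "dns_lookup_kdc", "dns_lookup_realm", "rdns", "default_ccache_name", "clockskew",
    "default_keytab_name", "default_tgs_enctypes", "default_tkt_enctypes", "canonicalize",
    "permitted_enctypes", "allow_weak_crypto", "kdc_timesync", "udp_preference_limit",
    "noaddresses", "verify_ap_req_nofail",
}
SINGLE_DES = re.compile(r"^des(-cbc-(crc|md4|md5)|-hmac-sha1)?$")  # single-DES enctype names


def parse_krb5_conf(text):
    """[section] headers, 'tag = value' relations and 'tag = { ... }' subsections -> nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if line == "}" and len(stack) > 1:
            stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m or not stack:
            continue
        tag, val = m.group(1), m.group(2).strip()
        if val == "{":
            stack.append(stack[-1].setdefault(tag, {}))
        else:
            stack[-1].setdefault(tag, val.strip('"'))  # first value wins, as in libkrb5
    return root


def lint(krb5_text, kdc_text):
    krb5, kdc = parse_krb5_conf(krb5_text), parse_krb5_conf(kdc_text)
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    out = []
    # Realm names are case-sensitive: a section or mapping spelled 'example.ES'
    # refers to a different realm than 'EXAMPLE.ES' and is never consulted for it.
    def case_mismatch(name):
        return name != realm and name.upper() == realm.upper()
    for src, prof in (("krb5.conf", krb5), ("kdc.conf", kdc)):
        for name in prof.get("realms", {}):
            if case_mismatch(name):
                out.append(f"REALM-CASE {src}: [realms] '{name}' != default_realm '{realm}'")
    for dom, target in krb5.get("domain_realm", {}).items():
        if isinstance(target, str) and case_mismatch(target):
            out.append(f"REALM-CASE krb5.conf: [domain_realm] {dom} -> '{target}' != '{realm}'")
    for tag in krb5.get("libdefaults", {}):
        if tag not in KNOWN_LIBDEFAULTS:
            out.append(f"UNKNOWN-TAG krb5.conf: [libdefaults] '{tag}' is not a known relation (typo?)")
    # The LDAP bind-password stash written by 'kdb5_ldap_util stashsrvpw' and the
    # master-key stash written by 'kdb5_ldap_util create -s' are different files
    # in different formats; pointing both options at one path clobbers one of them.
    svc_files = {m.get("ldap_service_password_file") for m in krb5.get("dbmodules", {}).values()
                 if isinstance(m, dict) and m.get("db_library") == "kldap"}
    for name, sect in kdc.get("realms", {}).items():
        if not isinstance(sect, dict):
            continue
        stash = sect.get("key_stash_file")
        if stash and stash in svc_files:
            out.append(f"STASH-COLLISION kdc.conf: realm '{name}' key_stash_file and "
                       f"ldap_service_password_file are both {stash}")
        for tok in sect.get("supported_enctypes", "").split():
            if SINGLE_DES.match(tok.split(":", 1)[0]):
                out.append(f"WEAK-ENCTYPE kdc.conf: realm '{name}' lists single-DES enctype '{tok}'")
    return out


# Constructed sample pair, shortened from the posted files (not the poster's own).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ES
    forwadable = true
[domain_realm]
    .example.es = example.ES
    example.es = example.ES
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }
"""
SAMPLE_KDC_CONF = """
[realms]
    example.ES = {
        key_stash_file = /etc/krb5kdc/service.keyfile
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal des-cbc-crc:normal des:v4
    }
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_KRB5_CONF, SAMPLE_KDC_CONF)))
```

Run it against the real files with `lint(open("/etc/krb5.conf").read(), open("/etc/krb5kdc/kdc.conf").read())`; an empty list means none of the four checks fired. The parser deliberately keeps the first value for a duplicated tag, matching how libkrb5 resolves relations, so a second `key_stash_file` lower in a section does not hide the first.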
Replies

#1 emmanuel segura
March 06th, 2012 - 08:20 am ET

try to change
==
[domain_realm]
.example.es = example.ES
example.es = example.ES
==
to
==
[domain_realm]
.example.es = EXAMPLE.ES
example.es = EXAMPLE.ES


--
this is my life and I live it as long as God wills


#2 Arturo Borrero Gonzalez
March 06th, 2012 - 10:20 am ET
2012/3/6 emmanuel segura:
> try to change
> ==
> [domain_realm]
>        .example.es = example.ES
>        example.es = example.ES
> ==
> to
> ==
> [domain_realm]
>        .example.es = EXAMPLE.ES
>        example.es = EXAMPLE.ES


Hi there!

That isn't the problem. It is in lower case because I used
find & replace to hide my domain, but in the original file it is in upper
case.

Best regards.

/* Arturo Borrero Gonzalez || */
/* Use debian gnu/linux! Best OS ever! */

