Forgetting something? krb5kdc: No such file or directory - while initializing database for realm COMCAST.COM

Wed, 11 Mar 2009 11:16:58 -0700 

I am trying to start up a freshly installed/configured MIT kerberos
(1.6.1-31) implementation, but I am obviously missing something.  I am using
an LDAP backend, but the service will not start. Here is what I have done,
can anyone see something I am missing? Or know of a way I can get more
logging?  Thanks.

1. Modified /var/kerberos/krb5kdc/krb.conf to set up the realm

2. Modified /etc/krb5.conf to include ldap information:
[dbdefaults]
 ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
  ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
  # this object needs to have read rights on
  # the realm container, principal container and realm sub-trees
  ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
  # this object needs to have read and write rights on
  # the realm container, principal container and realm sub-trees
  ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.keyfile
  ldap_servers = ldap://kdc01.security.lab.comcast.net
  ldap_conns_per_server = 5
 }

3. Created the ldap users (kadmin, kdc)

4. Initialized the ldap backed with kdb5_ldap_util ( kdb5_ldap_util -H
ldap://10.252.152.78 -D 'cn=manager,dc=comcast,dc=com' create -subtrees
'dc=comcast,dc=com' -r COMCAST.NET ­s)

5. Stased kadmin and kdc passwords in /var/kerberos/krb5kdc/kdc5.keyfile
using kdb5_ldap_util (kdb5_ldap_util stashsrvpw -f
/var/kerberos/krb5kdc/kdc5.keyfile 'cn=kadmin,dc=comcast,dc=com')

6. Modified ldap ACL as according to
http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html but with
my kadmin/kdc name and my dn
(using ldap 2.4.15 ­ with new cn=config)
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to attrs=userPassword,userPKCS12 by self write
           by * read
olcAccess: to dn.subtree="dc=comcast,dc=com" by
dn.exact="cn=kdc,dc=comcast,dc=com" read
           by dn.exact="cn=kadmin,dc=comcast,dc=com" write
           by * none
olcAccess: to dn.subtree="cn=COMCAST.COM,cn=krbcontainer,dc=comcast,dc=com"
by dn.exact="cn=kdc,dc=comcast,dc=com" read
           by dn.exact="cn=kadmin,dc=comcast,dc=com" write
           by * none
olcAccess: to * by * read

7. Confirmed I can ldapsearch with kadmin and kdc ldap users

8. Tried to start krb5kdc - /etc/init.d/krb5kdc start:
[r...@kdc01 krb5kdc]# /etc/init.d/krb5kdc start
Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm COMCAST.COM - see
log file for details
                                                           [FAILED]
[r...@kdc01 krb5kdc]# cat /var/log/krb5kdc.log
krb5kdc: No such file or directory - while initializing database for realm
COMCAST.COM

Any ideas?  Thanks for any help.

-- 
MAT

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to