Hi there,
I am having trouble configuring a machine to work with Kerberos and OpenDS.
I will describe the architecture to you, then post the configuration and then
the logs.
- *Architecture*
I am running Kerberos and OpenDS on the same machine, RHEL 5.7, named
ldapserver
- *Configuration*
*krb5.conf*
[libdefaults]
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = ldapserver.mydomain.com
admin_server = ldapserver.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
[logging]
kdc = FILE=/var/log/krb5kdc.log
admin_server = FILE=/var/log/kadm5.log
*kdc.conf*
[kdcdefaults]
kdc_ports = 88, 750
[realms]
MYDOMAIN.COM = {
profile = /etc/krb5.conf
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = /usr/local/var/krb5kdc//kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
}
*kadmin.local: getprincs*
K/[email protected]
host/ldapserver@MYDOMAIN.COM
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
[email protected]
krbtgt/[email protected]
ldap/[email protected]
[email protected]
root/[email protected]
*# klist -k /usr/local/var/krb5kdc/kadm5.keytab*
Keytab name: FILE:/usr/local/var/krb5kdc/kadm5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 kadmin/[email protected]
6 kadmin/[email protected]
6 kadmin/[email protected]
6 kadmin/[email protected]
6 kadmin/[email protected]
6 kadmin/[email protected]
6 kadmin/[email protected]
6 kadmin/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
*# klist -k /root/opends/config/opends.keytab*
Keytab name: FILE:/root/opends/config/opends.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/[email protected]
3 host/[email protected]
3 host/[email protected]
3 host/[email protected]
========================================================================================================
Then, I run kinit kerberos-test:
*# kinit kerberos-test*
Password for [email protected]:
[root@ldapserver etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
02/20/12 19:23:29 02/21/12 03:23:29 krbtgt/[email protected]
renew until 02/21/12 19:23:29
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
========================================================================================================
*# ldapsearch -h ldapserver.mydomain.com -p 389 -o mech=GSSAPI -o authid="[email protected]" -b "dc=example,dc=com" -s base "(objectClass=*)"*
Password for user '[email protected]':
An error occurred while attempting to perform GSSAPI authentication to the
Directory Server: PrivilegedActionException(null:-2) Result Code: 82
(Local Error)
*And this is the log in /var/log/krb5kdc.log*
Feb 20 19:26:13 ldapserver krb5kdc[15295](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: ISSUE: authtime 1329762373, etypes {rep=23 tkt=18 ses=23}, [email protected] for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Feb 20 19:26:13 ldapserver krb5kdc[15295](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: UNKNOWN_SERVER: authtime 0, kerberos-test@MYDOMAIN.COM for ldap/[email protected], Server not found in Kerberos database
What am I missing? I have OpenDS configured to use the file
opends.keytab, which contains info on the KDC server, but it seems not to be
able to find it.
Can anyone help me solve this? I will be glad to provide any inputs on
this.
Note that the domain name mydomain.com and the realm MYDOMAIN.COM are
fictitious but consistent with my configuration.
Many thanks in advance.
Best regards
Tiago Pires
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
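The KDC log above ends with UNKNOWN_SERVER for a service principal of the form ldap/<host>@REALM, which is the principal a GSSAPI client derives from the LDAP server's host name. A quick way to check such a setup is to compare what the client will ask for against what the KDC database and the server's keytab actually hold. The following Python script is an added example, not part of the original post or of OpenDS; the `klist -k` and `getprincs` outputs embedded in it are constructed samples built around the fictitious host and realm from the post, not the poster's real keytab or database.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k <keytab>` output (hypothetical content).
SAMPLE_KLIST_K = """Keytab name: FILE:/root/opends/config/opends.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldapserver.mydomain.com@MYDOMAIN.COM
   3 host/ldapserver.mydomain.com@MYDOMAIN.COM
   3 host/ldapserver.mydomain.com@MYDOMAIN.COM
   3 host/ldapserver.mydomain.com@MYDOMAIN.COM
"""

# Constructed sample of `kadmin.local -q getprincs` output (hypothetical content).
SAMPLE_GETPRINCS = """K/M@MYDOMAIN.COM
host/ldapserver.mydomain.com@MYDOMAIN.COM
kadmin/admin@MYDOMAIN.COM
kadmin/changepw@MYDOMAIN.COM
krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
kerberos-test@MYDOMAIN.COM
"""


def parse_klist_k(text):
    """Map each principal in `klist -k` output to the set of KVNOs stored for it.

    Header and separator lines carry no leading integer and are skipped;
    the same principal appears once per encryption type, hence the set.
    """
    entries = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)


def parse_getprincs(text):
    """Collect the principal names listed by kadmin's getprincs."""
    return {line.strip() for line in text.splitlines() if "@" in line}


def gssapi_service_principal(service, fqdn, realm):
    """The principal a GSSAPI client requests from the KDC: service/host@REALM.

    Clients use the canonical, lower-cased host name, so a keytab entry for a
    short or differently cased name will not be matched.
    """
    return f"{service}/{fqdn.lower()}@{realm}"


def check_service_principal(service, fqdn, realm, keytab_text, princs_text):
    """Return (wanted_principal, problems) for a GSSAPI bind to service/fqdn.

    An empty problems list means the KDC can issue a service ticket for the
    principal and the server holds a key to decrypt it.
    """
    wanted = gssapi_service_principal(service, fqdn, realm)
    keytab = parse_klist_k(keytab_text)
    db = parse_getprincs(princs_text)
    problems = []
    if wanted not in db:
        # This is the condition the KDC reports as UNKNOWN_SERVER.
        problems.append(f"KDC database has no principal {wanted}")
    if wanted not in keytab:
        problems.append(f"keytab lacks {wanted}; it holds: {sorted(keytab)}")
    return wanted, problems


if __name__ == "__main__":
    for service in ("ldap", "host"):
        wanted, problems = check_service_principal(
            service, "ldapserver.mydomain.com", "MYDOMAIN.COM",
            SAMPLE_KLIST_K, SAMPLE_GETPRINCS)
        status = "OK" if not problems else "; ".join(problems)
        print(f"{wanted}: {status}")
```

On a live system the two sample strings would be replaced with the real output of `klist -k <keytab>` and `kadmin.local -q getprincs`, run as root on the KDC host. The check deliberately separates the two failure modes: a principal missing from the KDC database produces the UNKNOWN_SERVER entry in krb5kdc.log before the server is ever contacted, whereas a principal present in the database but absent from (or at a stale KVNO in) the server's keytab fails later, on the server side, when it tries to decrypt the service ticket.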