Try to change

==========================
[domain_realm]
.example.es = example.ES
example.es = example.ES
==========================

to

==========================
[domain_realm]
.example.es = EXAMPLE.ES
example.es = EXAMPLE.ES
==========================
On 06 March 2012 13:31, Arturo Borrero Gonzalez <cer.i...@linuxmail.org> wrote:
> Hi there!
>
> I'm using the package krb5-kdc-ldap to use my kerberos with LDAP backend.
> I've followed the debian and ubuntu documentation and I find some
> issues I can't solve:
>
> · I fill the LDAP tree using the "kdb5_ldap_util" as seen in
> documentation. The LDAP server is correctly written.
> · The stash are created, with the necessary credentials.
> · When initializing the admin interface, with kadmin.local, I get:
>
> kadmind[26023](Error): Can not fetch master key (error: Cannot
> find/read stored master key). while initializing, aborting
>
> The same when starting the service in /etc/init.d. In both cases, the
> LDAP server is strongly read:
>
> krb5kdc: Can not fetch master key (error: Cannot find/read stored
> master key). - while fetching master key K/M for realm EXAMPLE.ES
>
> So, I think the options are:
> 1) In the LDAP server some information is missing (a bug in
> kdb5_ldap_util?)
> 2) There is something I don't understand in the procedure.
>
> My config is:
>
> ##################
> cat /etc/krb5.conf
>
> [libdefaults]
>   default_realm = EXAMPLE.ES
>   forwardable = true
>   proxiable = true
>
> [realms]
>   EXAMPLE.ES = {
>     kdc = krb-krb.example.es
>     admin_server = krb-krb.example.es
>     default_domain = example.es
>     database_module = openldap_ldapconf
>   }
>
> [domain_realm]
>   .example.es = example.ES
>   example.es = example.ES
>
> [login]
>   krb4_convert = true
>   krb4_get_tickets = false
>
> [logging]
>   kdc = FILE:/var/log/kerberos/krb5kdc.log
>   admin_server = FILE:/var/log/kerberos/kadmin.log
>   default = FILE:/var/log/kerberos/krb5lib.log
>
> [dbdefaults]
>   ldap_kerberos_container_dn = ou=krb5,dc=example,dc=es
>
> [dbmodules]
>   openldap_ldapconf = {
>     db_library = kldap
>     ldap_kdc_dn = "cn=admin,dc=example,dc=es"
>
>     # this object needs to have read rights on
>     # the realm container, principal container and realm sub-trees
>     ldap_kadmind_dn = "cn=admin,dc=example,dc=es"
>
>     # this object needs to have read and write rights on
>     # the realm container, principal container and realm sub-trees
>     ldap_service_password_file = /etc/krb5kdc/service.keyfile
>     ldap_servers = ldap://krb-ldap.example.es
>     ldap_conns_per_server = 5
>   }
>
> ##################
>
> cat /etc/krb5kdc/kdc.conf
>
> [kdcdefaults]
>   kdc_ports = 750,88
>
> [realms]
>   example.ES = {
>     database_name = /var/lib/krb5kdc/principal
>     acl_file = /etc/krb5kdc/kadm5.acl
>     key_stash_file = /etc/krb5kdc/service.keyfile
>     kdc_ports = 750,88
>     max_life = 10h 0m 0s
>     max_renewable_life = 7d 0h 0m 0s
>     master_key_type = des3-hmac-sha1
>     supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:$
>     default_principal_flags = +preauth
>   }
>
> ######################
>
> kadmin.local debug (strace). In pastebin because there are a lot of lines:
> http://pastebin.com/h7fLYFKD
>
> Any idea?
>
> Best regards.
>
> --
> /* Arturo Borrero Gonzalez || cer.i...@linuxmail.org */
> /* Use debian gnu/linux! Best OS ever! */

--
this is my life and I live it as long as God wills
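The realm in the quoted configs is spelled both EXAMPLE.ES and example.ES, and MIT Kerberos realm names are case-sensitive. The following checker is an added example, not code from the thread or from the krb5 project: it parses the realm references out of both files (the samples are constructed from the lines quoted above) and reports every realm whose spellings differ only by case, in whichever file and section they occur.

```python
import re
from collections import defaultdict

# Constructed sample: the realm lines of the krb5.conf and kdc.conf quoted in
# the thread, which spell the realm as both EXAMPLE.ES and example.ES.
KRB5_CONF = """[libdefaults]
default_realm = EXAMPLE.ES
[realms]
EXAMPLE.ES = {
 kdc = krb-krb.example.es
}
[domain_realm]
.example.es = example.ES
example.es = example.ES
"""
KDC_CONF = """[realms]
example.ES = {
 key_stash_file = /etc/krb5kdc/service.keyfile
}
"""

def realm_names(text):
    """Yield (section, realm) for each realm reference in a krb5 profile."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue  # e.g. the bare "}" closing a realm stanza
        if section == "realms" and value == "{":
            yield section, key          # stanza name is the realm
        elif section == "libdefaults" and key == "default_realm":
            yield section, value
        elif section == "domain_realm":
            yield section, value        # host/domain -> realm mapping

def case_mismatches(*profiles):
    """Realm names are case-sensitive: a realm spelled two ways is defined
    under one name and looked up under another. Return {UPPER: refs}."""
    refs = defaultdict(set)
    for filename, text in profiles:
        for section, realm in realm_names(text):
            refs[realm.upper()].add((filename, section, realm))
    return {canon: sorted(r) for canon, r in refs.items()
            if len({spelling for _, _, spelling in r}) > 1}
```

Running `case_mismatches(("krb5.conf", KRB5_CONF), ("kdc.conf", KDC_CONF))` on the samples reports EXAMPLE.ES with its four conflicting references, including the kdc.conf [realms] stanza, not only the [domain_realm] mapping the reply points at.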