Kerberos+LDAP: kadmin.local and kadmin show different principals

Hi,

I'm trying to configure an Ubuntu system with MIT Kerberos (v1.8.1), with LDAP as the storage back-end (Sun OpenDS v2.2.1).  I see a very odd behavior, where my host entries only show up when I list principals using 'kadmin.local', but not when I use 'kadmin'.  From what I read, the two should behave identically if kadmin.local uses the same principal to connect.

Here's what I see from the two tools.  Notice the "host/..." principal in the kadmin.local case.

root@hydrogen:/etc/krb5kdc# kadmin -p nick/admin
Authenticating as principal nick/admin with password.
Password for nick/admin@EXAMPLE.NET: 
kadmin:  list_principals
ben@EXAMPLE.NET
nick@EXAMPLE.NET
nick/admin@EXAMPLE.NET
K/M@EXAMPLE.NET
krbtgt/EXAMPLE.NET@EXAMPLE.NET
kadmin/admin@EXAMPLE.NET
kadmin/changepw@EXAMPLE.NET
kadmin/history@EXAMPLE.NET
kadmin/hydrogen@EXAMPLE.NET
kadmin:  ^D

root@hydrogen:/etc/krb5kdc# kadmin.local -p nick/admin
Authenticating as principal nick/admin with password.
kadmin.local:  list_principals
host/myhost.example.net@EXAMPLE.NET        <=== Not listed above
ben@EXAMPLE.NET
nick@EXAMPLE.NET
nick/admin@EXAMPLE.NET
K/M@EXAMPLE.NET
krbtgt/EXAMPLE.NET@EXAMPLE.NET
kadmin/admin@EXAMPLE.NET
kadmin/changepw@EXAMPLE.NET
kadmin/history@EXAMPLE.NET
kadmin/hydrogen@EXAMPLE.NET
kadmin.local:  ^D

When I look at the LDAP logs, the two commands behave quite differently.  My realm has two search trees:

root@hydrogen:/etc/krb5kdc# kdb5_ldap_util -D "cn=directory manager" view
Password for "cn=directory manager":
               Realm Name: EXAMPLE.NET
                  Subtree: ou=computers,dc=example,dc=net
                  Subtree: ou=users,dc=example,dc=net

From looking at the LDAP logs, it looks like kadmin never even queries the first subtree shown above.

Does kadmin expect different parameters to be set in krb5.conf than kadmin.local would?  The man page implies the two behave very similarly.

Any advice welcome.  I'm really pretty stumped, though I'm also a pretty novice Kerberos admin.

thanks,
-Nick


nick7066, 1/13/2011 5:18:34 AM, comp.protocols.kerberos

0 Replies, 1107 Views
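Added example, not part of the original post: a small diagnostic that parses the two session transcripts in the post's own format (prompt, password and banner lines skipped, the `<===` annotation ignored) together with the `kdb5_ldap_util view` output, and reports which principals the remote kadmin path does not return and which subtrees the realm is configured with. The transcripts below are constructed from the shape of the post above.

```python
"""Compare kadmin vs. kadmin.local principal listings against the realm's
LDAP subtree list, to localise a discrepancy like the one reported above."""
import re

# Constructed session transcripts, shaped like the ones in the post.
KADMIN_REMOTE = """\
Authenticating as principal nick/admin with password.
Password for nick/admin@EXAMPLE.NET:
kadmin:  list_principals
ben@EXAMPLE.NET
nick/admin@EXAMPLE.NET
kadmin/admin@EXAMPLE.NET
kadmin:  ^D
"""

KADMIN_LOCAL = """\
Authenticating as principal nick/admin with password.
kadmin.local:  list_principals
host/myhost.example.net@EXAMPLE.NET        <=== Not listed above
ben@EXAMPLE.NET
nick/admin@EXAMPLE.NET
kadmin/admin@EXAMPLE.NET
kadmin.local:  ^D
"""

KDB5_VIEW = """\
Password for "cn=directory manager":
               Realm Name: EXAMPLE.NET
                  Subtree: ou=computers,dc=example,dc=net
                  Subtree: ou=users,dc=example,dc=net
"""

# A prompt line is exactly "kadmin:" or "kadmin.local:" followed by space;
# matching on the bare word "kadmin" would wrongly drop kadmin/admin@REALM.
PROMPT_RE = re.compile(r"^kadmin(\.local)?:\s")
PRINCIPAL_RE = re.compile(r"^([^\s@]+@[A-Za-z0-9.-]+)")


def parse_principals(transcript):
    """Return the set of principal names listed in a kadmin session."""
    found = set()
    for line in transcript.splitlines():
        line = line.strip()
        if not line or PROMPT_RE.match(line):
            continue
        if line.startswith(("Authenticating as", "Password for")):
            continue
        m = PRINCIPAL_RE.match(line)  # drops trailing annotations
        if m:
            found.add(m.group(1))
    return found


def parse_subtrees(view_output):
    """Return (realm, [subtree DNs]) from kdb5_ldap_util view output."""
    realm, subtrees = None, []
    for line in view_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Realm Name":
            realm = value.strip()
        elif key == "Subtree":
            subtrees.append(value.strip())
    return realm, subtrees


def local_only(remote_transcript, local_transcript):
    """Principals that kadmin.local returns but the remote kadmin does not."""
    return sorted(parse_principals(local_transcript)
                  - parse_principals(remote_transcript))


def report(remote_transcript, local_transcript, view_output):
    realm, subtrees = parse_subtrees(view_output)
    missing = local_only(remote_transcript, local_transcript)
    lines = [f"realm {realm}: {len(subtrees)} subtree(s) configured"]
    lines += [f"  subtree {dn}" for dn in subtrees]
    if missing:
        lines.append(f"{len(missing)} principal(s) returned by kadmin.local only:")
        lines += [f"  {p}" for p in missing]
    else:
        lines.append("both tools return the same principal set")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(KADMIN_REMOTE, KADMIN_LOCAL, KDB5_VIEW))
```

Principals that show up only in the local listing point at the subtree the remote path is not searching; the follow-up check a defender would make is whether the bind DN kadmind uses can read that subtree at all, since a directory access-control gap shows up as silently empty results rather than an error.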
