Re: create principals fails



Yes, of course.
But I think I have to offer you some further information.

The Kerberos authentication worked before I wanted OpenLDAP as back-end. Then I wanted to switch to the OpenLDAP back-end without setting up a clear system...
....
The subtree is OK. <-- in the DIT.
The conf files are OK. I hope so!
slapd.conf modified for Kerberos. I think this is not the problem, either.
stashpw generated. <-- file is there with both pws.

-no service is started-

Now I want to create with the command
kadmin.local
a root user.
But it fails with
Authenticating as principal root/admin@LOCAL with password.
kadmin.local: Server error while initializing kadmin.local interface
When I now switch the krb5.conf to the old one, I can start kadmin.local and I can start the services. But when I now try to start the kadmin interface, there is no root (admin) user in the DIT with which I can authenticate.
I don't know what the problem could be... :(

-------- Original Message --------
Date: Mon, 23 Nov 2009 14:20:24 +0100
From: "kai plückhahn" <derplueck@xxxxxx>
To: kerberos@xxxxxxx
Subject: create principals fails

I often read this question, but have never seen an answer.
I want to have OpenLDAP as a back-end to Kerberos.
- kerberos 5
- openldap 2.4

I could create the subtree in the DIT. But when I try to create principals
with kadmin, it fails.
My first step was that I created the conf files... kdc.conf and
krb5.conf. After this I created the subtree and the stash pws with kdb5_ldap_util.
But then... creating principals with kadmin or kadmin.local fails.
In my book there is a note that I first of all have to create a local
database with kdb5_util create -s to use the kadmin.local interface without
problems...

How do I have to create the principals? Is there a trick?

I don't know. Please help me.
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
