
Re: kadmind.acl failed after transferring principals to openldap



Jay,

I've been checking my old installations where I had this problem and the
error messages are as you described.
Seems to be 2 problems - one "simple" (and the major one) was that
kadmind was not able to verify the user because it didn't find the
kadmin.acl file.
The other one (ldapsearch *no such object*) -> check your sasl-regexp.

- can you do kadmin -l ?
- did you check the localmessages from your ldap server ?
- are the sasl-regexp correct ?

Here is what I have as sasl-regexp; then the error message (no such object)
should disappear.


#
sasl-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth"
    "cn=kadmin/admin@REALM,ou=krb5accounts,dc=our,dc=domain,dc=com"


But as mentioned above, for this you have to check the localmessages
(loglevel - sasl debug).

Regards
marco
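As an added illustration (not part of the thread), the Python below reproduces how slapd reads that sasl-regexp line, including the quoting that turns `\\\+` into a literal `+`, and which peer-credential identities the rule maps to the kadmin/admin entry. The function names and the sample ldapi:// identities are constructed for the example; it also shows that with one escaping level too few the rule silently matches nothing, so the connection stays an unmapped identity with no entry behind it.

```python
import re

# Constructed sample lines (not from a real slapd.conf): GOOD_LINE is the rule
# posted above, quoted as in slapd.conf; BROKEN_LINE escapes the '+' once too little.
GOOD_LINE = (r'sasl-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth" '
             r'"cn=kadmin/admin@REALM,ou=krb5accounts,dc=our,dc=domain,dc=com"')
BROKEN_LINE = GOOD_LINE.replace(r'\\\+', r'\+')

def slapd_tokens(line):
    """Split a slapd.conf line the way slapd's config parser does: whitespace
    separates tokens, double quotes group, and a backslash makes the next
    character literal while the backslash itself is dropped."""
    tokens, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == '\\' and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append(''.join(cur))
    return tokens

def parse_rule(line):
    """Return (compiled regex, replacement DN) for a sasl-regexp/authz-regexp
    line. slapd compiles the pattern as an extended, case-insensitive regex."""
    keyword, pattern, replacement = slapd_tokens(line)
    if keyword not in ('sasl-regexp', 'authz-regexp'):
        raise ValueError('not a sasl-regexp line: ' + keyword)
    return re.compile(pattern, re.IGNORECASE), replacement

def map_auth_dn(auth_dn, rules):
    """DN slapd binds as for a SASL authentication DN, or None when no rule
    matches (an unmapped cn=auth identity has no entry and normally no read
    access, which is the 'No such object' symptom discussed in the thread)."""
    for regex, replacement in rules:
        m = regex.search(auth_dn)
        if m:
            return re.sub(r'\$(\d)', lambda g: m.group(int(g.group(1))), replacement)
    return None

# Constructed peer-credential identities as slapd builds them for ldapi:// binds.
ROOT_LDAPI = 'uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth'
USER_LDAPI = 'uidNumber=1000+gidNumber=1000,cn=peercred,cn=external,cn=auth'
```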


jay alvarez <kerber0sb0y@yahoo.com>
Sent by: owner-heimdal-discuss@sics.se
01/09/2006 01:32 AM
To: Marco Hoehle <MHO@zurich.ibm.com>, heimdal-discuss@sics.se
Subject: Re: kadmind.acl failed after transferring principals to openldap

Hi Marco,

Marco Hoehle <MHO@zurich.ibm.com> wrote:
 So set
 database = {
 acl_file = /var/heimdal/kadmin.acl
 m_key = bla
 dbname = ldap:bla ...
 }


 and check if it is working then.

 Regards
 marco

I have this section in my krb5.conf (not kdc.conf??)

[kdc]
        database = {
        acl_file = /var/heimdal/kadmind.acl
        mkey_file = /var/heimdal/m-key
        dbname  = ldap:ou=krb5accounts,dc=our,dc=domain,dc=com
        require-preauth = true
        allow-anonymous = false
#       enable-http = false
        check-ticket-addresses = true
        allow-null-ticket-addresses = false
        allow-anonymous = false
        kdc_warn_pwexpire = 7 days
        logging = SYSLOG
}

I then restarted kdc and slapd processes and still it doesn't seem to
recognize my kadmind.acl. On kdc logs I can see these last 4 lines:

Jan  9 08:25:31 ldap kadmind[35519]: jay@OUR.REALM: LIST *
Jan  9 08:25:31 ldap kadmind[35519]: LIST: ldap_search_s: No such object
Jan  9 08:25:31 ldap kadmind[35519]: jay@OUR.REAL: GET *@OUR.REALM
Jan  9 08:25:31 ldap kadmind[35519]: GET: Operation requires `get' privilege

Does the error have something to do with the second line "No such object"??
Any more ideas?

Thanks.



