From: | Ken Raeburn <raeburn@MIT.EDU> |
To: | krb5-bugs@MIT.EDU |
Subject: | useless error message from krb5kdc |
Date: | Wed, 11 Mar 2009 17:38:13 -0400 |
A minor typo in a config file caused a useless error message to be
displayed.
It probably should've said something about not finding a definition
for the database module "opeldap_ldapconf".
Begin forwarded message:
displayed.
It probably should've said something about not finding a definition
for the database module "opeldap_ldapconf".
Begin forwarded message:
Show quoted text
> From: Mathew Rowley <mathew_rowley@cable.comcast.com>
> Date: March 11, 2009 14:39:14 EDT
> To: Mathew Rowley <mathew_rowley@cable.comcast.com>,
> "kerberos@mit.edu" <kerberos@mit.edu>
> Subject: Re: Forgetting something? krb5kdc: No such file or
> directory - whileinitializing database for realm COMCAST.COM
> X-Spam-Score: -0.963
>
> My problem was actually a typo. In my realm, I had:
>
> database_module = opeldap_ldapconf
>
> Which did not match ‘opeNldap_ldapconf’
>
> MAT
>
>
>
> On 3/11/09 9:15 AM, "Mathew Rowley"
> <mathew_rowley@cable.comcast.com> wrote:
>
> --
> MAT
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> Date: March 11, 2009 14:39:14 EDT
> To: Mathew Rowley <mathew_rowley@cable.comcast.com>,
> "kerberos@mit.edu" <kerberos@mit.edu>
> Subject: Re: Forgetting something? krb5kdc: No such file or
> directory - whileinitializing database for realm COMCAST.COM
> X-Spam-Score: -0.963
>
> My problem was actually a typo. In my realm, I had:
>
> database_module = opeldap_ldapconf
>
> Which did not match ‘opeNldap_ldapconf’
>
> MAT
>
>
>
> On 3/11/09 9:15 AM, "Mathew Rowley"
> <mathew_rowley@cable.comcast.com> wrote:
>
>> I am trying to start up a freshly installed/configured MIT kerberos
>> (1.6.1-31) implementation, but I am obviously missing something. I
>> am using
>> an LDAP backend, but the service will not start. Here is what I
>> have done,
>> can anyone see something I am missing? Or know of a way I can get
>> more
>> logging? Thanks.
>>
>> 1. Modified /var/kerberos/krb5kdc/krb.conf to set up the realm
>>
>> 2. Modified /etc/krb5.conf to include ldap information:
>> [dbdefaults]
>> ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
>> [dbmodules]
>> openldap_ldapconf = {
>> db_library = kldap
>> ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
>> ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
>> # this object needs to have read rights on
>> # the realm container, principal container and realm sub-trees
>> ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
>> # this object needs to have read and write rights on
>> # the realm container, principal container and realm sub-trees
>> ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.keyfile
>> ldap_servers = ldap://kdc01.security.lab.comcast.net
>> ldap_conns_per_server = 5
>> }
>>
>> 3. Created the ldap users (kadmin, kdc)
>>
>> 4. Initialized the ldap backed with kdb5_ldap_util ( kdb5_ldap_util
>> -H
>> ldap://10.252.152.78 -D 'cn=manager,dc=comcast,dc=com' create -
>> subtrees
>> 'dc=comcast,dc=com' -r COMCAST.NET –s)
>>
>> 5. Stased kadmin and kdc passwords in /var/kerberos/krb5kdc/
>> kdc5.keyfile
>> using kdb5_ldap_util (kdb5_ldap_util stashsrvpw -f
>> /var/kerberos/krb5kdc/kdc5.keyfile 'cn=kadmin,dc=comcast,dc=com')
>>
>> 6. Modified ldap ACL as according to
>> http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html
>> but with
>> my kadmin/kdc name and my dn
>> (using ldap 2.4.15 – with new cn=config)
>> olcAccess: to dn.base="" by * read
>> olcAccess: to dn.base="cn=Subschema" by * read
>> olcAccess: to attrs=userPassword,userPKCS12 by self write
>> by * read
>> olcAccess: to dn.subtree="dc=comcast,dc=com" by
>> dn.exact="cn=kdc,dc=comcast,dc=com" read
>> by dn.exact="cn=kadmin,dc=comcast,dc=com" write
>> by * none
>> olcAccess: to
>> dn.subtree="cn=COMCAST.COM,cn=krbcontainer,dc=comcast,dc=com"
>> by dn.exact="cn=kdc,dc=comcast,dc=com" read
>> by dn.exact="cn=kadmin,dc=comcast,dc=com" write
>> by * none
>> olcAccess: to * by * read
>>
>> 7. Confirmed I can ldapsearch with kadmin and kdc ldap users
>>
>> 8. Tried to start krb5kdc - /etc/init.d/krb5kdc start:
>> [root@kdc01 krb5kdc]# /etc/init.d/krb5kdc start
>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm
>> COMCAST.COM - see
>> log file for details
>> [FAILED]
>> [root@kdc01 krb5kdc]# cat /var/log/krb5kdc.log
>> krb5kdc: No such file or directory - while initializing database
>> for realm
>> COMCAST.COM
>>
>> Any ideas? Thanks for any help.
>>
>> --
>> MAT
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>> (1.6.1-31) implementation, but I am obviously missing something. I
>> am using
>> an LDAP backend, but the service will not start. Here is what I
>> have done,
>> can anyone see something I am missing? Or know of a way I can get
>> more
>> logging? Thanks.
>>
>> 1. Modified /var/kerberos/krb5kdc/krb.conf to set up the realm
>>
>> 2. Modified /etc/krb5.conf to include ldap information:
>> [dbdefaults]
>> ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
>> [dbmodules]
>> openldap_ldapconf = {
>> db_library = kldap
>> ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
>> ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
>> # this object needs to have read rights on
>> # the realm container, principal container and realm sub-trees
>> ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
>> # this object needs to have read and write rights on
>> # the realm container, principal container and realm sub-trees
>> ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.keyfile
>> ldap_servers = ldap://kdc01.security.lab.comcast.net
>> ldap_conns_per_server = 5
>> }
>>
>> 3. Created the ldap users (kadmin, kdc)
>>
>> 4. Initialized the ldap backed with kdb5_ldap_util ( kdb5_ldap_util
>> -H
>> ldap://10.252.152.78 -D 'cn=manager,dc=comcast,dc=com' create -
>> subtrees
>> 'dc=comcast,dc=com' -r COMCAST.NET –s)
>>
>> 5. Stased kadmin and kdc passwords in /var/kerberos/krb5kdc/
>> kdc5.keyfile
>> using kdb5_ldap_util (kdb5_ldap_util stashsrvpw -f
>> /var/kerberos/krb5kdc/kdc5.keyfile 'cn=kadmin,dc=comcast,dc=com')
>>
>> 6. Modified ldap ACL as according to
>> http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html
>> but with
>> my kadmin/kdc name and my dn
>> (using ldap 2.4.15 – with new cn=config)
>> olcAccess: to dn.base="" by * read
>> olcAccess: to dn.base="cn=Subschema" by * read
>> olcAccess: to attrs=userPassword,userPKCS12 by self write
>> by * read
>> olcAccess: to dn.subtree="dc=comcast,dc=com" by
>> dn.exact="cn=kdc,dc=comcast,dc=com" read
>> by dn.exact="cn=kadmin,dc=comcast,dc=com" write
>> by * none
>> olcAccess: to
>> dn.subtree="cn=COMCAST.COM,cn=krbcontainer,dc=comcast,dc=com"
>> by dn.exact="cn=kdc,dc=comcast,dc=com" read
>> by dn.exact="cn=kadmin,dc=comcast,dc=com" write
>> by * none
>> olcAccess: to * by * read
>>
>> 7. Confirmed I can ldapsearch with kadmin and kdc ldap users
>>
>> 8. Tried to start krb5kdc - /etc/init.d/krb5kdc start:
>> [root@kdc01 krb5kdc]# /etc/init.d/krb5kdc start
>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm
>> COMCAST.COM - see
>> log file for details
>> [FAILED]
>> [root@kdc01 krb5kdc]# cat /var/log/krb5kdc.log
>> krb5kdc: No such file or directory - while initializing database
>> for realm
>> COMCAST.COM
>>
>> Any ideas? Thanks for any help.
>>
>> --
>> MAT
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> --
> MAT
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos