From krb5-bugs-incoming-bounces@PCH.mit.edu Wed May 8 14:33:18 2013
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id 0DEFE58F16;
Wed, 8 May 2013 14:33:18 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id r48IXF2C017336;
Wed, 8 May 2013 14:33:15 -0400
Received: from mailhub-dmz-3.mit.edu (MAILHUB-DMZ-3.MIT.EDU [18.9.21.42])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id r48FM6SW023358
for <krb5-bugs-incoming@PCH.mit.edu>; Wed, 8 May 2013 11:22:06 -0400
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU
[18.7.68.36])
by mailhub-dmz-3.mit.edu (8.13.8/8.9.2) with ESMTP id r48FHeAe005477
for <krb5-bugs@mit.edu>; Wed, 8 May 2013 11:22:06 -0400
X-AuditID: 12074424-b7f8c6d0000028c4-0d-518a6d9dab31
Authentication-Results: symauth.service.identifier
Received: from mail-da0-f46.google.com (mail-da0-f46.google.com
[209.85.210.46])
by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP
id 82.79.10436.D9D6A815; Wed, 8 May 2013 11:22:05 -0400 (EDT)
Received: by mail-da0-f46.google.com with SMTP id e20so1036488dak.33
for <krb5-bugs@mit.edu>; Wed, 08 May 2013 08:22:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:x-received:date:message-id:subject:from:to
:content-type; bh=kn/KKRCKjK14i9RcmZZpB5KFQEO4Q3jsaTZZneGsY0Q=;
b=VKA6FKnzIqn9qykStqHDbcsdbk7EJu/gLOIV3JlyLNouYSuY1e8yPg7qARGzBOKdY4
305RZd8K8X96csRv2UoPhXzid7qW81/CFf1HFbZLHjKkJAtFbUzxc+qhWwZRUMfLmCgV
YJDTDDmBFX7XSYts+IcM88bDhjCwuTTpTyR1GxQwMEWhFXUyjK7/e7iAtJqDt3hwIvQa
vZO+81SL3rhOXvw4D+lQBAuxEV/+ocRfmibBym9ZGVDKLlHiMIIRRQbOQAH2B22JenTe
AroEdmH2bvPYy35egcE9HE4kxELGyM6fPSQ6Xn47Y0BaZ25ha6lS52V7Ecyec+7/Z7Tk
jHSg==
MIME-Version: 1.0
X-Received: by 10.68.88.194 with SMTP id bi2mr8013111pbb.12.1368026525097;
Wed, 08 May 2013 08:22:05 -0700 (PDT)
Received: by 10.66.150.163 with HTTP; Wed, 8 May 2013 08:22:04 -0700 (PDT)
Date: Wed, 8 May 2013 17:22:04 +0200
Message-ID: <CACDPosJF_s=kp7yWSVXYmrv+Us1h+K3ScNVYU+625E2uKZ7tgQ@mail.gmail.com>
Subject: Bind DN entry missing in stash file
From: Augustin Wolf <augustynwilk@gmail.com>
To: krb5-bugs@mit.edu
Content-Type: multipart/mixed; boundary=047d7b673c7a126dfd04dc367fa5
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrDKsWRWlGSWpSXmKPExsVyMfSSnu7c3K5Ag+dLjC0aHh5nd2D0aDpz
X-Mailman-Approved-At: Wed, 08 May 2013 14:33:10 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu

--047d7b673c7a126dfd04dc367fa5
Content-Type: text/plain; charset=ISO-8859-1

>Submitter-Id: vokankh.net
>Originator: root
>Organization:
Student
>Confidential: no
>Synopsis: krb5kdc won't start
>Severity: serious
>Priority: high
>Category: krb5kdc
>Class: support
>Release: 1.10.3
>Environment:
System: Linux virtual.vokankh.net 2.6.32-279.el6.x86_64 #1 SMP Fri Jun
22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64, on VirtualBox 4.1.18

>Description:
While trying to start krb5kdc I got the error: Starting Kerberos 5
KDC: krb5kdc: cannot initialize realm VOKANKH.NET - see log file for
details.
In the log file there's a single line:
"""krb5kdc: Error reading password from stash: Bind DN entry missing
in stash file - while initializing database for realm VOKANKH.NET"""
the realm was created with:
"""kdb5_ldap_util -D "cn=krbadmin,ou=Services,dc=vokankh,dc=net"
create -sscope SUB -r VOKANKH.NET -sf
/var/kerberos/krb5kdc/vokankh_stash.keyfile -s"""
The stash file exists. After recreating the stash file with:
"""kdb5_ldap_util -D "cn=admin,dc=vokankh,dc=net" stashsrvpw -f
/var/kerberos/krb5kdc/vokankh_stash.keyfile
"cn=krbadmin,ou=Services,dc=vokankh,dc=net" """
the problem persists.
>How-To-Repeat:
On CentOS 6.3 install: krb5-server krb5-libs krb5-auth-dialog
krb5-server-ldap krb5-devel
Prepare "krb5.conf" as in the attachment, prepare "kdc.conf" as in the attachment
start krb5kdc with /etc/init.d/krb5kdc start
>Fix:
Please add possible bug fixes to the documentation.

--047d7b673c7a126dfd04dc367fa5
Content-Type: application/octet-stream; name="kdc.conf"
Content-Disposition: attachment; filename="kdc.conf"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_hggnm0p30
--047d7b673c7a126dfd04dc367fa5
Content-Type: application/octet-stream; name="krb5.conf"
Content-Disposition: attachment; filename="krb5.conf"
X-Attachment-Id: f_hggnm0q91

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = VOKANKH.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
  EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

 VOKANKH.NET = {
  kdc = virtual.vokankh.net
  master_kdc = virtual.vokankh.net
  admin_server = virtual.vokankh.net
  default_domain = vokankh.net
  database_module = ldap_vokankh
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 vokankh.net = VOKANKH.NET
 .vokankh.net = VOKANKH.NET
 virtual.vokankh.net = VOKANKH.NET
 .virtual.vokankh.net = VOKANKH.NET

[appdefaults]
pam = {
  debug = true
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

[dbmodules]
 ldap_vokankh = {
  db_library = kldap
## DN for the global Kerberos container entry
  ldap_kerberos_container_dn = ou=kerberos,ou=Services,dc=vokankh,dc=net
  ldap_kdc_dn = cn=krbadmin,ou=Services,dc=vokankh,dc=net 	## this object needs to have READ rights on the realm container, principal container and realm sub-trees
  ldap_kadmind_dn = "cn=krbadmin,ou=Services,dc=vokankh,dc=net" ## this object needs to have READ and WRITE rights on the realm container, principal container and realm sub-trees
  ldap_service_password_file = /var/kerberos/krb5kdc/vokankh_stash.keyfile
  ldap_servers = ldap://virtual.vokankh.net
  ldap_conns_per_server = 5
}
--047d7b673c7a126dfd04dc367fa5--
The krb5 config file format does not support inline comments, like you
have in the ldap_kdc_dn and ldap_kadmind_dn entries. Get rid of those
comments and see if things work.

It's probably better to send mail to kerberos@mit.edu than to file a bug
report in situations like this, where the problem is more likely to be a
misconfiguration than a bug.
From: ghudson@mit.edu
Subject: git commit

Improve LDAP password file error messages

If we cannot open the LDAP password file or cannot find the bind DN in
it, include the filename and DN in the error message.

https://github.com/krb5/krb5/commit/0a4b14260ca6a99b91558bb9fd8ecea32004a5c8
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0a4b14260ca6a99b91558bb9fd8ecea32004a5c8
Branch: master
.../kdb/ldap/libkdb_ldap/ldap_service_stash.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
Date: Wed, 8 May 2013 23:22:58 +0200
Subject: Re: [krbdev.mit.edu #7632] krb5kdc won't start
From: Augustin Wolf <augustynwilk@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Hi Greg,
Thanks for the reply.
Removing the comments from the config file didn't help. I did try to
recreate (destroy, and create again) the realm. The error in the logs is the
same. How can I turn on more precise debug messages?

Sorry for the trouble, I didn't find any bug tracker/issue tracker
for Kerberos. I would love to ask in an official forum or mailing list
if I could find one. I did try http://serverfault.com/ in the first
place. No luck though.
I found this mail address in the doc pages. If it's too much trouble and we cannot
continue with this issue, I will try the email you provided me with
and reopen it if it is a confirmed bug.
Looking forward to hearing from you,
Augustyn

On 8 May 2013 21:13, Greg Hudson via RT <rt-comment@krbdev.mit.edu> wrote:
> The krb5 config file format does not support inline comments, like you
> have in the ldap_kdc_dn and ldap_kadmind_dn entries. Get rid of those
> comments and see if things work.
>
> It's probably better to send mail to kerberos@mit.edu than to file a bug
> report in situations like this, where the problem is more likely to be a
> misconfiguration than a bug.
The only other thing I can suggest is to look at your LDAP password file
in an editor, and make sure it contains only plain-text lines like:

cn=krbadmin,ou=Services,dc=vokankh,dc=net#{HEX}hexdigits

If there is any binary data in there, you may have accidentally placed the
contents of a master key stash file there, in which case you should remove
the file and start over while making sure to keep the master key stash
file separate from the LDAP password file.

If that doesn't work, please pursue the matter via kerberos@mit.edu, which
has a wider audience, rather than continuing through the bug tracker.
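
The two checks suggested in this ticket (no inline comments on the [dbmodules] DN lines, and a service password file that is plain text and actually contains the bind DN) can be scripted. The following is an added example, not code from the krb5 project or from anyone in this thread. The config parsing is a small stand-in for libkrb5's profile library, not a reimplementation; exact string comparison of the DN, the helper names, the sample password "s3cr3t!" and the sample password files are all assumptions made for the example.

```python
"""Sanity checks for an MIT krb5 LDAP back end's bind-DN setup.

Added example, not krb5 project code. It exercises the two failure modes
raised in this ticket: a trailing '## comment' on a [dbmodules] DN line
(krb5.conf has no inline comments, so the comment becomes part of the
value) and an ldap_service_password_file that lacks the bind DN or holds
binary data (a master key stash copied there by mistake). The config
parsing below is a small stand-in for libkrb5's profile library, and the
sample config and password files are constructed for the example.
"""
import re
import string

# One entry of the LDAP service password file: <bind DN>#{HEX}<hex bytes>
HEX_LINE = re.compile(r"^(?P<dn>[^#]+)#\{HEX\}(?P<hex>[0-9A-Fa-f]+)$")
TEXT_BYTES = frozenset(string.printable.encode("ascii"))

def split_kv(raw):
    """(key, value) for a 'key = value' line, else None. Only '#' or ';'
    at the start of a line introduces a comment in a profile file."""
    line = raw.strip()
    if not line or line.startswith(("#", ";")) or "=" not in line:
        return None
    key, value = line.split("=", 1)
    return key.strip(), value.strip()

def find_inline_comments(conf_text):
    """(line number, key) for every value carrying a '#': that text is
    not a comment to the profile parser, it is part of the value."""
    issues = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        kv = split_kv(raw)
        if kv and "#" in kv[1]:
            issues.append((lineno, kv[0]))
    return issues

def get_value(conf_text, key):
    """First value for key, taken to end of line (no section tracking,
    no quote handling: a simplification of the real profile semantics)."""
    for raw in conf_text.splitlines():
        kv = split_kv(raw)
        if kv and kv[0] == key:
            return kv[1]
    return None

def check_password_file(data, bind_dn):
    """Validate ldap_service_password_file bytes for one bind DN.
    Returns (ok, message). Exact DN string comparison is this example's
    assumption; the point is that a DN carrying comment text, or a file
    holding a binary stash, can never match."""
    if any(b not in TEXT_BYTES for b in data):
        return False, ("non-text bytes present: not a DN#{HEX} password "
                       "file (master key stash copied here by mistake?)")
    for lineno, line in enumerate(data.decode("ascii").splitlines(), 1):
        if not line.strip():
            continue
        m = HEX_LINE.match(line)
        if m is None or len(m.group("hex")) % 2:
            return False, f"line {lineno}: expected DN#{{HEX}}hexdigits"
        if m.group("dn") == bind_dn:
            bytes.fromhex(m.group("hex"))  # the LDAP bind password itself
            return True, f"bind DN found on line {lineno}"
    return False, f"Bind DN entry missing in stash file for {bind_dn!r}"

# ---- constructed inputs modelled on the ticket ----------------------
BIND_DN = "cn=krbadmin,ou=Services,dc=vokankh,dc=net"

CONF_WITH_COMMENTS = """\
[dbmodules]
 ldap_vokankh = {
  db_library = kldap
  ldap_kdc_dn = cn=krbadmin,ou=Services,dc=vokankh,dc=net\t## needs READ
  ldap_kadmind_dn = cn=krbadmin,ou=Services,dc=vokankh,dc=net ## READ+WRITE
  ldap_service_password_file = /var/kerberos/krb5kdc/vokankh_stash.keyfile
 }
"""
CONF_FIXED = (CONF_WITH_COMMENTS.replace("\t## needs READ", "")
              .replace(" ## READ+WRITE", ""))

GOOD_FILE = (BIND_DN + "#{HEX}73336372337421\n").encode("ascii")  # "s3cr3t!"
OTHER_DN_FILE = b"cn=admin,dc=vokankh,dc=net#{HEX}70617373\n"      # krbadmin absent
BINARY_FILE = b"\x00\x00\x00\x12\x00\x01\xfa\x3c" + bytes(range(16))  # stand-in stash

def run_checks():
    """Run every scenario once; returns a dict keyed by scenario name."""
    commented_dn = get_value(CONF_WITH_COMMENTS, "ldap_kdc_dn")
    fixed_dn = get_value(CONF_FIXED, "ldap_kdc_dn")
    return {
        "inline_comments": find_inline_comments(CONF_WITH_COMMENTS),
        "dn_with_comment": commented_dn,
        "commented_dn_lookup": check_password_file(GOOD_FILE, commented_dn)[0],
        "fixed_dn_lookup": check_password_file(GOOD_FILE, fixed_dn)[0],
        "missing_dn": check_password_file(OTHER_DN_FILE, fixed_dn)[0],
        "binary_stash": check_password_file(BINARY_FILE, fixed_dn)[0],
    }

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

On a real KDC the inputs are the host's krb5.conf and the file named by its ldap_service_password_file setting, which kdb5_ldap_util stashsrvpw writes as in the command quoted earlier in this ticket; the master key stash (kdb5_util stash, or create -s) is a different, binary file and must be kept at a different path.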
Date: Fri, 10 May 2013 17:06:36 +0200
Subject: Re: [krbdev.mit.edu #7632] LDAP password file errors not helpful enough
From: Augustin Wolf <augustynwilk@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc:
Thank you Greg for the support, you pointed me to the solution.
I was creating and destroying the realm several times, and I'm sure I did
remove the stash file before recreating it with:
kdb5_ldap_util -D "cn=admin,dc=vokankh,dc=net" stashsrvpw -f
/var/kerberos/krb5kdc/vokankh_stash.keyfile
"cn=krbadmin,ou=Services,dc=vokankh,dc=net"
(I even have a backup of the original, so I had to remove it.)
Nevertheless I removed the stash file created with the realm, and recreated it
with the command mentioned above. And it has the required DN.
I noticed somewhere that the above command will skip creating the stash if the
file already exists, and exit without an appropriate message. Why add
functionality that will create a stash file (along with the realm) that
isn't useful for anything? Isn't it a bug?
Again thank you for the help,
Best regards,
Augustyn

On 9 May 2013 18:03, Greg Hudson via RT <rt-comment@krbdev.mit.edu> wrote:
> The only other thing I can suggest is to look at your LDAP password file
> in an editor, and make sure it contains only plain-text lines like:
>
> cn=krbadmin,ou=Services,dc=vokankh,dc=net#{HEX}hexdigits
>
> If there is any binary data in there, you may have accidentally placed the
> contents of a master key stash file there, in which case you should remove
> the file and start over while making sure to keep the master key stash
> file separate from the LDAP password file.
>
> If that doesn't work, please pursue the matter via kerberos@mit.edu, which
> has a wider audience, rather than continuing through the bug tracker.