[31174] in Kerberos
Kerberos with LDAP backend
daemon@ATHENA.MIT.EDU (Thomas Skora)
Sat May 23 15:28:57 2009
Message-ID: <6387.41.178.0.232.1243106883.squirrel@webmail.skora.net>
Date: Sat, 23 May 2009 19:28:03 -0000 (UTC)
From: "Thomas Skora" <thomas@skora.net>
To: kerberos@mit.edu

Hello all,

I've set up MIT Kerberos with OpenLDAP from Debian lenny packages
according to the instructions in the documentation. Functionally,
everything looks fine. The realm subtrees were created in the directory
and the KDC is interacting with the LDAP server, but now I'm stuck at
what seems to me to be a chicken-and-egg problem: to add principals I
need a principal with appropriate permissions. I already tried to create
such entries in LDAP by hand, but all attempts to use them ended up with
the following log lines:

May 23 20:04:28 dc krb5kdc[3287](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.1: NEEDED_PREAUTH: tskora/admin@SSOTEST.SECUNET.COM for kadmin/changepw@SSOTEST.SECUNET.COM, Additional pre-authentication required
May 23 20:04:34 dc krb5kdc[3287](info): preauth (timestamp) verify failure: No matching key in entry
May 23 20:04:34 dc krb5kdc[3287](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.1: PREAUTH_FAILED: tskora/admin@SSOTEST.SECUNET.COM for kadmin/changepw@SSOTEST.SECUNET.COM, Preauthentication failed

It seems as if the needed data is hidden among those binary attributes
which are visible in the default principals. Is this correct?

Now my question is whether I have overlooked something. Is there
something from which I can bootstrap a first principal with
administrative rights? Is there a working tool available somewhere that
could create them?

Thanks in advance,
Thomas
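
An added example, not part of the original post: a small Python parser for krb5kdc log records in the format quoted above. It rejoins the hard-wrapped lines and pairs each PREAUTH_FAILED request with the verify-failure reason logged just before it by the same KDC process (an assumption about line ordering), so a "No matching key in entry" failure can be attributed to a principal. The function names are hypothetical; the sample input is the three records from the post.

```python
import re

# Sample input: the three records from the post, still hard-wrapped by the mail client.
SAMPLE_LOG = """\
May 23 20:04:28 dc krb5kdc[3287](info): AS_REQ (7 etypes {18 17 16 23 1 3
2}) 192.168.3.1: NEEDED_PREAUTH: tskora/admin@SSOTEST.SECUNET.COM for
kadmin/changepw@SSOTEST.SECUNET.COM, Additional pre-authentication
required
May 23 20:04:34 dc krb5kdc[3287](info): preauth (timestamp) verify
failure: No matching key in entry
May 23 20:04:34 dc krb5kdc[3287](info): AS_REQ (7 etypes {18 17 16 23 1 3
2}) 192.168.3.1: PREAUTH_FAILED: tskora/admin@SSOTEST.SECUNET.COM for
kadmin/changepw@SSOTEST.SECUNET.COM, Preauthentication failed
"""

PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ krb5kdc\[(?P<pid>\d+)\]\(\w+\): (?P<msg>.*)$")
AS_REQ = re.compile(r"^AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<addr>\S+): "
                    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>[^\s,]+), ")
VERIFY = re.compile(r"^preauth \((?P<kind>\w+)\) verify failure: (?P<reason>.+)$")

def unwrap(log_text):
    """Rejoin hard-wrapped records: a line without a syslog prefix continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if PREFIX.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def failed_preauth(log_text):
    """One dict per PREAUTH_FAILED AS_REQ, with the KDC's verify-failure reason attached."""
    pending, findings = {}, []  # pending: pid -> reason waiting for its AS_REQ record
    for record in unwrap(log_text):
        m = PREFIX.match(record)
        if not m:
            continue
        verify, req = VERIFY.match(m["msg"]), AS_REQ.match(m["msg"])
        if verify:
            pending[m["pid"]] = verify["reason"]
        elif req:
            reason = pending.pop(m["pid"], None)  # consumed by the next AS_REQ from this pid
            if req["status"] == "PREAUTH_FAILED":
                findings.append({"time": m["ts"], "addr": req["addr"], "client": req["client"],
                                 "server": req["server"], "reason": reason,
                                 "etypes": [int(e) for e in req["etypes"].split()]})
    return findings

if __name__ == "__main__":
    for finding in failed_preauth(SAMPLE_LOG):
        print(finding)
```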