Re: create principals fails
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Nov 25 12:10:49 2009
From: Greg Hudson <ghudson@mit.edu>
To: "kai plückhahn" <derplueck@gmx.de>
In-Reply-To: <20091124102058.199670@gmx.net>
Date: Wed, 25 Nov 2009 12:10:27 -0500
Message-ID: <1259169027.14830.27.camel@ray>
Cc: "Kerberos@mit.edu" <kerberos@mit.edu>
On Tue, 2009-11-24 at 05:20 -0500, "kai plückhahn" wrote:
> kadmin.local: Server error while initializing kadmin.local interface

Unfortunately, as noted in previous threads (http://mailman.mit.edu/pipermail/kerberos/2009-August/015187.html), the KDC LDAP code is generating a much more informative error message, but it isn't printed due to a problem with contexts. That problem is fixed for 1.8, but that doesn't help you right now.

One workaround is to make a debugging build of the krb5 sources and step through the process with a debugger. This is painful and laborious, though. Another option is to run kadmin.local under a system call tracing tool like strace (Linux) or truss (Solaris) to see what system interactions kadmin.local made shortly before printing the error message, but that doesn't always yield helpful information.

The most common problem I've seen with using the KDC LDAP back end is in setting up the stash file containing the LDAP passwords for the DNs used by the KDC and kadmind. This filename is specified with the variable ldap_service_password_file inside the database settings. If you created it correctly, it should look like:
cn=admin,dc=directorate,dc=org#{HEX}abcde12345
where the DNs on the left should match the DNs specified in the ldap_kdc_dn and ldap_kadmind_dn variables. You say that the file is there with both passwords, but you might want to double check.

There is a different file which holds the KDB master password. This filename is specified with the variable key_stash_file inside the realm settings, and should point to a different filename. It should contain binary data. Make sure this is separate from your LDAP password stash.
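As an added illustration, not part of Greg's message or of the krb5 sources, here is a small Python checker for the stash file described above: it parses the DN#{HEX}hex-password lines, confirms that the DNs configured as ldap_kdc_dn and ldap_kadmind_dn each have a non-empty entry, and checks that key_stash_file is a separate path. The sample DNs, passwords and paths are constructed for the example.

```python
import binascii
from typing import Dict, List

# Constructed sample stash in the DN#{HEX}hex-password format the
# message describes; the DNs and passwords below are made up.
SAMPLE_STASH = """\
cn=kdc-service,dc=example,dc=org#{HEX}7365637265742d6b6463
cn=kadmin-service,dc=example,dc=org#{HEX}7365637265742d6b61646d696e
"""

def parse_service_password_file(text: str) -> Dict[str, bytes]:
    """Map each DN in the stash to its decoded password.

    Lines are "DN#{HEX}<hex>"; blank lines are ignored.  Malformed lines
    raise ValueError so a broken stash is caught here rather than
    surfacing as an opaque "Server error" from kadmin.local.
    """
    entries: Dict[str, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        dn, sep, encoded = line.rpartition("#{HEX}")
        if not sep or not dn:
            raise ValueError(f"line {lineno}: expected DN#{{HEX}}hex, got {line!r}")
        try:
            entries[dn] = binascii.unhexlify(encoded)
        except binascii.Error as exc:
            raise ValueError(f"line {lineno}: bad hex for {dn!r}: {exc}") from exc
    return entries

def check_stash(text: str, ldap_kdc_dn: str, ldap_kadmind_dn: str,
                service_password_file: str, key_stash_file: str) -> List[str]:
    """Return the problems found; an empty list means the stash looks consistent.
    DNs are compared textually (an assumption), so spell them as in kdc.conf."""
    try:
        entries = parse_service_password_file(text)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    for name, dn in (("ldap_kdc_dn", ldap_kdc_dn), ("ldap_kadmind_dn", ldap_kadmind_dn)):
        if dn not in entries:
            problems.append(f"{name} {dn!r} has no entry in the service password file")
        elif not entries[dn]:
            problems.append(f"{name} {dn!r} has an empty password")
    if service_password_file == key_stash_file:
        problems.append("key_stash_file must be a different file from ldap_service_password_file")
    return problems
```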