Hello
I have been at this for a week now, and I would really appreciate any help. I'm setting up both Kerberos and OpenLDAP on the same Ubuntu VM for testing purposes. I was following the configuration for kerberos-ldap (https://help.ubuntu.com/11.04/serverguide/C/kerberos-ldap.html) when I got this error:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap.example.com
<......entered password for cn=admin and new KDC database.....>
kdb5_ldap_util: Hostname cannot be canonicalized krb5_sname_to_principal, while adding entries to the database
I think it's something to do with the /etc/hosts file, but I'm not sure. Here are my configurations:

---------------------- kdc.conf ----------------------
[kdcdefaults]
    kdc_ports = 88
    acl_file = /usr/local/var/krb5kdc/kadm5.acl
    admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
    dict_file = /usr/local/var/krb5kdc/kadm5.dict

[realms]
    EXAMPLE.COM = {
        database_name = /usr/local/var/krb5kdc/principal
        admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
        acl_file = /usr/local/var/krb5kdc/kadm5.acl
        dict_file = /usr/local/var/krb5kdc/kadm5.dict
        key_stash_file = /usr/local/var/krb5kdc/.k5.EXAMPLE.COM
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }

---------------------- kdc.conf ----------------------
[libdefaults]
    ticket_lifetime = 2400
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com:88
        admin_server = kerberos.example.com:749
        default_domain = example.com
        database_module = openldap_ldapconf
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[dbdefaults]
    ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=admin,dc=example,dc=com"

        # this object needs to have read rights on
        # the realm container, principal container and realm sub-trees
        ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

        # this object needs to have read and write rights on
        # the realm container, principal container and realm sub-trees
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldaps://ldap.example.com
        ldap_conns_per_server = 5
    }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

---------------------- backend.example.com.ldif ----------------------
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb.la

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}0tWXk3nWCfFXeyv3cGF39KmW3Wukbgj8
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
---------------------- frontend.example.com.ldif ----------------------
# Create top-level object in domain
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organization
dc: Example
description: LDAP Example

# Admin user.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin1
description: LDAP administrator
#userPassword: aa
userPassword: {SSHA}0tWXk3nWCfFXeyv3cGF39KmW3Wukbgj8

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: {SSHA}0tWXk3nWCfFXeyv3cGF39KmW3Wukbgj8
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: admin@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000
---------------------- ldap.conf ----------------------
BASE    dc=example,dc=com
URI     ldap://ldap.example.com ldapi://ldap.example.com ldaps:// ldap.example.com
TLS_CACERT      /etc/ssl/certs/cacert.pem
SIZELIMIT       12
TIMELIMIT       15
DEREF           never
---------------------- /etc/hosts ----------------------
127.0.0.1       kerberos.example.com    kerberos
127.0.0.1       ldap.example.com        ldap
192.168.0.101   ubuntu

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
openldap-technical@openldap.org
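The check below is an added example and is not part of the original post or of the Ubuntu guide. MIT's krb5_sname_to_principal canonicalizes the machine's own hostname through the system resolver, so the usual first step when it reports that the hostname cannot be canonicalized is to confirm that the name the box calls itself resolves, that the line it resolves on carries a fully-qualified (dotted) name, and whether that name only maps to loopback. The script parses an /etc/hosts style table; HOSTS_TABLE is a constructed sample laid out like the table in the post rather than a copy of any live file, and the stand-alone run at the bottom also checks the output of hostname when that command exists.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an /etc/hosts
# style table for the properties krb5_sname_to_principal relies on when it
# canonicalizes the local hostname. HOSTS_TABLE is a constructed sample
# laid out like the table in the post (loopback aliases for the service
# names, a LAN address for the box itself).

HOSTS_TABLE='127.0.0.1 kerberos.example.com kerberos
127.0.0.1 ldap.example.com ldap
192.168.0.101 ubuntu
# comment lines and blank lines are ignored
::1 localhost ip6-localhost ip6-loopback'

# lookup NAME: print "ADDR FQDN" for the first table line that names NAME.
# FQDN is "-" when no dotted name shares that line. Returns 1 if NAME is absent.
# The here-document feeds the loop in the current shell, so return works.
lookup() {
    _name=$1
    while read -r _addr _names; do
        case "$_addr" in ''|'#'*) continue ;; esac
        for _n in $_names; do
            if [ "$_n" = "$_name" ]; then
                _fqdn=-
                for _m in $_names; do
                    case "$_m" in *.*) _fqdn=$_m; break ;; esac
                done
                printf '%s %s\n' "$_addr" "$_fqdn"
                return 0
            fi
        done
    done <<EOF
$HOSTS_TABLE
EOF
    return 1
}

# fqdn_of NAME: the dotted name on NAME's line, or "-". Returns 1 if absent.
fqdn_of() {
    _r=$(lookup "$1") || return 1
    printf '%s\n' "${_r#* }"
}

# is_loopback NAME: 0 when NAME maps to 127.x.x.x or ::1, 1 otherwise or if absent.
is_loopback() {
    _r=$(lookup "$1") || return 1
    case "${_r%% *}" in 127.*|::1) return 0 ;; *) return 1 ;; esac
}

# check_host NAME: print one verdict line; return 0 only when NAME resolves
# to a line that carries a fully-qualified name.
check_host() {
    _r=$(lookup "$1") || { printf '%s: not in hosts table\n' "$1"; return 1; }
    _a=${_r%% *}
    _f=${_r#* }
    if [ "$_f" = - ]; then
        printf '%s: resolves to %s but no fully-qualified name on that line\n' "$1" "$_a"
        return 1
    fi
    if is_loopback "$1"; then
        printf '%s: canonical name %s, but it maps only to loopback (%s)\n' "$1" "$_f" "$_a"
    else
        printf '%s: canonical name %s at %s\n' "$1" "$_f" "$_a"
    fi
    return 0
}

# Stand-alone run: the three sample names, plus this machine's own hostname
# when the hostname command is available (it may not be in the sample table).
for h in kerberos ldap ubuntu "$(hostname 2>/dev/null)"; do
    [ -n "$h" ] && { check_host "$h" || :; }
done
```

On a real box, replace the constructed HOSTS_TABLE with the contents of /etc/hosts and compare the verdict for the name printed by hostname against what hostname -f and the reverse lookup of the host's address return; a short name with no dotted alias, or a name that only maps to loopback, is the kind of inconsistency that makes canonicalization fail before kdb5_ldap_util ever talks to the LDAP server.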