[Fwd: Re: KDC {K5KEY} userPassword problem] Solved!!

[Kent Nasveschuk <knasveschuk@mbl.edu>]

Although I specified in slapd.conf on the slave servers:

moduleload              /opt/openldap-2.3.39/lib/smbk5pwd.la

I omitted:

overlay smbk5pwd

I'm guessing slapd never passed credentials to KDC, hence the (49) error
code.

1 more question, how does the smbk5pwd module handle a Kerberos password
that is expired? Is there a specific error code? I suppose I could
expire one then try it. 

2 days of wrestling with this, finally got it to work.


 
-- 
Kent L. Nasveschuk
Systems Administrator
Marine Biological Laboratory
7 MBL Street
Woods Hole, MA 02543
Tel. (508) 289-7263

--- Begin Message ---

• To: heimdal-discuss@sics.se
• Subject: Re: KDC {K5KEY} userPassword problem
• From: Buchan Milne <bgmilne@mandriva.org>
• Date: Wed, 5 Dec 2007 13:43:15 +0200
• Cc: Kent Nasveschuk <knasveschuk@mbl.edu>
• Content-disposition: inline
• In-reply-to: <4755FBA1.9050103@highlandsun.com>
• References: <1196802095.3338.92.camel@mbl2.klnc.net> <39AC5433-C805-48F0-B5AB-89BEBD6906D1@jpl.nasa.gov> <4755FBA1.9050103@highlandsun.com>
• User-agent: KMail/1.9.7

On Wednesday 05 December 2007 03:15:13 Howard Chu wrote:
> Henry B. Hotz wrote:
> > I've no experience with LDAP back-ends, but isn't that entry supposed
> > to be used by the KDC, not by slapd?  In other words isn't it an
> > issue with the KDC reading it rather than slapd reading it?
> >
> > I wouldn't think that type of entry is supposed to be usable by
> > slapd, only by the kdc.
>
> The smbk5pwd overlay (which I wrote) in OpenLDAP knows how to parse the
> keys stored in LDAP by the Heimdal KDC. Of course for it to work, the
> overlay has to actually be configured on all of the relevant slapd
> instances...

... which also requires that the user as which slapd runs on each server must 
have read access to the stash key.

Regards,
Buchan

--- End Message ---