I have been at this for a week now, and I would really appreciate any help.
I'm setting up both kerberos and openldap on the same ubuntu VM for testing purposes.
I was following the Ubuntu server guide for kerberos-ldap (https://help.ubuntu.com/11.04/serverguide/C/kerberos-ldap.html) when I got this error:
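# The guide's realm-creation command. The forum rendering broke it across three
# lines; it is one command (continuations added only for readability):
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create \
    -subtrees dc=example,dc=com -r EXAMPLE.COM -s \
    -H ldap://ldap.example.com
# Notes from review:
#  * -H ldap:// is a plain-text simple bind, so the cn=admin password goes over
#    the wire unencrypted. ldap.example.com maps to 127.0.0.1 in /etc/hosts, so
#    it stays on the host, but krb5.conf points the KDC at ldaps:// -- use the
#    same URL here (or ldapi:// on the same machine) so both paths are tested.
#  * -s writes the realm master key to key_stash_file from kdc.conf
#    (/usr/local/var/krb5kdc/.k5.EXAMPLE.COM); that file must stay root-only.
#  * "Hostname cannot be canonicalized ... krb5_sname_to_principal ... while
#    adding entries to the database": the tool derives kadmin/<host> service
#    principals from this machine's own hostname. Check that `hostname -f`
#    returns a name that resolves (/etc/hosts or DNS) before re-running.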
<......entered password for cn=admin and new KDC database.....>
kdb5_ldap_util: Hostname cannot be canonicalized krb5_sname_to_principal, while adding entries to the database
I think it's something to do with the /etc/hosts file, but I'm not sure.
Here are my configurations:
----------------------
kdc.conf
----------------------
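[kdcdefaults]
    kdc_ports = 88
    acl_file = /usr/local/var/krb5kdc/kadm5.acl
    admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
    dict_file = /usr/local/var/krb5kdc/kadm5.dict

[realms]
    EXAMPLE.COM = {
        # NOTE(review): /usr/local/var/krb5kdc is the default of a source-built
        # MIT krb5, whereas the krb5.conf in this post uses the Ubuntu package
        # path /etc/krb5kdc for the service password file. Make sure
        # kdb5_ldap_util, krb5kdc and kadmind all come from the same install and
        # read the same files.
        # database_name names the file-based (DB2) backend; with
        # db_library = kldap the principals live in LDAP, so this line should
        # be unused -- harmless, but misleading.
        database_name = /usr/local/var/krb5kdc/principal
        admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
        acl_file = /usr/local/var/krb5kdc/kadm5.acl
        dict_file = /usr/local/var/krb5kdc/kadm5.dict
        # Written by "kdb5_ldap_util create -s". It holds the master key that
        # protects every krbPrincipalKey stored in LDAP: root-owned, mode 0600.
        # (The forum rendering split this line in two.)
        key_stash_file = /usr/local/var/krb5kdc/.k5.EXAMPLE.COM
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        # NOTE(review): des-cbc-crc is single DES (56-bit key, brute-forceable)
        # and des3-hmac-sha1 is deprecated. For a new realm prefer
        #   master_key_type = aes256-cts-hmac-sha1-96
        #   supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
        # and only add a DES type if a legacy client really needs it.
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }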
----------------------
krb5.conf (labelled kdc.conf in the original post; this listing holds [libdefaults], [realms], [domain_realm] and [dbmodules], which belong in /etc/krb5.conf)
----------------------
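[libdefaults]
    # NOTE(review): MIT parses this as a delta time; a bare number is seconds,
    # so 2400 is a 40-minute ticket. If a day was intended, write 24h.
    ticket_lifetime = 2400
    default_realm = EXAMPLE.COM
    # NOTE(review): single DES (des-cbc-crc) is cryptographically broken and
    # des3-hmac-sha1 is deprecated. For a new realm either delete these two
    # lines (library default) or use aes256-cts-hmac-sha1-96
    # aes128-cts-hmac-sha1-96. Whatever is chosen must overlap with
    # supported_enctypes in kdc.conf or clients get KDC_ERR_ETYPE_NOSUPP.
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com:88
        admin_server = kerberos.example.com:749
        default_domain = example.com
        database_module = openldap_ldapconf
    }

[domain_realm]
    # Both the domain suffix and the bare domain map to the realm. The forum
    # rendering split these lines and glued "[dbdefaults]" onto the last one.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[dbdefaults]
    ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # NOTE(review): cn=admin,dc=example,dc=com is the directory rootDN
        # (olcRootDN in backend.example.com.ldif), so the KDC and kadmind bind
        # with unrestricted directory access and the service password file
        # below effectively stores the LDAP root password. The two comments
        # that follow describe the intended minimum: a read-only DN for the
        # KDC and a separate read/write DN for kadmind, each limited by
        # olcAccess to the Kerberos container.
        ldap_kdc_dn = "cn=admin,dc=example,dc=com"
        # this object needs to have read rights on
        # the realm container, principal container and realm sub-trees
        ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
        # this object needs to have read and write rights on
        # the realm container, principal container and realm sub-trees
        # Bind passwords for the DNs above, created with
        # "kdb5_ldap_util stashsrvpw"; root-only, mode 0600. Note the
        # /etc/krb5kdc path here versus /usr/local/var/krb5kdc in kdc.conf --
        # check that the daemons being started read both files.
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # ldaps:// here, while the kdb5_ldap_util command in the question used
        # ldap://. Use one scheme in both places, and make sure slapd's
        # certificate is valid for "ldap.example.com" (which /etc/hosts maps to
        # 127.0.0.1), otherwise the TLS handshake fails on hostname mismatch.
        # (The forum rendering split this line in two.)
        ldap_servers = ldaps://ldap.example.com
        ldap_conns_per_server = 5
    }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log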
----------------------
backend.example.com.ldif
----------------------
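# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
# (single line; the forum rendering split the value onto the next line)
olcModuleload: back_hdb.la

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
# NOTE(review): this rootDN is also the DN krb5.conf binds as for both
# ldap_kdc_dn and ldap_kadmind_dn, so the KDC service password file is
# effectively the directory root password. Give the KDC its own
# least-privilege DN instead.
olcRootDN: cn=admin,dc=example,dc=com
# NOTE(review): this hash is now public, and the same value is reused for
# cn=admin and uid=john in frontend.example.com.ldif. Treat it as
# compromised: generate a fresh one with slappasswd before this directory
# serves anything beyond a lab VM.
olcRootPW: {SSHA}0tWXk3nWCfFXeyv3cGF39KmW3Wukbgj8
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
# Access control: rules are tried in order, first matching "to" clause wins.
# 1) Password-bearing attributes: admin writes, anonymous may only bind
#    against them, the owner may change their own, nobody else sees them.
#    The rootDN bypasses ACLs entirely, so the "by dn=cn=admin" clauses only
#    start to matter once the KDC/kadmind bind as something other than rootDN.
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
# 2) Everything else is readable anonymously, including the Kerberos realm and
#    principal entries kdb5_ldap_util creates under dc=example,dc=com
#    (principal names, policies and per-principal metadata). krbPrincipalKey
#    is hidden by rule 1, but if anonymous enumeration of principals is a
#    concern, restrict the Kerberos container ("by users read" or a dedicated
#    rule placed before this one).
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read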
----------------------
frontend.example.com.ldif
----------------------
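# Create top-level object in domain
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organization
dc: Example
description: LDAP Example

# Admin user.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
# Fixed: the original had "cn: admin1", which does not match the RDN
# "cn=admin". slapd rejects such an add with a namingViolation ("naming
# attribute 'cn' is not present in entry"), so this record never loaded.
# (If the Ubuntu slapd package already created cn=admin at install time,
# re-adding it fails with "Already exists" instead -- presumably that entry
# is the one kdb5_ldap_util bound as.)
cn: admin
description: LDAP administrator
# NOTE(review): the commented-out plaintext below reveals what the SSHA hash
# decodes to, and the same hash is also used as olcRootPW and for uid=john.
# Rotate it with slappasswd and do not share one hash across accounts.
#userPassword: aa
userPassword: {SSHA}0tWXk3nWCfFXeyv3cGF39KmW3Wukbgj8

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
# Same hash as cn=admin and olcRootPW -- see the note above.
userPassword: {SSHA}0tWXk3nWCfFXeyv3cGF39KmW3Wukbgj8
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
# (single line; the forum rendering split the value onto the next line)
mail: admin@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000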
----------------------
ldap.conf
----------------------
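BASE dc=example,dc=com
# One URI line (the forum rendering split it); clients try the URIs in order.
# NOTE(review): an ldapi:// URI carries a percent-encoded socket path, not a
# hostname, so "ldapi://ldap.example.com" would look for a socket literally
# named ldap.example.com. "ldapi:///" selects the compiled-in default socket
# (/var/run/slapd/ldapi on Ubuntu).
URI ldap://ldap.example.com ldapi:/// ldaps://ldap.example.com
# CA that signed slapd's certificate. With the default TLS_REQCERT=demand the
# ldaps:// URI above is verified against it, so the certificate's subject/SAN
# must cover "ldap.example.com" (which /etc/hosts maps to 127.0.0.1). Do not
# "fix" a handshake failure by setting TLS_REQCERT never.
TLS_CACERT /etc/ssl/certs/cacert.pem
# NOTE(review): 12 is a very low client-side result limit; ldapsearch (and
# any libldap client inheriting these defaults) will report "Size limit
# exceeded" once more than a dozen entries match. Fine for a first test,
# confusing later.
SIZELIMIT 12
TIMELIMIT 15
DEREF never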
----------------------
/etc/hosts
----------------------
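# Loopback. The IPv4 "localhost" entry was missing (only ::1 had it); many
# tools hard-code that name, so it is added back here.
127.0.0.1 localhost
127.0.0.1 kerberos.example.com kerberos
127.0.0.1 ldap.example.com ldap
# NOTE(review): the VM's real address carries only the short name "ubuntu",
# and nothing here maps the machine's own hostname to a fully-qualified name.
# kdb5_ldap_util derives its kadmin/<host> principals from the local hostname
# via krb5_sname_to_principal -- the call named in the error -- so this is the
# most likely cause. Check `hostname -f`; if the hostname is "ubuntu", give it
# an FQDN, e.g.
#   192.168.0.101 ubuntu.example.com ubuntu
# or set the hostname to kerberos.example.com and move that name to this line.
192.168.0.101 ubuntu

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts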