error when i try to install Ldap and kerberos for Debian 9



Postby nounou » June 14th, 2018, 11:59 am

Hello,

I'm getting an error when I try to install LDAP and Kerberos for a service authentication system on Debian 9.4 stretch.
-----
I installed the following packages on the same machine (Debian 9.4 stretch):

1)- apt-get install ldap-utils slapd
2)- apt-get install krb5-admin-server krb5-kdc krb5-kdc-ldap
-----------------
When the servers launched, I had this status:

1)- /etc/init.d/slapd status ---> OK
2)- /etc/init.d/krb5-admin-server status ---> OK
3)- /etc/init.d/krb5-kdc status ---> failed!
--------------------

## I used this command, kdb5_ldap_util, to create the realm:

kdb5_ldap_util -w "123" \
-D "cn=admin,dc=exemple,dc=com" \
create \
-subtrees "dc=exemple,dc=com" \
-r "EXEMPLE.COM" \
-s \
-H ldapi:///


## And I used this command to create a stash of the password used to bind to the LDAP server. This password is used by the ldap_kdc_dn and ldap_kadmin_dn:

kdb5_ldap_util -w "123" \
-D "cn=admin,dc=exemple,dc=com" \
stashsrvpw \
-f /etc/krb5kdc/service.keyfile \
"cn=krb-admin,dc=exemple,dc=com"


---------------------------------------------------

Here is the error message:
----------------------------------------

June 13 17:27:17 debian slapd[23124]: conn=1014 fd=17 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
June 13 17:27:17 debian systemd[1]: krb5-kdc.service: Unit entered failed state.
June 13 17:27:17 debian slapd[23124]: conn=1014 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" method=128
June 13 17:27:17 debian systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
June 13 17:27:17 debian slapd[23124]: conn=1014 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" mech=SIMPLE ssf=0
June 13 17:27:17 debian slapd[23124]: conn=1014 op=0 RESULT tag=97 err=0 text=
June 13 17:27:17 debian slapd[23124]: conn=1015 fd=18 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
June 13 17:27:17 debian slapd[23124]: conn=1015 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" method=128
June 13 17:27:17 debian slapd[23124]: conn=1015 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" mech=SIMPLE ssf=0
June 13 17:27:17 debian slapd[23124]: conn=1015 op=0 RESULT tag=97 err=0 text=
June 13 17:27:17 debian slapd[23124]: conn=1015 op=1 SRCH base="cn=EXEMPLE.COM,cn=krb-admin,dc=exemple,dc=com" scope=0 deref=0 filter="(?objectClass=krb
June 13 17:27:17 debian slapd[23124]: conn=1015 op=1 SRCH attr=krbSearchScope krbSubTrees krbPrincContainerRef krbMaxTicketLife krbMaxRenewableAge k
June 13 17:27:17 debian slapd[23124]: conn=1015 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
June 13 17:27:17 debian slapd[23124]: conn=1015 op=2 UNBIND
June 13 17:27:17 debian slapd[23124]: conn=1015 fd=18 closed
June 13 17:27:17 debian slapd[23124]: conn=1014 op=1 UNBIND
June 13 17:27:17 debian slapd[23124]: conn=1014 fd=17 closed
June 13 17:27:17 debian slapd[23124]: conn=1013 op=1 UNBIND
June 13 17:27:17 debian slapd[23124]: conn=1013 fd=16 closed
June 13 17:27:17 debian slapd[23124]: conn=1012 op=1 UNBIND
June 13 17:27:17 debian slapd[23124]: conn=1012 fd=15 closed
June 13 17:27:17 debian slapd[23124]: conn=1011 op=1 UNBIND
June 13 17:27:17 debian slapd[23124]: conn=1011 fd=12 closed
---------------------------------------------------------------------------------------------


And here are my configuration files:


## *******************************== etc/krb5.conf ==*************************************
[libdefaults]
default_realm = EXEMPLE.COM
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
ticket_lifetime = 525600

[realms]
EXEMPLE.COM = {
kdc = debian.exemple.com
admin_server = debian.exemple.com
default_domain = exemple.com
database_module = openldap_ldapconf
}

[domain_realm]
.exemple.com = EXEMPLE.COM
exemple.com = EXEMPLE.COM


[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
default = SYSLOG:INFO:DAEMON



[kdc]
profile = /etc/krb5kdc/kdc.conf


[dbdefaults]

ldap_kerberos_container_dn = cn=krb-admin,dc=exemple,dc=com

[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = "cn=krb-admin,dc=exemple,dc=com"
ldap_kadmind_dn = "cn=krb-admin,dc=exemple,dc=com"
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_cert_path = /etc/ssl/certs/
ldap_servers = ldapi:///
ldap_conns_per_server = 5
}
## ****************************************************************************************

## *******************************== /etc/krb5kdc/kdc.conf ==******************************
[kdcdefaults]
kdc_ports = 750,88

[realms]
EXEMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/service.keyfile
kdc_ports = 750,88
max_life = 365d 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:$
default_principal_flags = +preauth
}
## ****************************************************************************************

Variables
----------------------------
SERVER: debian.exemple.com
DOMAIN: exemple.com
REALM: EXEMPLE.COM
LDAPROOT: dc=exemple,dc=com

------------------------------------------------


The LDAP database

## oooooooooooooooooooooooooo the base of LDAP ooooooooooooooooooooooooooooooooooooooooooooooooo
dn: dc=exemple,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: exemple.com
dc: exemple
structuralObjectClass: organization
entryUUID: 26b57a60-036d-1038-8abe-d739c4db7b16
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20180613154950Z
entryCSN: 20180613154950.654216Z#000000#000#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20180613154950Z

dn: cn=admin,dc=exemple,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9ZjBTSzg0Q0g1djR6Y2txSm0waWFERXI4RDBMVTVYRjY=
structuralObjectClass: organizationalRole
entryUUID: 26b61920-036d-1038-8abf-d739c4db7b16
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20180613154950Z
entryCSN: 20180613154950.658340Z#000000#000#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20180613154950Z

dn: cn=krb-admin,dc=exemple,dc=com
cn: krb-admin
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y5Y1hzdmJ2dTg9
structuralObjectClass: organizationalRole
entryUUID: 83d559c8-0371-1038-8427-4919d7f0168c
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20180613162104Z
entryCSN: 20180613162104.878174Z#000000#000#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20180613162104Z

dn: ou=groups,dc=exemple,dc=com
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit
entryUUID: 83da5bda-0371-1038-8428-4919d7f0168c
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20180613162104Z
entryCSN: 20180613162104.911009Z#000000#000#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20180613162104Z

dn: ou=users,dc=exemple,dc=com
objectClass: organizationalUnit
ou: users
structuralObjectClass: organizationalUnit
entryUUID: 83dabbd4-0371-1038-8429-4919d7f0168c
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20180613162104Z
entryCSN: 20180613162104.913467Z#000000#000#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20180613162104Z

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
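The slapd excerpt in the post is the useful part of the error: the KDC binds fine as cn=krb-admin (err=0) and then gets err=32 (noSuchObject) when it looks up the realm entry, and slapd prints a "?" in front of the objectClass component of the filter, which is how it marks a filter component it could not resolve. The script below is an added example, not code from the original post: it reads the posted krb5.conf to compute the DN the KDC will search for (cn=<default_realm>,<ldap_kerberos_container_dn>), extracts every err=32 search from the posted slapd log, and reports whether the missing base is exactly the realm DN the config predicts. Inputs are constructed inline copies of the snippets above (with the filter left truncated as the post shows it); no other facts about the system are assumed.

```shell
#!/bin/sh
# Added diagnostic example, not code from the original post. It correlates the
# realm DN that krb5.conf implies with the search that slapd logged as failing.
# Inputs are constructed copies of the snippets in the post; nothing else about
# the system is assumed.

# Constructed: the parts of the posted /etc/krb5.conf that decide where the KDC
# looks for its realm entry.
KRB5_CONF='[libdefaults]
default_realm = EXEMPLE.COM

[dbdefaults]
ldap_kerberos_container_dn = cn=krb-admin,dc=exemple,dc=com
'

# Constructed: four lines of the posted slapd log (one KDC connection), with
# the filter left truncated exactly as the post shows it.
SLAPD_LOG='June 13 17:27:17 debian slapd[23124]: conn=1015 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" mech=SIMPLE ssf=0
June 13 17:27:17 debian slapd[23124]: conn=1015 op=0 RESULT tag=97 err=0 text=
June 13 17:27:17 debian slapd[23124]: conn=1015 op=1 SRCH base="cn=EXEMPLE.COM,cn=krb-admin,dc=exemple,dc=com" scope=0 deref=0 filter="(?objectClass=krb
June 13 17:27:17 debian slapd[23124]: conn=1015 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text='

# Read a krb5.conf-style file on stdin and print the DN the KDC will search for:
# cn=<default_realm>,<ldap_kerberos_container_dn>.
expected_realm_dn() {
    conf=$(cat)
    realm=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' | head -n 1)
    container=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ldap_kerberos_container_dn[[:space:]]*=[[:space:]]*//p' | head -n 1)
    printf 'cn=%s,%s\n' "$realm" "$container"
}

# Read slapd log lines on stdin. For every search that ended in err=32
# (noSuchObject) print one line: the conn/op key, the base DN that did not
# exist, and whether slapd flagged the filter as undefined. A leading "?"
# inside the logged filter means slapd could not resolve that component; for
# objectClass=krb* that points at the kerberos schema not being loaded.
failed_kdc_lookups() {
    awk '
        / SRCH base=/ {
            match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH); gsub(/ /, "/", key)
            match($0, /base="[^"]*"/);         base[key] = substr($0, RSTART + 6, RLENGTH - 7)
            undef[key] = ($0 ~ /filter="[(][?]/) ? "undefined-filter" : "filter-ok"
        }
        / SEARCH RESULT / && / err=32 / {
            match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH); gsub(/ /, "/", key)
            printf "noSuchObject %s base=%s %s\n", key, base[key], undef[key]
        }'
}

# Tie the two together: if the base slapd could not find is exactly the realm
# DN the config predicts, the realm entry itself is missing from LDAP (the
# create step did not land); otherwise the config points the KDC elsewhere.
diagnose() {
    want=$(printf '%s' "$KRB5_CONF" | expected_realm_dn)
    printf '%s\n' "$SLAPD_LOG" | failed_kdc_lookups | while read -r _ key base_kv flt; do
        base=${base_kv#base=}
        if [ "$base" = "$want" ]; then
            printf 'realm entry %s missing in LDAP (%s, %s)\n' "$base" "$key" "$flt"
        else
            printf 'KDC searched %s but config predicts %s (%s)\n' "$base" "$want" "$key"
        fi
    done
}

diagnose
```

Run against the posted snippets it reports that cn=EXEMPLE.COM,cn=krb-admin,dc=exemple,dc=com is the DN the KDC wants and that slapd has no such entry, with the filter flagged as undefined; the posted LDAP dump confirms the first point, since it contains no entry under cn=krb-admin at all. Two checks follow from that on a live system: `ldapsearch -H ldapi:/// -b cn=subschema -s base objectClasses | grep -i krb` to confirm the kerberos schema is loaded in slapd, and rerunning the kdb5_ldap_util create step and checking its exit status before starting the KDC. Separately, the posted kdc.conf still lists single-DES enctypes and a des3-hmac-sha1 master key; MIT krb5 refuses DES unless allow_weak_crypto is set, so those entries are dead weight at best and should be dropped.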