[Fwd: Re: KDC {K5KEY} userPassword problem] Solved!!

Although I specified in slapd.conf on the slave servers:

moduleload              /opt/openldap-2.3.39/lib/smbk5pwd.la

I omitted:

overlay smbk5pwd

I'm guessing slapd never passed credentials to the KDC, hence the (49) error.

1 more question, how does the smbk5pwd module handle a Kerberos password
that is expired? Is there a specific error code? I suppose I could
expire one then try it. 

2 days of wrestling with this, finally got it to work.

Kent L. Nasveschuk
Systems Administrator
Marine Biological Laboratory
7 MBL Street
Woods Hole, MA 02543
Tel. (508) 289-7263
--- Begin Message ---
On Wednesday 05 December 2007 03:15:13 Howard Chu wrote:
> Henry B. Hotz wrote:
> > I've no experience with LDAP back-ends, but isn't that entry supposed
> > to be used by the KDC, not by slapd?  In other words isn't it an
> > issue with the KDC reading it rather than slapd reading it?
> >
> > I wouldn't think that type of entry is supposed to be usable by
> > slapd, only by the kdc.
> The smbk5pwd overlay (which I wrote) in OpenLDAP knows how to parse the
> keys stored in LDAP by the Heimdal KDC. Of course for it to work, the
> overlay has to actually be configured on all of the relevant slapd
> instances...

... which also requires that the user as which slapd runs on each server must 
have read access to the stash key.


--- End Message ---
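The misconfiguration described in this thread (smbk5pwd loaded with moduleload but never enabled with an overlay line) can be checked for mechanically on each slapd instance. The script below is an added example, not part of the original messages or of OpenLDAP; the function names, the sample suffix and the sample database layout are assumptions made for illustration, and it only considers overlay lines that appear inside a database section.

```shell
#!/bin/sh
# Added example (not from the thread): flag slapd.conf files where smbk5pwd is
# loaded with moduleload but never enabled with "overlay smbk5pwd".
# check_smbk5pwd FILE prints one line per finding; exit status 0 means clean.
check_smbk5pwd() {
    awk '
    function report() {
        if (db != "" && !has) { print "MISSING overlay smbk5pwd: database " db; bad = 1 }
    }
    # Skip comments, blank lines and continuation lines (leading whitespace).
    /^#/ || /^[ \t]/ || /^$/ { next }
    { kw = tolower($1); arg = tolower($2) }
    kw == "moduleload" {
        m = arg; sub(/.*\//, "", m); sub(/\.(la|so)$/, "", m)   # path and suffix off
        if (m == "smbk5pwd") loaded = 1
    }
    kw == "database" {
        report(); has = 0
        # config and monitor databases hold no user entries, so they are not checked.
        db = (arg == "config" || arg == "monitor") ? "" : $2 " #" (++n)
    }
    kw == "overlay" && arg == "smbk5pwd" && db != "" { has = 1 }
    END {
        report()
        if (!loaded) { print "MISSING moduleload for smbk5pwd"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample of the slave configuration described in the post.
# $1 = output path, $2 = "fixed" to include the overlay line.
write_sample() {
    {
        echo 'moduleload /opt/openldap-2.3.39/lib/smbk5pwd.la'
        echo 'database bdb'
        echo 'suffix "dc=example,dc=org"'
        [ "$2" = fixed ] && echo 'overlay smbk5pwd'
        echo 'database monitor'
    } > "$1"
}

# Demo on the constructed sample: reports the bdb database as missing the overlay.
tmp=$(mktemp) && write_sample "$tmp" broken
check_smbk5pwd "$tmp" || echo "finding(s) reported for $tmp"
rm -f "$tmp"
```

Run it against the real slapd.conf on every master and slave; a non-zero exit status means at least one finding was printed.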