[Date Prev][Date Next] [Chronological] [Thread] [Top]

Error when creating realm in openldap from kerberos


I have been at this for a week now, and i would really appreciate any help.
I'm setting up both kerberos and openldap on the same ubuntu VM for testing purposes.
I was following the configuration for kerberos-ldap (https://help.ubuntu.com/11.04/serverguide/C/kerberos-ldap.html) when I got this error:
  sudo kdb5_ldap_util -D  cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap.example.com
  <......entered password for cn=admin and new KDC database.....>
  kdb5_ldap_util: Hostname cannot be canonicalized krb5_sname_to_principal, while adding entries to the database

I think its something to do with the /etc/hosts file, but I'm not sure.
Here are my configurations:
    kdc_ports = 88
    acl_file = /usr/local/var/krb5kdc/kadm5.acl
    admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
    dict_file = /usr/local/var/krb5kdc/kadm5.dict

        database_name = /usr/local/var/krb5kdc/principal
        admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
        acl_file = /usr/local/var/krb5kdc/kadm5.acl
        dict_file = /usr/local/var/krb5kdc/kadm5.dict
        key_stash_file = /usr/local/var/krb5kdc/.k5.EXAMPLE.COM
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    ticket_lifetime = 2400
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
        kdc = kerberos.example.com:88
        admin_server = kerberos.example.com:749
        default_domain = example.com
        database_module = openldap_ldapconf
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
        ldap_kerberos_container_dn = dc=example,dc=com
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap.example.com
                ldap_conns_per_server = 5
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb.la

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}0tWXk3nWCfFXeyv3cGF39KmW3Wukbgj8
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

# Create top-level object in domain
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organization
dc: Example
description: LDAP Example

# Admin user.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin1
description: LDAP administrator
#userPassword: aa
userPassword: {SSHA}0tWXk3nWCfFXeyv3cGF39KmW3Wukbgj8

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: {SSHA}0tWXk3nWCfFXeyv3cGF39KmW3Wukbgj8
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: admin@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
initials: JD

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

BASE    dc=example,dc=com
URI    ldap://ldap.example.com ldapi://ldap.example.com ldaps://ldap.example.com
TLS_CACERT /etc/ssl/certs/cacert.pem
DEREF        never

---------------------- kerberos.example.com kerberos ldap.example.com ldap    ubuntu

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts