verify_krb5_conf [ was Re: Patch to prevent krb5Key attrs in SambaLDAP entries ]
On Thu, 19 May 2005 20:17:47 +0200
Love Hörnquist Åstrand <lha@kth.se> wrote:
> The option is "default_keys", not default_etypes. Try running the program
> verify_krb5_conf.
I'm getting these errors:

verify_krb5_conf: /kadmin/require_preauth: unknown entry
verify_krb5_conf: /kdc/database/acl_file: unknown entry
verify_krb5_conf: /kdc/hdb-ldap-create-base: unknown entry

Unless I'm mistaken, according to the man page for krb5.conf these
should work. As a matter of fact, /kdc/hdb-ldap-create-base is
indeed used. My krb5.conf has this:
[kdc]
    database = {
        realm = CISE.UFL.EDU
        dbname = ldap:dc=cise,dc=ufl,dc=edu
        acl_file = /var/heimdal/kadmind.acl
    }
    kdc_warn_pwexpire = 7d
    hdb-ldap-create-base = ou=KerberosPrincipals,dc=cise,dc=ufl,dc=edu
and the base does seem to get used:
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL krb5PrincipalName=host/strawberry.cise.ufl.edu@CISE.UFL.EDU
SASL/EXTERNAL authentication started
SASL username: uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: krb5PrincipalName=host/strawberry.cise.ufl.edu@CISE.UFL.EDU,ou=KerberosPri
 ncipals,dc=cise,dc=ufl,dc=edu
objectClass: top
objectClass: account
objectClass: krb5Principal
objectClass: krb5KDCEntry
krb5PrincipalName: host/strawberry.cise.ufl.edu@CISE.UFL.EDU
uid: host/strawberry.cise.ufl.edu
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
krb5KDCFlags: 126
krb5Key:: XXXX
Have I missed something else here?
Jim