kdb5_ldap_util can not create krbContainer

Bug #1363897 reported by Reinhard on 2014-09-01
This bug affects 5 people
Affects: krb5 (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Following the instructions on
https://help.ubuntu.com/10.04/serverguide/kerberos-ldap.html
creating the initial database with kdb5_ldap_util
(>>sudo kdb5_ldap_util -D cn=admin,dc=app,dc=tsn create -subtrees dc=app,dc=tsn -r APP.TSN -s -H ldap:///ldap01.app.tsn)
fails with the error message:
>>kdb5_ldap_util: Kerberos Container create FAILED: Object class violation while creating realm 'APP.TSN'

After reading these mails
http://comments.gmane.org/gmane.comp.encryption.kerberos.general/18509
and setting up the log level for slapd in syslog, the following error message can be found:
----------
Sep 1 09:52:19 ldap01 slapd[1165]: ==> hdb_add: dc=app,dc=tsn
Sep 1 09:52:19 ldap01 slapd[1165]: oc_check_required entry (dc=app,dc=tsn), objectClass "krbContainer"
Sep 1 09:52:19 ldap01 slapd[1165]: oc_check_allowed type "objectClass"
Sep 1 09:52:19 ldap01 slapd[1165]: oc_check_allowed type "cn"
Sep 1 09:52:19 ldap01 slapd[1165]: oc_check_allowed type "structuralObjectClass"
Sep 1 09:52:19 ldap01 slapd[1165]: oc_check_allowed type "dc"
Sep 1 09:52:19 ldap01 slapd[1165]: Entry (dc=app,dc=tsn), attribute 'dc' not allowed
Sep 1 09:52:19 ldap01 slapd[1165]: hdb_add: entry failed schema check: attribute 'dc' not allowed (65)
-----------

System:
Ubuntu 14.04 LTS
slapd 2.4.31-1+nmu amd64
krb5-config 2.3
krb5-kdc 1.12+dfsg-2u amd64
krb5-kdc-ldap 1.12+dfsg-2u amd64
krb5-locales 1.12+dfsg-2u
krb5-user 1.12+dfsg-2u amd64

Reinhard (reinhard-fink) wrote :
affects: nfs-utils (Ubuntu) → krb5 (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in krb5 (Ubuntu):
status: New → Confirmed
Gabriel Burkholder (skinlayers) wrote :

Edit /etc/krb5.conf, and change the section:

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

to

[dbdefaults]
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

This issue appears to have been introduced in kdb5_ldap_util 1.12:
http://mailman.mit.edu/pipermail/kerberos/2014-March/019575.html

Basically, you have to start ldap_kerberos_container_dn with a 'cn'.

Unfortunately, I believe the official Ubuntu LTS documentation is to blame here.
Anyone following those directions is going to run into this issue:
https://help.ubuntu.com/14.04/serverguide/kerberos-ldap.html#kerberos-ldap-primary-kdc
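
An added check, not part of this bug thread or of the krb5 project, that reads the [dbdefaults] section of a krb5.conf and flags an ldap_kerberos_container_dn whose leftmost RDN is not cn. That is the misconfiguration behind the slapd log in the report: kdb5_ldap_util adds the container entry at the configured DN with objectClass krbContainer, and an entry named by a dc attribute fails the schema check ("attribute 'dc' not allowed"). The two krb5.conf fragments embedded below are constructed for the example; the suggested fix simply prepends cn=krbContainer to the existing DN, as in the comment above.

```python
import re
from typing import Dict, Optional

# Constructed sample krb5.conf fragments (not taken from the bug report):
# the value the old server guide gives, and the corrected one from this thread.
BROKEN_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com
"""

FIXED_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM

[dbdefaults]
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
"""

CONTAINER_KEY = "ldap_kerberos_container_dn"


def get_dbdefaults_value(conf_text: str, key: str) -> Optional[str]:
    """Return the value of `key` in the [dbdefaults] section, or None.

    krb5.conf is INI-like: '[section]' headers and 'key = value' lines.
    Only top-level keys are looked at; nested '{ ... }' relation groups
    (e.g. per-realm settings) are skipped so a key inside one is not
    mistaken for the global value.
    """
    section = None
    depth = 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, depth = header.group(1), 0
            continue
        if section != "dbdefaults":
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth:
            continue
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None


def first_rdn_type(dn: str) -> str:
    """Attribute type of the leftmost RDN: 'cn' for 'cn=krbContainer,dc=example,dc=com'."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[0].strip().lower()


def check_container_dn(conf_text: str) -> Dict[str, Optional[str]]:
    """Classify the container DN as 'missing', 'bad' (first RDN is not cn) or 'ok'.

    For a 'bad' DN the suggestion prepends cn=krbContainer, which is the
    corrected value this thread arrives at; any cn-named entry would satisfy
    the schema, but that name matches the documentation fix.
    """
    dn = get_dbdefaults_value(conf_text, CONTAINER_KEY)
    if dn is None:
        return {"status": "missing", "dn": None, "suggestion": None}
    if first_rdn_type(dn) != "cn":
        return {"status": "bad", "dn": dn, "suggestion": "cn=krbContainer," + dn}
    return {"status": "ok", "dn": dn, "suggestion": None}


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(name, check_container_dn(text))
```

Pointing the checker at the real file is a matter of `check_container_dn(open("/etc/krb5.conf").read())`; a "bad" result before running kdb5_ldap_util create is exactly the case that produces the "Object class violation" error in the report.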

Gabriel Burkholder (skinlayers) wrote :

I've submitted a documentation bug report here:
https://bugs.launchpad.net/serverguide/+bug/1409392

Rob Knop (rknop-l) wrote :

Should the following lines also be changed? E.g.:

  sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \
    dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

Does that dc=example,dc=com need to be replaced with cn=krbContainer,dc=example,dc=com?

Ryan Short (deeack) wrote :

Just appears to be an issue with the documentation, as noted by Gabriel's previously linked bug report https://bugs.launchpad.net/serverguide/+bug/1409392

Can confirm that following the guide but making the change highlighted by https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1363897/comments/3, the containers look to have been created successfully and kadmin looks populated; it was also able to add the kerberos attributes to an existing user in the ldap database.

This was all without making any other changes, so regarding Rob's query, the kdb5_ldap_util create line stayed as is.

Reinhard (reinhard-fink) wrote :

The, on the whole, very useful documentation in

https://help.ubuntu.com/lts/serverguide

is still not updated to Gabriel Burkholder's message from 2015-01-11:

---------------------------------------------------------------------
https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html

Next, use the kdb5_ldap_util utility to create the realm:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \
dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com
----------------------------------------------------------------------

So setting up a kerberos server on ldap in ubuntu 16.04 is still a pain.

What is to be done to fix the documentation?

PS:
I collected a lot of scripts for setting up kerberos on ldap and other servers in:
https://github.com/edvapp/networkbox
If they are useful for more people, any useful hints to make them better known?

Thanks
Reinhard
