'Kerberos and LDAP' instructions show bad ldap_kerberos_container_dn example

Bug #1409392 reported by Gabriel Burkholder
Affects: Ubuntu Server Guide
Status: Fix Released
Importance: Undecided
Assigned to: Andreas Hasenack
Milestone: (none)

Bug Description

https://help.ubuntu.com/14.04/serverguide/kerberos-ldap.html#kerberos-ldap-primary-kdc

kdb5_ldap_util 1.12 (which ships with Ubuntu 14.04) requires that the ldap_kerberos_container_dn entry in /etc/krb5.conf start with a 'cn' (see: http://mailman.mit.edu/pipermail/kerberos/2014-March/019575.html ). Following the instructions in the LTS 'Kerberos and LDAP' guide will fail at:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \
dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

With the error message:

kdb5_ldap_util: Kerberos Container create FAILED: Object class violation while creating realm 'EXAMPLE.COM'

Suggested changes:

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

to

[dbdefaults]
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
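A small pre-flight check for the setting the report is about, added here as an example (it is not part of the bug report or of the Ubuntu Server Guide). It reads the ldap_kerberos_container_dn value out of a krb5.conf-style file and refuses a DN whose first RDN is not cn=, so the "Object class violation" from kdb5_ldap_util is caught before the create step is run. The sample configuration files it writes are constructed for the demonstration; the function name check_container_dn is this example's own.

```shell
# check_container_dn FILE
# Exit 0 if ldap_kerberos_container_dn in FILE begins with cn=,
# 1 if it is present but does not, 2 if the key is missing.
check_container_dn() {
    file="$1"
    # Pull the value after '=' for the first matching key, trimming
    # surrounding whitespace; only the first occurrence is considered.
    dn=$(sed -n 's/^[[:space:]]*ldap_kerberos_container_dn[[:space:]]*=[[:space:]]*//p' "$file" \
         | head -n 1 | sed 's/[[:space:]]*$//')
    if [ -z "$dn" ]; then
        echo "no ldap_kerberos_container_dn found in $file" >&2
        return 2
    fi
    # kdb5_ldap_util 1.12 requires the container's first RDN to be cn=
    # (attribute types in a DN are case-insensitive, hence [cC][nN]).
    case "$dn" in
        [cC][nN]=*)
            echo "OK: $dn"
            return 0
            ;;
        *)
            echo "BAD: '$dn' must start with cn= (e.g. cn=krbContainer,dc=example,dc=com)" >&2
            return 1
            ;;
    esac
}

# Constructed sample files: the guide's original setting and the suggested fix.
tmpdir=$(mktemp -d)
cat > "$tmpdir/bad.conf" <<'EOF'
[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com
EOF
cat > "$tmpdir/good.conf" <<'EOF'
[dbdefaults]
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
EOF

check_container_dn "$tmpdir/bad.conf"  || echo "bad.conf: exit status $?"
check_container_dn "$tmpdir/good.conf" || echo "good.conf: exit status $?"
```

Run it against /etc/krb5.conf before the kdb5_ldap_util create step; a non-zero status means the [dbdefaults] section still carries the form the guide showed.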

description: updated
Revision history for this message
Rob Knop (rknop-l) wrote :

Should the following lines also be changed? E.g.:

  sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \
    dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

Does that dc=example,dc=com need to be replaced with cn=krbContainer,dc=example,dc=com?

Ryan Short (deeack) wrote :

Can confirm that, following the guide but making the change highlighted by https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1363897/comments/3, the containers look to have been created successfully and kadmin looks populated; it was also able to add the Kerberos attributes to an existing user in the LDAP database.

This was all without making any other changes, so regarding Rob's query the kdb5_ldap_util create line stayed as is.

Changed in serverguide:
assignee: nobody → Andreas Hasenack (ahasenack)
status: New → In Progress
Andreas Hasenack (ahasenack) wrote :

There are other problems with this section for which I will file separate bug(s). For example, the LDAP DN uid=steve,ou=people,dc=example,dc=om doesn't exist, so the example with kadmin.local's addprinc command won't work. There should be two examples: one for steve without the -x option, which will create a new Kerberos entry only outside of ou=people, and one for john (the user we create if we follow the OpenLDAP installation guide) with the -x option, which will just add the Kerberos attributes to the existing uid=john,ou=people,dc=example,dc=com entry.

Andreas Hasenack (ahasenack) wrote :

Filed https://bugs.launchpad.net/serverguide/+bug/1690150 for that addprinc{,-x} issue.

Changed in serverguide:
status: In Progress → Fix Committed
Changed in serverguide:
status: Fix Committed → Fix Released