KRB

Kerberos + LDAP

As far as I can remember, KRB:

apt-get install krb5-kdc-ldap krb5-kdc krb5-admin-server krb5-doc

It says:

Configuring the Kerberos realm
This package contains the administrative tools required to run a Kerberos master server.
However, installing the package does not automatically configure a Kerberos realm.
This can be done later with the "krb5_newrealm" command.
Please also read the file /usr/share/doc/krb5-kdc/README.KDC and the administrator's guide from the krb5-doc package.

Let's try to start it.

service krb5-kdc start

It fails with the error: cannot initialize realm A1-CONNECT.RU - see log file for details

No log file was created. Logging was configured in /etc/krb5kdc/kdc.conf by adding:

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log

On the next service start attempt it wrote this log line:

krb5kdc: ??? ?????? ????? ??? ???????? - while initializing database for realm A1-CONNECT.RU

The console locale was reset to en_US.UTF-8:

export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
export LANGUAGE=en_US.UTF-8
source ~/.bashrc

After the next service start attempt, the following line was logged:

krb5kdc: No such file or directory - while initializing database for realm A1-CONNECT.RU

After googling, a partial solution was found:

kdb5_util create

But after the next service startup attempt, the following error occurred:

krb5kdc: Can not fetch master key (error: No such file or directory). - while fetching master key K/M for realm A1-CONNECT.RU

The files in /var/lib/krb5kdc/ were removed and the realm was created again, this time with a stash file:

kdb5_util create -s

But the error still appeared. As I understood after looking at the manual at http://wiki.etersoft.ru/Krb5KDC and at the config files, /etc/krb5.conf was missing information: I had forgotten to add the domain-to-realm mapping for A1-CONTENT.RU:

[domain_realm]
        .a1-content.ru = A1-CONTENT.RU
        a1-content.ru = A1-CONTENT.RU

I also set the default_domain option in my realm, so it finally looks like this:

[realms]
        A1-CONNECT.RU = {
                kdc = srv10436.a1-content.ru
                admin_server = srv10436.a1-content.ru
                default_domain = a1-content.ru
        }
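As an added consistency check (example code written for this page, not part of the original log), the following Python parses krb5.conf-style text, including the nested realm block shown above, and lists realms that [domain_realm] maps hosts to but that [realms] never defines. SAMPLE_KRB5_CONF is a constructed sample built from the two blocks above; on it the check reports A1-CONTENT.RU, because the realm block is named A1-CONNECT.RU.

```python
import re

# Constructed sample input: the [domain_realm] and [realms] blocks from this
# page pasted into one krb5.conf-style text (note the two different realm names).
SAMPLE_KRB5_CONF = """
[domain_realm]
        .a1-content.ru = A1-CONTENT.RU
        a1-content.ru = A1-CONTENT.RU
[realms]
        A1-CONNECT.RU = {
                kdc = srv10436.a1-content.ru
                admin_server = srv10436.a1-content.ru
                default_domain = a1-content.ru
        }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers, 'key = value' lines and
    one level of 'key = { ... }' nesting (enough for realms/domain_realm)."""
    conf, section, nested = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            nested = None
            continue
        if section is None:
            raise ValueError("key/value before any [section]: " + line)
        if line == "}":                       # end of a nested realm block
            nested = None
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            raise ValueError("cannot parse line: " + line)
        if value == "{":                      # start of a nested block
            nested = section.setdefault(key, {})
        elif nested is not None:
            nested[key] = value
        else:
            section[key] = value
    return conf


def undefined_realms(conf):
    """Realms that [domain_realm] maps hosts to but that have no [realms]
    entry, so clients would have no configured KDC to contact for them."""
    defined = set(conf.get("realms", {}))
    referenced = set(conf.get("domain_realm", {}).values())
    return sorted(referenced - defined)
```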

And when I tried to create the realm again, the stash file appeared; then, when starting the krb5-kdc service again, it came up without errors:

Nov 27 18:38:28 srv10436.a1-content.ru krb5kdc[24525](info): setting up network...
Nov 27 18:38:28 srv10436.a1-content.ru krb5kdc[24525](info): listening on fd 8: udp 0.0.0.0.88 (pktinfo)
Nov 27 18:38:28 srv10436.a1-content.ru krb5kdc[24525](info): listening on fd 9: udp 0.0.0.0.750 (pktinfo)
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 88
Nov 27 18:38:28 srv10436.a1-content.ru krb5kdc[24525](info): skipping unrecognized local address family 17
Nov 27 18:38:28 srv10436.a1-content.ru krb5kdc[24525](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Nov 27 18:38:28 srv10436.a1-content.ru krb5kdc[24525](info): listening on fd 10: udp fe80::225:90ff:fe0c:f842%eth0.88
krb5kdc: setsockopt(11,IPV6_V6ONLY,1) worked
Nov 27 18:38:28 srv10436.a1-content.ru krb5kdc[24525](info): listening on fd 11: udp fe80::225:90ff:fe0c:f842%eth0.750
Nov 27 18:38:28 srv10436.a1-content.ru krb5kdc[24525](info): set up 4 sockets
Nov 27 18:38:28 srv10436.a1-content.ru krb5kdc[24526](info): commencing operation

Now I need to get the following running:

kdb5_ldap_util -D cn=admin,dc=a1-content,DC=ru -H ldap://srv10436.a1-content.ru create -subtrees ou=accounts -sscope SUB -r A1-CONTENT.RU

I thought all that was left was to come up with a KDC master key and voilà, but it refused to work, with the following complaints:

Initializing database for realm 'A1-CONTENT.RU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
kdb5_ldap_util: Kerberos container location not specified while reading kerberos container information
kdb5_ldap_util: Kerberos container location not specified while creating realm 'A1-CONTENT.RU'
adv/srv10436/krb.txt · Last modified: 2015/12/05 21:15 by rybario