Date: Thu, 30 Oct 2014 09:47:49 +0100
From: "O. Hartmann"
To: Lévai László
Cc: freebsd-current@freebsd.org
Subject: Re: Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so
Message-ID: <20141030094749.101ca5f5@prometheus>
In-Reply-To: <5451F865.4040004@gmail.com>
Organization: FU Berlin

On Thu, 30 Oct 2014 09:35:49 +0100
Lévai László wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi, try this:
>
> [1] kill all kerberos processes
> [2] to start KDC: /usr/local/libexec/kdc --detach
> [3] /usr/local/sbin/kadmin -l
> kadmin> list -l *
> [...]
>
> Principal: krbtgt/...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: unlimited
> Max renewable life: unlimited
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:00 UTC
> Modifier: unknown
> Attributes:
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: kadmin/changepw@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 5 minutes
> Max renewable life: 5 minutes
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:00 UTC
> Modifier: unknown
> Attributes: pwchange-service, requires-pre-auth,
> disallow-proxiable, disallow-renewable, disallow-tgt-based,
> disallow-postdated
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: kadmin/admin@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:00 UTC
> Modifier: unknown
> Attributes: requires-pre-auth
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: changepw/kerberos@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: pwchange-service, disallow-tgt-based
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: kadmin/hprop@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: requires-pre-auth, disallow-tgt-based
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: WELLKNOWN/ANONYMOUS@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: requires-pre-auth
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: default@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 day
> Max renewable life: 1 week
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: disallow-all-tix
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
> [...]

Hello.

This seems not to be the base system's Heimdal, since you use /usr/local as prefix!

What is your database/storage backend for your Heimdal installation? Is it OpenLDAP?

Thank you very much in advance,

Oliver

>
>
> On 2014-10-30 09:20, O. Hartmann wrote:
> > On CURRENT (FreeBSD 11.0-CURRENT #0 r273810: Wed Oct 29 07:52:22
> > CET 2014 amd64) a running net/openldap24-sasl-server system is
> > installed and running and is now about to be the database backend
> > for Kerberos/Heimdal. net/openldap24-sasl-server is at
> > openldap-sasl-server-2.4.40.
> >
> > The database storage scheme of the LDAP backend is MDB, as it is
> > highly recommended by the vendors of OpenLDAP.
> >
> > Searching for suitable manuals, I found some HowTos describing how
> > to set up MIT Kerberos V with an OpenLDAP backend and I started
> > following the instructions there. Despite the fact that
> > http://www.h5l.org/manual is dead(!) and no useful documentation
> > or any kind of a hint where to find useful documentation for
> > Heimdal can be found, many of the MIT Kerberos V setup instructions
> > seem to be a dead end when using Heimdal on FreeBSD. Most of the
> > links on that heimdal site end up in ERROR 404!
> >
> > Well, I think my objective isn't that exotic in a more advanced
> > server environment and I think since FreeBSD is supposed to be used
> > in advanced server environments this task should be well known -
> > but little information/documentation is available.
> >
> > Nevertheless, I use the base system's heimdal implementation and I
> > run into a very frustrating error when trying to run "kadmin -l":
> >
> > kadmin: error trying to load dynamic module /usr/lib/hdb_ldap.so:
> > Cannot open "/usr/lib/hdb_ldap.so"
> >
> > The setup for the stanza [kdc] is
> >
> > [...]
> > [kdc]
> >     database = {
> >         dbname=ldap:ou=kerberos,dc=server,dc=gdr
> >         #hdb-ldap-structural-object = inetOrgPerson
> >         mkey_file = /var/heimdal/m-key
> >         acl_file = /var/heimdal/kadmind.acl
> >     }
> >
> > instructions taken from
> > http://www.padl.com/Research/Heimdal.html.
> >
> > Well, it seems that FreeBSD ships with a crippled heimdal
> > implementation. Where is /usr/lib/hdb_ldap.so?
> >
> > I'm toying around with this issue for several days now and it gets more
> > and more frustrating, also with the perspective of having no
> > running samba 4.1 server for the windows domain.
> >
> > Can someone give me a hint where to find suitable FreeBSD docs for
> > a task like this? I guess since FreeBSD is considered a server OS
> > more than a desktop/toy OS, there must be a solution for this.
> > FreeBSD ships with heimdal in the base, but it seems this heimdal
> > is broken.
> >
> > P.S. Please CC me.
> > _______________________________________________
> > freebsd-current@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-current
> > To unsubscribe, send any mail to
> > "freebsd-current-unsubscribe@freebsd.org"
> >
>
> --
> Respectfully,
> Lévai László
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iF4EAREIAAYFAlRR+GEACgkQtgVHtSvpUlo8hgD/dJbCxh7dBdm1tosZ8fdmMuCf
> o6fBH3629SPMpGxxon0A/jK7hheRgcJYaIRTVUbmwKm3clbkVW4smcNCf8dPrTq5
> =vvoI
> -----END PGP SIGNATURE-----
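The [kdc] stanza quoted in the original post selects Heimdal's HDB backend by the prefix of `dbname`, and the error message shows that an `ldap:` prefix makes kadmin try to load `hdb_ldap.so` as a dynamic module; if the build did not ship that module, the LDAP backend cannot work no matter how the rest of the stanza looks. What follows is an added example, not code from the thread or from Heimdal: a small Python check that parses such a stanza, decides whether the configured backend requires the LDAP module, and reports whether a module file is found in a list of directories you supply. The stanza text is reconstructed from the post; the module name and the /usr/lib location come from the error message; the default search directories, the injectable `exists` hook and the parser's support for only this simple block layout are assumptions of the example.

```python
import os
import re
from typing import Callable, Dict, List, Optional

# Constructed sample input: the [kdc] stanza from the original post, with the
# quoted-printable debris (=3D, =20) decoded back into plain text.
SAMPLE_KDC_CONF = """
[kdc]
    database = {
        dbname=ldap:ou=kerberos,dc=server,dc=gdr
        #hdb-ldap-structural-object = inetOrgPerson
        mkey_file = /var/heimdal/m-key
        acl_file = /var/heimdal/kadmind.acl
    }
"""

# Module name and first location taken from the error message in the thread;
# the second directory is an assumption (where a ports build might install).
HDB_LDAP_MODULE = "hdb_ldap.so"
DEFAULT_SEARCH_DIRS = ["/usr/lib", "/usr/local/lib"]


def parse_kdc_database(text: str) -> Dict[str, str]:
    """Return the key/value pairs inside the '[kdc] database = { ... }' block.

    Minimal parser for the layout shown in the thread: one 'key = value'
    per line, '#' starts a comment, '}' closes the block.  Settings outside
    that block are ignored.
    """
    in_kdc = in_db = False
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        section = re.match(r"^\[(\w+)\]$", line)
        if section:
            in_kdc = section.group(1) == "kdc"
            in_db = False
            continue
        if in_kdc and not in_db and re.match(r"^database\s*=\s*\{$", line):
            in_db = True
            continue
        if in_db:
            if line == "}":
                in_db = False
                continue
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def backend_kind(dbname: str) -> str:
    """Classify the HDB backend from the dbname prefix.

    'ldap:' and 'ldapi:' are served by the LDAP backend, which the KDC in
    the thread tried to load as a dynamic module; a bare path is a local
    database file; any other scheme is returned as-is so the caller can see
    what the build has to support.
    """
    scheme, sep, _ = dbname.partition(":")
    if not sep or "/" in scheme:
        return "file"
    if scheme in ("ldap", "ldapi"):
        return "ldap"
    return scheme


def find_module(search_dirs: List[str], exists: Callable[[str], bool],
                name: str = HDB_LDAP_MODULE) -> Optional[str]:
    """First path in search_dirs where the module file exists, else None."""
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if exists(candidate):
            return candidate
    return None


def check_ldap_backend(conf_text: str,
                       search_dirs: Optional[List[str]] = None,
                       exists: Callable[[str], bool] = os.path.isfile) -> Dict[str, object]:
    """Report whether the configured backend needs hdb_ldap and whether it is present.

    'exists' is injectable so the decision logic can be exercised without
    touching the real filesystem.
    """
    settings = parse_kdc_database(conf_text)
    dbname = settings.get("dbname", "")
    kind = backend_kind(dbname)
    report: Dict[str, object] = {
        "dbname": dbname,
        "backend": kind,
        "needs_hdb_ldap": kind == "ldap",
        "module": None,
        "ok": True,
    }
    if kind == "ldap":
        module = find_module(search_dirs or DEFAULT_SEARCH_DIRS, exists)
        report["module"] = module
        report["ok"] = module is not None   # ldap: without the plugin cannot start
    return report


if __name__ == "__main__":
    for key, value in sorted(check_ldap_backend(SAMPLE_KDC_CONF).items()):
        print(f"{key}: {value}")
```

Run against the thread's stanza on a host without the module, the report shows `needs_hdb_ldap: True` together with `module: None` and `ok: False`, which is exactly the situation behind the "Cannot open /usr/lib/hdb_ldap.so" error; the check says nothing about why the module is absent, only that this dbname cannot be served until it is.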