Date: Thu, 30 Oct 2014 10:02:19 +0100
From: Lévai László <laszlo.lev.levai@gmail.com>
To: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Cc: freebsd-current@freebsd.org
Subject: Re: Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so
Message-ID: <5451FE9B.9000301@gmail.com>
In-Reply-To: <20141030094749.101ca5f5@prometheus>
References: <20141030092039.47802349@prometheus> <5451F865.4040004@gmail.com> <20141030094749.101ca5f5@prometheus>
On 2014-10-30 09:47, O. Hartmann wrote:
> On Thu, 30 Oct 2014 09:35:49 +0100 Lévai László
> <laszlo.lev.levai@gmail.com> wrote:
>
> Hi, try this:
>
> [1] kill all kerberos processes
> [2] to start KDC: /usr/local/libexec/kdc --detach
> [3] /usr/local/sbin/kadmin -l
> kadmin> list -l *
> [...]
>
> Principal: krbtgt/...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: unlimited
> Max renewable life: unlimited
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:00 UTC
> Modifier: unknown
> Attributes:
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: kadmin/changepw@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 5 minutes
> Max renewable life: 5 minutes
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:00 UTC
> Modifier: unknown
> Attributes: pwchange-service, requires-pre-auth, disallow-proxiable, disallow-renewable, disallow-tgt-based, disallow-postdated
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: kadmin/admin@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:00 UTC
> Modifier: unknown
> Attributes: requires-pre-auth
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: changepw/kerberos@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: pwchange-service, disallow-tgt-based
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: kadmin/hprop@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: requires-pre-auth, disallow-tgt-based
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: WELLKNOWN/ANONYMOUS@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: requires-pre-auth
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: default@...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 day
> Max renewable life: 1 week
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: disallow-all-tix
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
> [...]
>
>> Hello.
>
>> This seems not to be the base system's Heimdal since you use
>> /usr/local as prefix!
>

The base system's Heimdal with OpenLDAP backend did not work for me. So I
installed the security/heimdal port and the OpenLDAP24 server.

root@lea:~ # /usr/local/libexec/slapd -VV
@(#) $OpenLDAP: slapd 2.4.40 (Oct 17 2014 16:17:52) $
        root@lea...:/usr/ports/net/openldap24-server/work/openldap-2.4.40/servers/slapd

root@lea:~ # /usr/local/libexec/kdc --version
kdc (Heimdal 1.5.2)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org

root@lea:~ # /usr/local/libexec/kdc --builtin-hdb
builtin hdb backends: ndbm:, keytab:, ldap:, ldapi:, sqlite:

otherwise the system kdc:

root@lea:~ # /usr/libexec/kdc --builtin-hdb
builtin hdb backends: db:, mit-db:, ndbm:, keytab:, sqlite:

>> What is your database/storage backend for your Heimdal
>> installation? Is it OpenLDAP?
>
>> Thank you very much in advance,
>
>> Oliver
>
> On 2014-10-30 09:20, O. Hartmann wrote:
>>>> On CURRENT (FreeBSD 11.0-CURRENT #0 r273810: Wed Oct 29 07:52:22 CET
>>>> 2014 amd64) a running net/openldap24-sasl-server system is installed
>>>> and running and is now about to be the database backend for
>>>> Kerberos/Heimdal. net/openldap24-sasl-server is at
>>>> openldap-sasl-server-2.4.40.
>>>>
>>>> The database storage scheme of the LDAP backend is MDB, as it is
>>>> highly recommended by the vendors of OpenLDAP.
>>>>
>>>> Searching for suitable manuals, I found some HowTos describing how
>>>> to set up MIT Kerberos V with an OpenLDAP backend and I started
>>>> following the instructions there. Despite the fact that
>>>> http://www.h5l.org/manual is dead(!) and no useful documentation or
>>>> any kind of a hint where to find useful documentation for Heimdal
>>>> can be found, many of the MIT Kerberos V setup instructions seem to
>>>> be a dead end when using Heimdal on FreeBSD. Most of the links on
>>>> that heimdal site end up in ERROR 404!
>>>>
>>>> Well, I think my objective isn't that exotic in a more advanced
>>>> server environment, and I think since FreeBSD is supposed to be used
>>>> in advanced server environments this task should be well known - but
>>>> little information/documentation is available.
>>>>
>>>> Nevertheless, I use the base system's heimdal implementation and I
>>>> run into a very frustrating error when trying to run "kadmin -l":
>>>>
>>>> kadmin: error trying to load dynamic module
>>>> /usr/lib/hdb_ldap.so: Cannot open "/usr/lib/hdb_ldap.so"
>>>>
>>>> The setup for the stanza [kdc] is
>>>>
>>>> [...]
>>>> [kdc]
>>>>     database = {
>>>>         dbname=ldap:ou=kerberos,dc=server,dc=gdr
>>>>         #hdb-ldap-structural-object = inetOrgPerson
>>>>         mkey_file = /var/heimdal/m-key
>>>>         acl_file = /var/heimdal/kadmind.acl
>>>>     }
>>>>
>>>> instructions taken from http://www.padl.com/Research/Heimdal.html.
>>>>
>>>> Well, it seems that FreeBSD ships with a crippled heimdal
>>>> implementation. Where is /usr/lib/hdb_ldap.so?
>>>>
>>>> I've been toying around with this issue for several days now and it
>>>> gets more and more frustrating, also with the perspective of having
>>>> no running samba 4.1 server for the windows domain.
>>>>
>>>> Can someone give me a hint where to find suitable FreeBSD docs for a
>>>> task like this? I guess since FreeBSD is considered a server OS more
>>>> than a desktop/toy OS, there must be a solution for this. FreeBSD
>>>> ships with heimdal in the base, but it seems this heimdal is broken.
>>>>
>>>> P.S. Please CC me.
>
--
Respectfully,
Lévai László
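An added example, not code from this thread or from Heimdal: a small POSIX sh check that reads the "builtin hdb backends:" line printed by `kdc --builtin-hdb` and reports whether the backend prefix of a [kdc] dbname= value is compiled into that binary. The base kdc lacking ldap: while krb5.conf points at ldap:... is the mismatch shown above. The function names are my own, and the sample output strings are copied from the two `--builtin-hdb` runs in the thread.

```shell
# hdb_has_backend BUILTIN_HDB_OUTPUT DBNAME
#   $1: text printed by `kdc --builtin-hdb`
#   $2: dbname= value, e.g. ldap:ou=kerberos,dc=server,dc=gdr
# Returns 0 if the prefix (ldap:, sqlite:, ...) is built in, 1 if it is not,
# 2 if dbname carries no explicit prefix (the kdc's default backend applies).
hdb_has_backend() {
    case $2 in
        *:*) prefix=${2%%:*} ;;
        *)   echo "no backend prefix in dbname '$2'" >&2; return 2 ;;
    esac
    # Line looks like: "builtin hdb backends: ndbm:, keytab:, ldap:, ldapi:, sqlite:"
    backends=$(printf '%s\n' "$1" | sed -n 's/^builtin hdb backends: *//p' | tr -d ',')
    for b in $backends; do
        [ "$b" = "$prefix:" ] && return 0
    done
    return 1
}

# check_kdc KDC_PATH DBNAME: run the real binary and print a verdict
# (hypothetical helper; not exercised below because no kdc is installed here).
check_kdc() {
    out=$("$1" --builtin-hdb 2>/dev/null) || { echo "$1: cannot run --builtin-hdb" >&2; return 2; }
    rc=0
    hdb_has_backend "$out" "$2" || rc=$?
    case $rc in
        0) echo "$1: backend '${2%%:*}:' is built in" ;;
        1) echo "$1: backend '${2%%:*}:' is NOT built in; this kdc cannot open dbname=$2" ;;
    esac
    return $rc
}

# Constructed sample inputs: the two --builtin-hdb lines from the thread, for
# the base kdc (/usr/libexec/kdc) and the security/heimdal port kdc.
BASE_KDC_OUT='builtin hdb backends: db:, mit-db:, ndbm:, keytab:, sqlite:'
PORT_KDC_OUT='builtin hdb backends: ndbm:, keytab:, ldap:, ldapi:, sqlite:'
DBNAME='ldap:ou=kerberos,dc=server,dc=gdr'

hdb_has_backend "$PORT_KDC_OUT" "$DBNAME" && echo "port kdc: ldap: backend available"
hdb_has_backend "$BASE_KDC_OUT" "$DBNAME" || echo "base kdc: no ldap: backend (the situation in the thread)"
```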