Hi folks,
My plan is to migrate away from three older Debian wheezy systems
running MIT Kerberos 1.10.1+dfsg-5+deb7u7 with an OpenLDAP
2.4.31-2+deb7u2 backend to Debian stretch. The idea is to start by
adding a slave system based on MIT Kerberos 1.15-1 and OpenLDAP
2.4.44+dfsg-3. Only, the
What does your olcSyncrepl line for dc=example,dc=com look like?
Matt Pallissard
On Thu, 2017-04-13 at 12:57 +0200, Jaap Winius wrote:
> Hi folks,
>
> My plan is to migrate away from three older Debian wheezy systems
> running MIT Kerberos 1.10.1+dfsg-5+deb7u7 with an OpenLDAP
> 2.4.31-2+de
Hello,
please check what URI value is in '/etc/ldap/ldap.conf'. Are both set to
ldapi:///?
Thorsten
Sent from my iPhone
> On 13.04.2017 at 12:57, Jaap Winius wrote:
>
> Hi folks,
>
> My plan is to migrate away from three older Debian wheezy systems
> running MIT Kerberos 1.10.1+df
Quoting "Pallissard, Matthew" :
> What does your olcSyncrepl line for dc=example,dc=com look like?
olcSyncrepl: {0}rid=123 provider="ldap://klsm.example.com:389/"; type=refreshAndPersist retry="60 30 300 +" searchbase="dc=example,dc=com" bindmethod=sasl saslmech=gssapi
The OpenLDAP configu
Hmm,
Do your cn=config databases match?
Do you know what that hashed password actually is? Can you manually bind with
that username/pw and ldapsearch?
Matt Pallissard
On Thu, 2017-04-13 at 14:02 +0200, Jaap Winius wrote:
> Quoting "Pallissard, Matthew" :
>
> > What does your olcSyncrepl line
Quoting t Seeger :
> please check what URI value is in '/etc/ldap/ldap.conf'. Are both
> set to ldapi:///?
Both? I had the URI value in /etc/ldap/ldap.conf set like this:
URI ldap://kls4.example.com/
So I tried it with:
URI ldapi:///
And I also tried these variations:
URI ldap
Quoting "Pallissard, Matthew" :
> Do your cn=config databases match?
Almost. The main difference is that the databases on the old systems
are in an hdb format and the new one uses mdb, so there are a few
olcDbConfig lines on the old systems that are not present in the new
system.
> Do you
> Could it be that the required format or key type of one or both of these
> files has changed?
That I do not know.
> If so, then unless I can decrypt that HEX value it will probably be necessary
> to create a new realm.
I don't think that a new
Hi,
I am trying to implement a client that is compliant with
https://tools.ietf.org/html/rfc6806.html#section-11
The issue I am having is on validating the checksum returned in the PA-Data
from the KDC. Below is the outline of the steps I am taking.
I need the checksum key and the value of the A
On 04/13/2017 07:18 AM, Turner, Jonathan wrote:
> https://tools.ietf.org/html/rfc6806.html#section-11
[...]
> To get the key:
> 1) Decrypt the encpart of the AS-REP
> 2) From the decrypted encpart get the key value
RFC 6806 says "The checksum key is the reply key", meaning the key used
to encrypt
On 04/13/2017 09:13 AM, Jaap Winius wrote:
> Regrettably, no, I don't have the passwords. I copied the
> 'service.keyfile' and 'stash' files from the old systems and hoped it
> would work. Could it be that the required format or key type of one or
> both of these files has changed? If so, then un
Quoting "Pallissard, Matthew" :
> You could also try pointing your new KDC to your old LDAP server to
> see whether or not the issue is with your LDAP instance or the KDC
> config.
That worked. In other words, the problem is with the new slapd server.
> You should check your slapd logs as we
Quoting Jaap Winius :
>slapd[560]: GSSAPI Error: Unspecified GSS failure. \
>Minor code may provide more information \
>(Server ldap/localh...@example.com not found in Kerberos database)
Invalid credentials? It's because of this. Slapd should discover its
identity by reading its key
Is it slapd reading its keytab incorrectly, or is the hostname being derived
incorrectly? Is this a hosts file issue?
Matt Pallissard
Original Message
From: Jaap Winius
Sent: Thu Apr 13 18:20:33 CDT 2017
To: Jaap Winius
Cc: "Pallissard, Matthew" , kerberos@mit.edu
Subject: R
Thanks Emma!
I have installed kerberos5 using MacPorts. I just wonder if you are still able
to help me figure out which is the right kdc.conf being read by the system.
I just tried these files:
KurtMAC:etc mcroot$ grep listen /opt/local/etc/kdc.conf /usr/local/etc/kdc.conf
/opt/local/etc/k