Re: Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so

From: Lévai László <laszlo.lev.levai_at_gmail.com>
Date: Thu, 30 Oct 2014 09:35:49 +0100

Hi, try this:

[1] Kill all Kerberos processes.
[2] Start the KDC: /usr/local/libexec/kdc --detach
[3] /usr/local/sbin/kadmin -l
kadmin> list -l *
[...]

            Principal: krbtgt/...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:00 UTC
             Modifier: unknown
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: kadmin/changepw_at_...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 5 minutes
   Max renewable life: 5 minutes
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:00 UTC
             Modifier: unknown
           Attributes: pwchange-service, requires-pre-auth,
disallow-proxiable, disallow-renewable, disallow-tgt-based,
disallow-postdated
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: kadmin/admin_at_...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 hour
   Max renewable life: 1 hour
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:00 UTC
             Modifier: unknown
           Attributes: requires-pre-auth
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: changepw/kerberos_at_...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 hour
   Max renewable life: 1 hour
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:01 UTC
             Modifier: unknown
           Attributes: pwchange-service, disallow-tgt-based
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: kadmin/hprop_at_...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 hour
   Max renewable life: 1 hour
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:01 UTC
             Modifier: unknown
           Attributes: requires-pre-auth, disallow-tgt-based
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: WELLKNOWN/ANONYMOUS_at_...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 hour
   Max renewable life: 1 hour
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:01 UTC
             Modifier: unknown
           Attributes: requires-pre-auth
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: default_at_...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:01 UTC
             Modifier: unknown
           Attributes: disallow-all-tix
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:
[...]


On 2014-10-30 09:20, O. Hartmann wrote:
> On CURRENT (FreeBSD 11.0-CURRENT #0 r273810: Wed Oct 29 07:52:22
> CET 2014 amd64) a running net/openldap24-sasl-server system is
> installed and running and is now about to be the database backend
> for Kerberos/Heimdal. net/openldap24-sasl-server is at 
> openldap-sasl-server-2.4.40.
> 
> The database storage scheme of the LDAP backend is MDB, as it is
> highly recommended by the vendors of OpenLDAP.
> 
> Searching for suitable manuals, I found some HowTos describing how
> to set up MIT Kerberos V with an OpenLDAP backend and I started
> following the instructions there. Despite the fact that
> http://www.h5l.org/manual is dead(!) and no useful documentation
> or any kind of a hint where to find useful documentation for
> Heimdal can be found, many of the MIT Kerberos V setup instructions
> seem to be a dead end when using Heimdal on FreeBSD. Most of the
> links on that heimdal site end up in ERROR 404!
> 
> Well, I think my objective isn't that exotic in a more advanced
> server environment and I think since FreeBSD is supposed to be used
> in advanced server environments this task should be well known -
> but little information/documentation is available.
> 
> Nevertheless, I use the base system's heimdal implementation and I
> ran into a very frustrating error when trying to run "kadmin -l":
> 
> kadmin: error trying to load dynamic module /usr/lib/hdb_ldap.so:
> Cannot open "/usr/lib/hdb_ldap.so"
> 
> The setup for the stanza [kdc] is
> 
> [...]
> [kdc]
>     database = {
>         dbname=ldap:ou=kerberos,dc=server,dc=gdr
>         #hdb-ldap-structural-object = inetOrgPerson
>         mkey_file = /var/heimdal/m-key
>         acl_file = /var/heimdal/kadmind.acl
>     }
> 
> instructions taken from
> http://www.padl.com/Research/Heimdal.html.
> 
> Well, it seems that FreeBSD ships with a crippled heimdal 
> implementation. Where is /usr/lib/hdb_ldap.so?
> 
> I've been toying around with this issue for several days now and it
> gets more and more frustrating, also with the perspective of having
> no running samba 4.1 server for the windows domain.
> 
> Can someone give me a hint where to find suitable FreeBSD docs for
> a task like this? I guess since FreeBSD is considered a server OS
> more than a desktop/toy OS, there must be a solution for this.
> FreeBSD ships with heimdal in the base, but it seems this heimdal
> is broken.
> 
> P.S. Please CC me.
> 

-- 
Regards,
Lévai László
Received on Thu Oct 30 2014 - 07:35:54 UTC
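The `list -l *` output above is what an operator reads back after restarting the KDC, and it is also the place where weak key types (arcfour-hmac-md5, des3-cbc-sha1), unlimited ticket lifetimes and missing `requires-pre-auth` flags show up. The following is an added example, not code from the mail or from Heimdal: it parses that listing shape (right-aligned `Name: value` lines, with long Attributes/Keytypes values wrapped onto column 0, as in the dump above) and reports those findings per principal. The realm EXAMPLE.TEST and the sample records are constructed; exempting the krbtgt service key and principals already disabled with `disallow-all-tix` from the pre-auth check is a policy choice of this example.

```python
"""Audit a Heimdal "kadmin -l list -l *" dump for risky principal settings.
Added example (not Heimdal code): the listing shape follows the mail above;
the realm EXAMPLE.TEST and the sample records are constructed."""
import re
from dataclasses import dataclass, field

# A listing line is "<padding>Name: value".  Wrapped continuation lines of
# Attributes/Keytypes start at column 0 and hold digits, parentheses or commas
# before any colon, so they do not match this pattern.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):(?:\s+(.*))?$")

# Key types to retire from the KDB: RC4 and single/triple DES.
WEAK_ENCTYPES = ("arcfour-hmac-md5", "des3-cbc-sha1", "des-cbc-")

# Constructed sample in the shape of the mail's "list -l *" output.
SAMPLE_LISTING = """\
            Principal: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
    Principal expires: never
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
        Last modified: 2014-10-28 11:44:00 UTC
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
              Aliases:

            Principal: kadmin/admin@EXAMPLE.TEST
      Max ticket life: 1 hour
           Attributes: requires-pre-auth
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)

            Principal: default@EXAMPLE.TEST
      Max ticket life: 1 day
           Attributes: disallow-all-tix
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
"""


@dataclass
class Principal:
    name: str
    fields: dict = field(default_factory=dict)

    def attributes(self):
        """Set of HDB flags, e.g. {"requires-pre-auth", "disallow-tgt-based"}."""
        return {a.strip() for a in self.fields.get("Attributes", "").split(",") if a.strip()}

    def keytypes(self):
        """Enctype names with the "(pw-salt)" salt annotation stripped."""
        return [k.strip().split("(")[0] for k in self.fields.get("Keytypes", "").split(",") if k.strip()]


def parse_listing(text):
    """Split the dump into Principal records, gluing wrapped values back together."""
    principals, current, last_field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            last_field = None          # a blank line separates records
            continue
        m = FIELD_RE.match(raw)
        if m:
            name, value = m.group(1), (m.group(2) or "").strip()
            if name == "Principal":
                current = Principal(value)
                principals.append(current)
            elif current is not None:
                current.fields[name] = value
            last_field = name
        elif current is not None and last_field and last_field != "Principal":
            # continuation of the previous field (Heimdal wraps at column 0)
            current.fields[last_field] = (current.fields.get(last_field, "") + " " + line).strip()
    return principals


def audit(principals):
    """Return (principal, problem) pairs a KDC operator would want to review."""
    findings = []
    for p in principals:
        weak = [k for k in p.keytypes() if k.startswith(WEAK_ENCTYPES)]
        if weak:
            findings.append((p.name, "weak enctype keys: " + ", ".join(weak)))
        if p.fields.get("Max ticket life") == "unlimited":
            findings.append((p.name, "unlimited ticket life"))
        attrs = p.attributes()
        # Policy choice of this example: every client principal that can get
        # tickets must carry requires-pre-auth; the krbtgt service key and
        # principals already disabled with disallow-all-tix are skipped.
        if ("requires-pre-auth" not in attrs and "disallow-all-tix" not in attrs
                and not p.name.startswith("krbtgt/")):
            findings.append((p.name, "pre-authentication not required"))
    return findings


if __name__ == "__main__":
    import sys
    # Run stand-alone on the sample, or pipe real output in: kadmin -l list -l '*' | python3 audit_kdb.py
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for name, problem in audit(parse_listing(text)):
        print(f"{name}: {problem}")
```

On the constructed sample this reports two findings for the krbtgt entry (RC4 and 3DES keys, unlimited ticket life) and one for `default` (weak keys); `kadmin/admin`, which has only an AES key and `requires-pre-auth`, is clean. Because the parser keys on the `Name:` shape rather than on fixed column positions, it tolerates the column-0 wrapping seen in the mail's dump.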