Heimdal kerberos issue after openldap upgrade

Heimdal kerberos issue after openldap upgrade

Robert Larson
Hello!

I'm running a gentoo authentication server utilizing heimdal-kerberos,
cyrus-sasl, and openldap.  This setup has been running for roughly six months
without problems, until an openldap upgrade rendered my kerberos
implementation useless.

I recently made the following upgrade:
openldap-2.1.30-r5
-to-
openldap-2.2.28

I began by uninstalling the first instance, then installing the second
instance.  I had a slapcat copy of the DB, so I moved the original databases
to a backup, performed a slapadd, and reset all of the file permissions.  
Upon the slapadd, I received an error stating that the configuration was
broken.

Upon looking into it, it was erroring out due to the "password-hash
{CLEARTEXT}" option.  I commented this out, and it appears to be working now.

I can execute searches and adds, but for some reason this upgrade has caused
kerberos to begin having problems.  When I try kinit, I receive this in
syslog:
[kdc] UNKNOWN -- user@MYREALM: Wrong database version

I try the following:
# kadmin -l
kadmin> list *
kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
kadmin: kadm5_get_principals: Wrong database version
kadmin>

It seems to me like this might be a problem with heimdal-kerberos, but I am
not sure.

Any help or suggestions would be appreciated,

Robert

Re: Heimdal kerberos issue after openldap upgrade

Love Hörnquist Åstrand

Robert Larson writes:

> I try the following:
> # kadmin -l
> kadmin> list *
> kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
> kadmin: kadm5_get_principals: Wrong database version

It's the LDAP SASL bind to the LDAP server that fails. Heimdal can't talk
to the LDAP server. Are your ACLs for the LDAP server correct? Does your
LDAP server listen on the Unix socket?

The error "Wrong database version" is just a semi-random error because we
didn't figure out something better to return.

Love



Re: Heimdal kerberos issue after openldap upgrade

Andrew Bartlett
On Fri, 2005-10-07 at 12:03 -0500, Robert Larson wrote:
> Hello!
>
> I'm running a gentoo authentication server utilizing heimdal-kerberos,
> cyrus-sasl, and openldap.  This setup has been running for roughly six months
> without problems, until an openldap upgrade rendered my kerberos
> implementation useless.

> I can execute searches and adds, but for some reason this upgrade has caused
> kerberos to begin having problems.  When I try kinit, I receive this in
> syslog:
> [kdc] UNKNOWN -- user@MYREALM: Wrong database version
>
> I try the following:
> # kadmin -l
> kadmin> list *
> kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
> kadmin: kadm5_get_principals: Wrong database version
> kadmin>
This looks like the ldapi socket isn't in place.  Is 'ldapi://' on the
command line of slapd?

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

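Love's and Andrew's replies point at the same thing: Heimdal's LDAP backend opens the principal database with a SASL bind over the ldapi:// Unix socket, so slapd has to be started with ldapi:// in its -h list and its ACLs have to admit that bind; the "Wrong database version" text is just what bubbles up when that bind fails. The script below is an added example for this thread, not Heimdal's or OpenLDAP's code. It probes a socket path the way you would want to before blaming the KDC: it checks that the path exists and is a socket, connects, sends an anonymous LDAPv3 BindRequest (RFC 4511, BER-encoded by hand so only the standard library is needed) and decodes the BindResponse, reporting which stage failed. It deliberately uses an anonymous simple bind rather than the SASL EXTERNAL bind Heimdal itself does, so a successful probe proves slapd is answering on the socket, not that the authz mapping and ACLs are right; for that, run `ldapwhoami -H ldapi:/// -Y EXTERNAL` as the KDC user. The stand-in server, the socket paths and the two result codes it answers with are constructed for the example so it runs offline.

```python
"""Probe the ldapi:// socket that Heimdal's LDAP backend binds over.

Added example for this thread, not Heimdal or OpenLDAP code. Speaks just
enough LDAP (RFC 4511 BindRequest / BindResponse, hand-encoded BER) to tell
"no socket" from "socket not answering" from "bind rejected". The server it
talks to is a constructed stand-in for slapd.
"""
import os
import socket
import stat
import tempfile
import threading


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id=1, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name,
    simple [0] } }.  Empty DN and password make it an anonymous bind."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))


def parse_bind_response(data):
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode,
    matchedDN, diagnosticMessage } } -> dict."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op, 0)
    _, _matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}


def probe_ldapi(path, timeout=2.0):
    """What a client opening the LDAP backend sees; 'stage' says how far it got."""
    if not os.path.exists(path):
        return {"ok": False, "stage": "socket",
                "detail": "no such file: was slapd started with ldapi:// in -h?"}
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        return {"ok": False, "stage": "socket", "detail": "exists but is not a socket"}
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)  # ECONNREFUSED here means a stale socket, slapd not listening
    except OSError as e:
        s.close()
        return {"ok": False, "stage": "connect", "detail": str(e)}
    try:
        s.sendall(bind_request())
        resp = parse_bind_response(s.recv(4096))
    except (OSError, ValueError, IndexError) as e:
        return {"ok": False, "stage": "bind", "detail": str(e)}
    finally:
        s.close()
    return {"ok": resp["result_code"] == 0, "stage": "bind", "detail": resp}


def fake_slapd(path, result_code=0, diagnostic=b""):
    """Constructed stand-in for slapd: answers one BindRequest with result_code."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            _, msg, _ = read_tlv(conn.recv(4096), 0)
            _, msg_id, _ = read_tlv(msg, 0)  # echo the client's messageID
            op = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic)
            conn.sendall(tlv(0x30, tlv(0x02, msg_id) + tlv(0x61, op)))
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t


def demo():
    """Three offline cases: no socket, slapd accepting, slapd rejecting the bind."""
    tmp = tempfile.mkdtemp()  # constructed paths; on a real box use slapd's ldapi path
    missing = os.path.join(tmp, "missing.sock")
    good = os.path.join(tmp, "ok.sock")
    deny = os.path.join(tmp, "deny.sock")
    threads = [fake_slapd(good), fake_slapd(deny, 49, b"invalid credentials")]
    results = [probe_ldapi(missing), probe_ldapi(good), probe_ldapi(deny)]
    for t in threads:
        t.join(2)
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Against a real server, point probe_ldapi at the path slapd actually listens on (the path encoded in its ldapi:// URL, or the compiled-in default when the URL has none; check the running command line rather than assuming). A "socket" or "connect" failure is exactly the condition Andrew describes, slapd not started with ldapi:// or started with a different path; a "bind" failure with a non-zero resultCode moves the question to Love's other point, the ACLs and authz mapping on the slapd side.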

Re: Heimdal kerberos issue after openldap upgrade

Andrew Bartlett
On Fri, 2005-10-07 at 19:42 +0200, Love Hörnquist Åstrand wrote:

> Robert Larson writes:
>
> > I try the following:
> > # kadmin -l
> > kadmin> list *
> > kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
> > kadmin: kadm5_get_principals: Wrong database version
>
> It's the LDAP SASL bind to the LDAP server that fails. Heimdal can't talk
> to the LDAP server. Are your ACLs for the LDAP server correct? Does your
> LDAP server listen on the Unix socket?
>
> The error "Wrong database version" is just a semi-random error because we
> didn't figure out something better to return.
Earlier this year I tried and failed to get this error to propagate down
the caller stack into a 'no reply' error.  It would be really good if,
when my LDAP server shits itself, Heimdal just 'played dead' rather than
telling my users they don't exist.  If they are lucky, they might then
talk to a Heimdal/LDAP server which is actually up.

Andrew Bartlett
