Hello,
I installed an OpenLDAP server on a 64-bit Wheezy VirtualBox VM and configured the Kerberos layer with the LDAP server as the backend.
Database generation is OK:
kdb5_ldap_util -D cn=admin,dc=filaos,dc=org create -subtrees dc=filaos,dc=org -r FILAOS.ORG -s -H ldap://atlas.filaos.org
Creating the stash file is OK:
kdb5_ldap_util -D cn=admin,dc=filaos,dc=org stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=filaos,dc=org
When I start the Kerberos server I get this error message:
service krb5-admin-server start
[…] Starting Kerberos administrative servers: kadmindkadmind: Can not fetch master key (error: Cannot find/read stored master key). while initializing, aborting
My config files are below:
krb5.conf:
[libdefaults]
        default_realm = FILAOS.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = false

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[logging]
        default = FILE:/var/log/krb5.log
        admin_server = FILE:/var/log/kadmind.log
        kdc = FILE:/var/log/krb5kdc.log

[realms]
        FILAOS.ORG = {
                kdc = atlas.filaos.org
                admin_server = atlas.filaos.org
                default_domain = filaos.org
                database_module = openldap_ldapconf
        }

[domain_realm]
        .filaos.org = FILAOS.ORG
        filaos.org = FILAOS.ORG

[dbdefaults]
        ldap_kerberos_container_dn = dc=filaos,dc=org

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=filaos,dc=org"
                        # this object needs to have read rights on
                        # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=filaos,dc=org"
                        # this object needs to have read and write rights on
                        # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldap://10.0.2.15/
                ldap_conns_per_server = 5
        }

[login]
        krb4_convert = true
        krb4_get_tickets = false
kdc.conf:
[kdcdefaults]
        kdc_ports = 750,88

[realms]
        FILAOS.ORG = {
                database_name = /var/lib/ldap/principal
                admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
                acl_file = /etc/krb5kdc/kadm5.acl
                key_stash_file = /etc/krb5kdc/service.keyfile
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des3-hmac-sha1
                supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
                default_principal_flags = +preauth
        }
The LDAP part is OK.
Thanks for your help.
Willy
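An added check in POSIX shell (example code, not the poster's own): `profile_get` and `check_stash_paths` are assumed helper names that read `key_stash_file` from kdc.conf and `ldap_service_password_file` from krb5.conf and report whether both name the same file, which is what the two posted files do (`/etc/krb5kdc/service.keyfile` in each). The sample configs are constructed copies of just those blocks.

```shell
#!/bin/sh
# profile_get SECTION BLOCK KEY FILE  (BLOCK="" for a section-level key)
# Reads one "key = value" out of an MIT krb5 profile-format file.
profile_get() {
  awk -v sec="$1" -v blk="$2" -v key="$3" '
    BEGIN { want = (blk == "") ? 0 : 1 }            # nesting depth of KEY
    /^[ \t]*\[/ { insec = ($0 ~ ("^[ \t]*\\[" sec "\\][ \t]*$"))
                  inblk = (blk == ""); depth = 0; next }
    !insec || /^[ \t]*#/ { next }                   # other section / comment
    !inblk { if ($0 ~ ("^[ \t]*" blk "[ \t]*=[ \t]*[{]")) { inblk = 1; depth = 1 }
             next }
    depth == want && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); sub(/[ \t]+$/, "")
      gsub(/^"|"$/, ""); print; exit }              # strip optional quotes
    /[{][ \t]*$/ { depth++ }
    /^[ \t]*[}]/ { depth--; if (depth == 0 && blk != "") inblk = 0 }
  ' "$4"
}

# check_stash_paths KDC_CONF KRB5_CONF REALM DBMODULE -> 0 distinct, 1 collide.
# stashsrvpw writes "dn#hexpassword" text lines, while the master-key stash
# is a different format, so one path cannot safely hold both.
check_stash_paths() {
  stash=$(profile_get realms "$3" key_stash_file "$1")
  svcpw=$(profile_get dbmodules "$4" ldap_service_password_file "$2")
  printf 'key_stash_file             = %s\n' "${stash:-(compiled-in default)}"
  printf 'ldap_service_password_file = %s\n' "$svcpw"
  [ -n "$stash" ] && [ "$stash" = "$svcpw" ] && return 1
  return 0
}

# Constructed minimal copies of the relevant blocks of the two posted files.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/kdc.conf" <<'EOF'
[realms]
    FILAOS.ORG = {
        key_stash_file = /etc/krb5kdc/service.keyfile
    }
EOF
cat > "$tmp/krb5.conf" <<'EOF'
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=admin,dc=filaos,dc=org"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }
EOF
if check_stash_paths "$tmp/kdc.conf" "$tmp/krb5.conf" FILAOS.ORG openldap_ldapconf
then echo "OK: separate files"; else echo "COLLISION: one file serves both roles"; fi
```

Pointing `key_stash_file` at any path other than the service-password file (the `/etc/krb5kdc/stash` used in the test is only an example) makes the check pass.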