[Freeipa-devel] patch to add krb instance init

Simo Sorce ssorce at redhat.com
Tue Jul 3 14:10:34 UTC 2007


On Tue, 2007-07-03 at 08:45 -0400, Karl MacMillan wrote:
> On Fri, 2007-06-29 at 12:20 -0400, Simo Sorce wrote:
> > The patch also contains a few clean-ups.
> > 
> > If there are no objections I'll do an hg push to commit this stuff to
> > the main repo, sometime around 2pm-4pm
> > 
> > Default DIT is not yet finalized, I'd like comments on that.
> > 
> 
> Why is there a separate password for kerberos and is it required?

The first password is the ldap Directory Manager password
The second password is the KDC Master Password used to generate the KDC
Master Key used to encrypt all the keys in the database.

You don't want them to be the same (and they would desynchronize easily
anyway so it does not really make sense).
Actually you should take the KDC Master Key and store it in a locked
vault as soon as you are done and forget about it. We could generate it
randomly for the user eventually, but this was easier right now.

> > Right now the kadmin is not activated automatically, that means no way
> > to add krb principals using kadmin.local or kadmind yet.
> > I am not sure I want to enable kadmind at all, as it is not able to fill
> > up an existing user but just create an independent entry in cn=kerberos.
> > We need to be able to create service tickets though, so next step will be
> > to make it possible to use kadmin.local
> > 
> > To create a user right now you need to add stuff manually using ldif
> > files and ldapmodify.
> > 
> 
> This doesn't work for me on either FC7 or rawhide. Seems to hang at:
> 
> #populate the directory with the realm structure
> args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-r", self.realm_name, "-subtrees", self.suffix, "-sscope", "sub"]
> run(args)
> 
> Running manually I get: 
> 
> kdb5_ldap_util: Can't contact LDAP server while initializing database

Then you got a problem I guess.
Is your fedora-ds instance listening on 127.0.0.1 ?
If not why not? SELinux? Iptables?
Have you used a real hostname? Or have you made up something random that
can't resolve?

Simo.

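The reply above narrows the "Can't contact LDAP server" failure down to two pre-conditions: the directory server must be accepting connections on 127.0.0.1, and the host name used for the realm must actually resolve. The script below is an added example, not FreeIPA code and not part of this thread: it checks both conditions before building the same kdb5_ldap_util argument list the quoted installer snippet uses, so a failure is reported with its likely cause instead of a bare LDAP error. The LDAP port (389), the suffix, realm name and host name in the usage block are assumptions for the example; demo_with_local_listener() stands up a throwaway listener on 127.0.0.1 so the reachability check can be exercised without a running directory server.

```python
"""Pre-flight checks for the kdb5_ldap_util step (added example, not FreeIPA code)."""
import socket
import subprocess
from typing import List


def resolves(hostname: str) -> bool:
    """True if the name resolves through the system resolver (getaddrinfo)."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def tcp_listening(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused (nothing bound), timeout (packets dropped by a
        # firewall), or host unreachable all land here.
        return False


def preflight(realm_host: str, ldap_host: str = "127.0.0.1",
              ldap_port: int = 389) -> List[str]:
    """Return the list of problems found; an empty list means go ahead."""
    problems = []
    if not resolves(realm_host):
        problems.append(f"hostname {realm_host!r} does not resolve")
    if not tcp_listening(ldap_host, ldap_port):
        problems.append(
            f"nothing accepting TCP connections on {ldap_host}:{ldap_port} "
            "(directory server not running, bound to another address, or "
            "blocked by SELinux/iptables)")
    return problems


def kdb5_ldap_util_args(suffix: str, kdc_password: str, realm_name: str) -> List[str]:
    """Same argument list as the quoted installer snippet.

    Caveat: "-w" puts the bind password on the command line, where any local
    user can read it from the process list while the tool runs.
    """
    return ["/usr/kerberos/sbin/kdb5_ldap_util",
            "-D", "uid=kdc,cn=kerberos," + suffix,
            "-w", kdc_password,
            "create", "-s", "-r", realm_name,
            "-subtrees", suffix, "-sscope", "sub"]


def demo_with_local_listener():
    """Exercise tcp_listening() against a throwaway listener on 127.0.0.1.

    Returns (reachable while listening, reachable after the listener closed);
    the expected result is (True, False).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    up = tcp_listening("127.0.0.1", port)
    srv.close()
    down = tcp_listening("127.0.0.1", port)
    return up, down


if __name__ == "__main__":
    # Assumed values for the example; the host name is made up on purpose.
    suffix, realm, realm_host = "dc=example,dc=test", "EXAMPLE.TEST", "ipa.example.test"
    issues = preflight(realm_host)
    if issues:
        print("not running kdb5_ldap_util:")
        for p in issues:
            print("  -", p)
    else:
        subprocess.run(kdb5_ldap_util_args(suffix, "kdc-bind-password", realm),
                       check=True)
```

Run it on the box where the install hangs: if preflight() reports the 127.0.0.1 check, look at the directory server's listen address, SELinux denials and iptables before retrying; if it reports the host name, fix resolution (DNS or /etc/hosts) rather than picking a random name.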