URL: https://linuxfr.org/forums/linux-general/posts/configuration-kerberos-backend-ldap Title: Configuration Kerberos backend ldap Authors: Philippe M Date: 2022年09月27日T11:10:26+02:00 License: CC By-SA Tags: Score: 2 Bonjour à tous, En pleine migration d'une vieille installation samba3/ldap vers samba4AD/ldap/kerberos je galère pour faire communiquer kerberos et ldap. Pour le moment je fais comme si j'étais sur une nouvelle installation et j'utilise la doc de Debian https://wiki.debian.org/LDAP/OpenLDAPSetup#Kerberos J'ai vérifié plusieurs fois, refait plusieurs fois et à chaque fois au moment de faire un test avec kadmin.local ça déconne : # kadmin.local Authenticating as principal root/admin@MON.DOM with password. kadmin.local: addprinc bob No policy specified for bob@MON.DOM; defaulting to no policy Enter password for principal "bob@MON.DOM": Re-enter password for principal "bob@MON.DOM": add_principal: Principal add failed: Insufficient access while creating "bobo@MON.DOM". Dans les log de ldap j'ai Sep 27 11:03:07 svdeb01 slapd[439]: => dn: [2] cn=krbcontainer,ou=kerberos,ou=services,dc=mon,dc=dom Sep 27 11:03:07 svdeb01 slapd[439]: => dn: [5] ou=people,dc=mon,dc=dom Sep 27 11:03:07 svdeb01 slapd[439]: => acl_get: [6] attr children Sep 27 11:03:07 svdeb01 slapd[439]: => acl_mask: access to entry "cn=MON.DOM,cn=kerberos,ou=Services,dc=mon,dc=dom", attr "children" requested Sep 27 11:03:07 svdeb01 slapd[439]: => acl_mask: to all values by "uid=kadmin,ou=kerberos,ou=services,dc=mon,dc=dom", (=0) Sep 27 11:03:07 svdeb01 slapd[439]: <= check a_dn_pat: * Sep 27 11:03:07 svdeb01 slapd[439]: <= acl_mask: [1] applying read(=rscxd) (stop) Sep 27 11:03:07 svdeb01 slapd[439]: <= acl_mask: [1] mask: read(=rscxd) Sep 27 11:03:07 svdeb01 slapd[439]: => slap_access_allowed: add access denied by read(=rscxd) Sep 27 11:03:07 svdeb01 slapd[439]: => access_allowed: no more rules Sep 27 11:03:07 svdeb01 slapd[439]: conn=1057 op=6 RESULT tag=105 err=50 text=no write access to parent Mes ACL sont : # ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -o ldif-wrap=no -b cn=config -s one olcAccess ldif-wrap=no dn: cn=module{0},cn=config dn: cn=schema,cn=config dn: olcDatabase={-1}frontend,cn=config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcAccess: {1}to dn.exact="" by * read olcAccess: {2}to dn.base="cn=Subschema" by * read dn: olcDatabase={0}config,cn=config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break dn: olcDatabase={1}mdb,cn=config olcAccess: {0}to attrs=krbPrincipalKey by anonymous auth by dn.exact="uid=kdc,ou=kerberos,ou=Services,dc=mon,dc=dom" read by dn.exact="uid=kadmin,ou=kerberos,ou=Services,dc=mon,dc=dom" write by self write by * none olcAccess: {1}to dn.subtree="cn=krbContainer,ou=kerberos,ou=Services,dc=mon,dc=dom" by dn.exact="uid=kdc,ou=kerberos,ou=Services,dc=mon,dc=dom" read by dn.exact="uid=kadmin,ou=kerberos,ou=Services,dc=mon,dc=dom" write by * none olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none olcAccess: {3}to attrs=shadowLastChange by self write by * read olcAccess: {4}to dn.subtree="ou=People,dc=mon,dc=dom" by dn.exact="uid=kdc,dc=mon,dc=dom" read by dn.exact="uid=kadmin,dc=mon,dc=dom" write by * break olcAccess: {5}to * by * read A force de regarder les ACL je me perds. Est-ce que vous auriez une piste ? Merci d'avance. Philippe.

AltStyle によって変換されたページ (->オリジナル) /