logo_kerberos.gif

Difference between revisions of "User talk:Haoqili"

From K5Wiki
Jump to: navigation, search
(Getting LDAP Running)
(Getting LDAP Running)
Line 255: Line 255:
 
:ERROR: DBD/HDB:BerkeleyDB not available
 
:ERROR: DBD/HDB:BerkeleyDB not available
 
:Fixed: ''CPPFLAGS="-I/usr/local/BerkeleyDB4.7/include"'' then ''export CPPFLAGS''
 
:Fixed: ''CPPFLAGS="-I/usr/local/BerkeleyDB4.7/include"'' then ''export CPPFLAGS''
** ''./configure''
+
:* ''./configure''
** ''make depend''
+
:* ''make depend''
** ''make'' (fails)
+
:* ''make'' (fails)
 
:ERROR: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known
 
:ERROR: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known
 
:FIXED: ''CPPFLAGS=-D_GNU_SOURCE'' then ''export CPPFLAGS''
 
:FIXED: ''CPPFLAGS=-D_GNU_SOURCE'' then ''export CPPFLAGS''
** ''make''
+
:* ''make''
** ''make test'' (takes a while)
+
:* ''make test'' (takes a while)
** ''sudo make install'' (installed in /usr/local/etc/openldap)
+
:* ''sudo make install'' (installed in /usr/local/etc/openldap)
 
* Change configuration file at /usr/local/etc/openldap/slapd.conf
 
* Change configuration file at /usr/local/etc/openldap/slapd.conf
** <my-domain> <-- example
+
:* <my-domain> <-- example
** <com> <-- com
+
:* <com> <-- com
** password is still "secret"
+
:* password is still "secret"
** cn is still "Manager"
+
:* cn is still "Manager"
 
* Start SLAPD: ''sudo /usr/local/libexec/slapd''
 
* Start SLAPD: ''sudo /usr/local/libexec/slapd''
 
** Check if it works by a search: ldapsearch blah
 
** Check if it works by a search: ldapsearch blah
Line 309: Line 309:
 
It can be fixed if slapd is started more specifically:
 
It can be fixed if slapd is started more specifically:
 
''sudo /usr/local/libexec/slapd -h ldapi:///''
 
''sudo /usr/local/libexec/slapd -h ldapi:///''
  +
  +
<br><br><br>
  +
~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~
  +
<i> Everything is a mess! But here are some of things I can do despite of the mess </i>
  +
~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~
  +
  +
* Zhanna got slapd and ldapsearch working on my computer. I have not been able to replicate it. But here are the steps she used.
  +
*# Kill an existing slapd: <code> ps -ef | grep slapd </code> and then <code> sudo kill -9 [the left side number]</code>
  +
*# Set up new slapd: <code> sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:667 </code> (667, a bigger number works, 389 a smaller number wouldn't work.
  +
*# Test if slapd is running by doing a search: <code> ldapsearch -H ldapi:/// -x -D cn=Manager,dc=example,dc=com -w secret</code>
  +
  +
* Then I created 2 new LDAP entries:
  +
** Create this file named <code>example.ldif</code>
  +
<pre>
  +
dn: dc=example,dc=com
  +
objectclass: dcObject
  +
objectclass: organization
  +
o: HaoQiCompany
  +
dc: example
  +
  +
dn: cn=Manager,dc=example,dc=com
  +
objectclass: organizationalRole
  +
cn: Manager
  +
</pre>
  +
**:Note that the objectclass names cannot be changed, they have been predetermined
  +
** Add them: <code> ldapadd -H ldapi:/// -x -D "cn=Manager,dc=example,dc=com" -w secret -f example.ldif
  +
** Search them: <code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'
  +
**: result:
  +
<pre>
  +
# extended LDIF
  +
#
  +
# LDAPv3
  +
# base <dc=example,dc=com> with scope subtree
  +
# filter: (objectclass=*)
  +
# requesting: ALL
  +
#
  +
  +
# example.com
  +
dn: dc=example,dc=com
  +
objectClass: dcObject
  +
objectClass: organization
  +
o: HaoQiCompany
  +
dc: example
  +
  +
# Manager, example.com
  +
dn: cn=Manager,dc=example,dc=com
  +
objectClass: organizationalRole
  +
cn: Manager
  +
  +
# search result
  +
search: 2
  +
result: 0 Success
  +
  +
# numResponses: 3
  +
# numEntries: 2
  +
</pre>

Revision as of 12:34, 4 August 2009

Thanks to Tom, Zhanna, and Will for helping me find the solutions.

Things to do

  • read about FAST
  • make mkm test cleaner?

Kerberos Little Bugs I've encountered and fixed (started loggin since Jun 24th).

  • When trying to kinit username
ERROR: kinit: Cannot contact any KDC for realm [your realm fqdn] while getting initial credentials
SOLUTION: make sure KDC is running. /usr/local/sbin/krb5kdc
SOLUTION: 1. check log file. I looked in /var/log/auth.log. The bottom of it says: Cannot create reply cache file /var/tmp/krb5kdc_rcache: File exits. 2. sudo rm /var/tmp/krb5kdc_rcache.
  • Can't start krb5kdc and in auth.log it says:
ERROR: Address already in use - Cannot bind server socket to port [#] address [IP address]
ERROR: <open file '<fdopen>', mode 'rb' at 0x9a38660>
SOLUTION: 1. see if it is true that port [#] is in use by netstat -nap | grep [#] (I also did pgrep -x krb5kdc). 2. kill the process: pkill -x krb5kdc. note the "-x" is for matching exactly the process "krb5kdc".
  • When changing password 'kpasswd', Cannot contact any KDC for realm [your realm fqdn]
  • and/or Can't start kadmind (know because echo $? = 1). The last chunk of auth.log says:
ERROR:
kadmind[6924]: No dictionary file specified, continuing without one.
kadmind[6924]: setting up network...
kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 0.0.0.0
kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address ::
kadmind[6924]: skipping unrecognized local address family 17
kadmind[6924]: skipping unrecognized local address family 17
kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 192.168.165.145
kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
kadmind[6924]: Permission denied - Cannot bind TCP server socket on ::.464
kadmind[6924]: Permission denied - Cannot bind RPC server socket on 0.0.0.0.749
kadmind[6924]: set up 0 sockets
kadmind[6924]: no sockets set up?
Reason (provided by tlyu): It is trying to bind to a privileged port. you need to give it a different port number. actually, two different port numbers: one for password changing and one for normal kadmin.
SOLUTION:
In kdc.conf inserted the last two lines here
kdc_ports = 8888
kpasswd_port = 8887
kadmind_port = 8886
In krb5.conf modify/insert the lines:
admin_server = yourComputerName.domain:8886
kpasswd_server = yourComputerName.domain:8887
  • Purge key (kdb5_util purge_mkeys) gives an error
ERROR:
kdb5_util: Invalid argument while updating actkvno data for master principal entry
SOLUTION:
#you must activate the keys that have not been "used" like this:
kdb5_util use_mkey kvno [time]
#i.e. kdb5_util use_mkey 2 'now+2days'
  • when running a kadmin command. Runs into operation requires xx privilege error
ERROR:
$ kadmin -p haoqili/admin -w test123 -q 'listprincs'
Authenticating as principal haoqili/admin with password.
get_principals: Operation requires ``list'' privilege while retrieving list.
SOLUTION:
I didn't create my acl file yet. In kdc.conf, I have specified acl_file = /home/haoqili/kdcfiles/kadm5.acl and now I need to create the kadm5.acl
#kadm5.acl, setting up my "admin" principal with all rights, i.e. *
haoqili/admin *
Also, before I created the kadm5.acl, I used echo $? to check the command. However, it gave me a 0 even though there were stderr. Tom says: "kadmin is meant to be an interactive program, so exit status might not be as meaningful."
P.S. I later changed the line in my acl file to be */admin * to allow others

Python Bugs I've encountered and fixed

  • When talking to the terminal shell, a command (in my case, kdbt_util add_mkey) asks for password twice (second time is confirmation). I first tried:
p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
(out, err) = p.communicate('password')
(out2, err2) = p.communicate('password')
When I ran it, I got a chunk of error that ends with: ValueError: I/O operation on closed file. So what happens is that communicate closes the pipe, it breaks (even if it only runs once).
Solution code:
p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
p.stdin.write('password'+'\n')
p.stdin.write('password'+'\n')
Note don't forget the new line at the end.

Tips. Useful little things to know

Kerberos

  • Good link
  • kadmin.local -q 'modprinc +needchange [princname]' , the flag needchange forces the principal to change its password upon kinit.
  • kadmin.local -q 'modprinc -policy [policyname] [princname]' Sets up a policy for the principal. This "policy" can store previous passwords and ensures that new passwords are not used before.
  • There is a bug in the code 6507 kdb5_util update_princ_encryption uses latest mkey instead of mkey
  • AES has replaced Triple DES but there are still places taht have Triple DES set as the default (such as in klist -ekt [path of stash, such as /home/haoqili/kdcfiles/keyStashFile])
  • Test date. Navigate to src/kadmin/cli
    • delete 2nd argument in main of getdate.y
    • rm getdate.c
    • make getdate.c
    • gcc -o datetest -DTEST getdate.c -I../../include
    • ./datetest
  • kadmind -nofork is useful in python because it tells it to wait first so that later processes can happen later and don't have to get timed out.
l0b = self.parentpath+'kadmind -nofork'
pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
print "kadmind -nofork"
while (True):
l = pl0b.stderr.readline()
if l.find("starting") > -1: #for kadmind: starting ...
print l.strip()
break

Shell

The following characters have special meanings in grep or egrep:
In egrep:
| ^ $ . * + ? ( ) [ { } \
In grep:
^ $ . * \( \) [ \{ \} \
  • 0 = STDIN, 1 = STDOUT, 2 = STDERR. Like blah 2> /dev/null puts blah's STDERR into /dev/null
  • > overwrites, >> appends
not see what's writing: ksh filename > writefilename 2>&1, the 2>&1 writes the errors as well
see what's writing: ksh filename 2>&1 | tee writefilename
  • ksh: typeset'ing vars in a function makes those vars local to the function.

Python
Common Stuff

  • Cannot do [print line for line in linelist] must have a function that prints the line, call it, printl(), and do [printl(line) for line in linelist]

More Specific Stuff

  • p = Popen('blah', stdin=PIPE, stdout=PIPE, stderr=PIPE)
(out, err) = p.communicate('inputThing\n') <-- don't forget the return "\n" at the end!
  • When you're doing a bunch of p=Popen('shell command') be careful because Popen starts a new branch so the next Popen might start without the previous one having completed. To fix this problem, put in:
if int(p.wait()) != 0: #meaning that it's not executed
print "error message"
exit
  • Two ways to display outputs after Popen( a command that has to get into something, in my case, getting into kadmin.local) 06262009
Way 1:
p = Popen(['commannd', 'all', 'in', 'one', 'line'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local', '-q', 'listprincs']
if int(p.wait()) != 0:
print p.stdout.readlines()
Way 2:
p = Popen(['command', 'front', 'chunk'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local']
(out, err) = p.communicate('rest of command') #e.g. 'listprincs'
print out
  • Not type in a chunk of common code every time, i.e.
p = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
This can be changed to:
s = {stdin:PIPE, stdout=PIPE, stderr=PIPE}
p = Popen(cmd, **s)
  • For putting in a shell command directly, can turn shell=True. Note the command here can be a single line of string, not split up.
p = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
  • The p.stdout.readlines() can be read only once
  • Print current time in python:
from time import strftime
print "current time: "+strftime("%Y-%m-%d %H:%M:%S")
Output: current time: 2009-07-06 22:00:54
  • Sleep for 7 seconds.
import time
time.sleep(7)
  • Popen( env=blah ) this argument only needs to be specified when the environment is changing

MKM Errors Put Aside

  • Adding the 1058th master key gives a memory error
  • getdate.y has problems:
/trunk/src/kadmin/cli$ ./datetest
Enter date, or blank line to exit.
> 6 months
Sat Jan 9 14:22:36 2010
> 12/31/2009
Wed Dec 30 23:00:00 2009
> 07/10/2009
Thu Jul 9 23:00:00 2009
> 01/01/2009
Wed Dec 31 23:00:00 2008
> 01/01/2009 00:00:00
Wed Dec 31 23:00:00 2008
  • Phantom list_mkey error after adding -e aes128-cts-hmac-sha1-96. The error went away after I ran the ksh equivalent of the python test. I don't know why it went away because everything seemed to be the same.
for lines 283-289:
print "Testing add_mkey with aes128 enctype
=============================================="
kdb5_util add_mkey -e aes128-cts-hmac-sha1-96 <<EOF
abcde
abcde
EOF
kdb5_util list_mkeys
print "Testing add_mkey with aes128 enctype done
=============================================="
The list_mkeys at the bottom is giving the following error:
kdb5_util: Unable to decrypt latest master key with the provided master key
while getting master key list
kdb5_util: Warning: proceeding without master key list
kdb5_util: master keylist not initialized

Getting LDAP Running

Nice looking LDAP tutorial

  • (DON'T FORLLOW THESE STEPS, WILL HAVE CONFLICTS, follow Greg's steps) I followed the directions on this website http://openldap.org/doc/admin24/quickstart.html
  • Install BerkeleyDB
    • Download berkeleydb4.7
    • cd to folder
    • cd build_unix (on my Ubuntu)
    • ../dist/configure
    • make
    • sudo make install
  • Install Open LDAP
    • ./configure (fails)
ERROR: DBD/HDB:BerkeleyDB not available
Fixed: CPPFLAGS="-I/usr/local/BerkeleyDB4.7/include" then export CPPFLAGS
  • ./configure
  • make depend
  • make (fails)
ERROR: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known
FIXED: CPPFLAGS=-D_GNU_SOURCE then export CPPFLAGS
  • make
  • make test (takes a while)
  • sudo make install (installed in /usr/local/etc/openldap)
  • Change configuration file at /usr/local/etc/openldap/slapd.conf
  • <my-domain> <-- example
  • <com> <-- com
  • password is still "secret"
  • cn is still "Manager"
  • Start SLAPD: sudo /usr/local/libexec/slapd
    • Check if it works by a search: ldapsearch blah
  • Add entries. Consult link above.

What I should have done. Faster, simpler. Directions given by Greg Hudson. 1. sudo apt-get install slapd (for server program)
2. sudo apt-get install ldap-utils (for ldapsearch)
3. copy src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema into /etc/ldap/schema
4. In /etc/default/slapd, change SLAPD_SERVICES="ldapi:///", to restrict access to the local machine
5. ldapsearch test:

ldapsearch -H ldapi:/// -x -W -D cn=Manager,dc=example,dc=com -LLL -b dc=example,dc=com
-H ldapi:/// indicate the URI for the LDAP server
-x simple authentication
-W password prompt
-D cn=Manager,dc=example,dc=com specify the "bind DN", like a username
-LLL shortens output
-b specify base of query to restrict the scope of the query

6. sudo apt-get install libldap2-dev

I thought I didn't have to do steps 1 and 2 since I installed the whole thing. However, I got stuck on step 4 because /etc/default/slapd doesn't exist. So I tried to install 1 and 2, but got the following error:

Setting up slapd (2.4.15-1ubuntu3) ...
  Creating new user openldap... done.
  Creating initial slapd configuration... Loading the initial configuration from the ldif file (/tmp/slapd_init.ldif.KSWxQODikd) failed with the following
error while running slapadd:
    str2entry: invalid value for attributeType objectClass #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
    slapadd: could not parse entry (line=16)
dpkg: error processing slapd (--configure):
 subprocess post-installation script returned error exit status 1
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
Errors were encountered while processing:
 slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)

It's okay, the previously missing /etc/default/slapd now exists so that I can do step 4.

Step 5 then failed with error:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

It can be fixed if slapd is started more specifically: sudo /usr/local/libexec/slapd -h ldapi:///




~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~ Everything is a mess! But here are some of things I can do despite of the mess ~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~!~

  • Zhanna got slapd and ldapsearch working on my computer. I have not been able to replicate it. But here are the steps she used.
    1. Kill an existing slapd: ps -ef | grep slapd and then sudo kill -9 [the left side number]
    2. Set up new slapd: sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:667 (667, a bigger number works, 389 a smaller number wouldn't work.
    3. Test if slapd is running by doing a search: ldapsearch -H ldapi:/// -x -D cn=Manager,dc=example,dc=com -w secret
  • Then I created 2 new LDAP entries:
    • Create this file named example.ldif
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: HaoQiCompany
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
    • Note that the objectclass names cannot be changed, they have been predetermined
    • Add them: ldapadd -H ldapi:/// -x -D "cn=Manager,dc=example,dc=com" -w secret -f example.ldif
    • Search them: <code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'
      result:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2