logo_kerberos.gif

User talk:Haoqili

From K5Wiki
Revision as of 12:56, 4 August 2009 by Haoqili (talk | contribs) (Adding LDAP Entries)

Jump to: navigation, search

Thanks to Tom, Zhanna, and Will for helping me find the solutions.

Things to do

  • read about FAST
  • make mkm test cleaner?

Kerberos Little Bugs I've encountered and fixed (started loggin since Jun 24th).

  • When trying to kinit username
ERROR: kinit: Cannot contact any KDC for realm [your realm fqdn] while getting initial credentials
SOLUTION: make sure KDC is running. /usr/local/sbin/krb5kdc
SOLUTION: 1. check log file. I looked in /var/log/auth.log. The bottom of it says: Cannot create reply cache file /var/tmp/krb5kdc_rcache: File exits. 2. sudo rm /var/tmp/krb5kdc_rcache.
  • Can't start krb5kdc and in auth.log it says:
ERROR: Address already in use - Cannot bind server socket to port [#] address [IP address]
ERROR: <open file '<fdopen>', mode 'rb' at 0x9a38660>
SOLUTION: 1. see if it is true that port [#] is in use by netstat -nap | grep [#] (I also did pgrep -x krb5kdc). 2. kill the process: pkill -x krb5kdc. note the "-x" is for matching exactly the process "krb5kdc".
  • When changing password 'kpasswd', Cannot contact any KDC for realm [your realm fqdn]
  • and/or Can't start kadmind (know because echo $? = 1). The last chunk of auth.log says:
ERROR:
kadmind[6924]: No dictionary file specified, continuing without one.
kadmind[6924]: setting up network...
kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 0.0.0.0
kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address ::
kadmind[6924]: skipping unrecognized local address family 17
kadmind[6924]: skipping unrecognized local address family 17
kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 192.168.165.145
kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
kadmind[6924]: Permission denied - Cannot bind TCP server socket on ::.464
kadmind[6924]: Permission denied - Cannot bind RPC server socket on 0.0.0.0.749
kadmind[6924]: set up 0 sockets
kadmind[6924]: no sockets set up?
Reason (provided by tlyu): It is trying to bind to a privileged port. you need to give it a different port number. actually, two different port numbers: one for password changing and one for normal kadmin.
SOLUTION:
In kdc.conf inserted the last two lines here
kdc_ports = 8888
kpasswd_port = 8887
kadmind_port = 8886
In krb5.conf modify/insert the lines:
admin_server = yourComputerName.domain:8886
kpasswd_server = yourComputerName.domain:8887
  • Purge key (kdb5_util purge_mkeys) gives an error
ERROR:
kdb5_util: Invalid argument while updating actkvno data for master principal entry
SOLUTION:
#you must activate the keys that have not been "used" like this:
kdb5_util use_mkey kvno [time]
#i.e. kdb5_util use_mkey 2 'now+2days'
  • when running a kadmin command. Runs into operation requires xx privilege error
ERROR:
$ kadmin -p haoqili/admin -w test123 -q 'listprincs'
Authenticating as principal haoqili/admin with password.
get_principals: Operation requires ``list'' privilege while retrieving list.
SOLUTION:
I didn't create my acl file yet. In kdc.conf, I have specified acl_file = /home/haoqili/kdcfiles/kadm5.acl and now I need to create the kadm5.acl
#kadm5.acl, setting up my "admin" principal with all rights, i.e. *
haoqili/admin *
Also, before I created the kadm5.acl, I used echo $? to check the command. However, it gave me a 0 even though there were stderr. Tom says: "kadmin is meant to be an interactive program, so exit status might not be as meaningful."
P.S. I later changed the line in my acl file to be */admin * to allow others

Python Bugs I've encountered and fixed

  • When talking to the terminal shell, a command (in my case, kdbt_util add_mkey) asks for password twice (second time is confirmation). I first tried:
p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
(out, err) = p.communicate('password')
(out2, err2) = p.communicate('password')
When I ran it, I got a chunk of error that ends with: ValueError: I/O operation on closed file. So what happens is that communicate closes the pipe, it breaks (even if it only runs once).
Solution code:
p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
p.stdin.write('password'+'\n')
p.stdin.write('password'+'\n')
Note don't forget the new line at the end.

Tips. Useful little things to know

Kerberos

  • Good link
  • kadmin.local -q 'modprinc +needchange [princname]' , the flag needchange forces the principal to change its password upon kinit.
  • kadmin.local -q 'modprinc -policy [policyname] [princname]' Sets up a policy for the principal. This "policy" can store previous passwords and ensures that new passwords are not used before.
  • There is a bug in the code 6507 kdb5_util update_princ_encryption uses latest mkey instead of mkey
  • AES has replaced Triple DES but there are still places taht have Triple DES set as the default (such as in klist -ekt [path of stash, such as /home/haoqili/kdcfiles/keyStashFile])
  • Test date. Navigate to src/kadmin/cli
    • delete 2nd argument in main of getdate.y
    • rm getdate.c
    • make getdate.c
    • gcc -o datetest -DTEST getdate.c -I../../include
    • ./datetest
  • kadmind -nofork is useful in python because it tells it to wait first so that later processes can happen later and don't have to get timed out.
l0b = self.parentpath+'kadmind -nofork'
pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
print "kadmind -nofork"
while (True):
l = pl0b.stderr.readline()
if l.find("starting") > -1: #for kadmind: starting ...
print l.strip()
break

Shell

The following characters have special meanings in grep or egrep:
In egrep:
| ^ $ . * + ? ( ) [ { } \
In grep:
^ $ . * \( \) [ \{ \} \
  • 0 = STDIN, 1 = STDOUT, 2 = STDERR. Like blah 2> /dev/null puts blah's STDERR into /dev/null
  • > overwrites, >> appends
not see what's writing: ksh filename > writefilename 2>&1, the 2>&1 writes the errors as well
see what's writing: ksh filename 2>&1 | tee writefilename
  • ksh: typeset'ing vars in a function makes those vars local to the function.

Python
Common Stuff

  • Cannot do [print line for line in linelist] must have a function that prints the line, call it, printl(), and do [printl(line) for line in linelist]

More Specific Stuff

  • p = Popen('blah', stdin=PIPE, stdout=PIPE, stderr=PIPE)
(out, err) = p.communicate('inputThing\n') <-- don't forget the return "\n" at the end!
  • When you're doing a bunch of p=Popen('shell command') be careful because Popen starts a new branch so the next Popen might start without the previous one having completed. To fix this problem, put in:
if int(p.wait()) != 0: #meaning that it's not executed
print "error message"
exit
  • Two ways to display outputs after Popen( a command that has to get into something, in my case, getting into kadmin.local) 06262009
Way 1:
p = Popen(['commannd', 'all', 'in', 'one', 'line'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local', '-q', 'listprincs']
if int(p.wait()) != 0:
print p.stdout.readlines()
Way 2:
p = Popen(['command', 'front', 'chunk'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local']
(out, err) = p.communicate('rest of command') #e.g. 'listprincs'
print out
  • Not type in a chunk of common code every time, i.e.
p = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
This can be changed to:
s = {stdin:PIPE, stdout=PIPE, stderr=PIPE}
p = Popen(cmd, **s)
  • For putting in a shell command directly, can turn shell=True. Note the command here can be a single line of string, not split up.
p = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
  • The p.stdout.readlines() can be read only once
  • Print current time in python:
from time import strftime
print "current time: "+strftime("%Y-%m-%d %H:%M:%S")
Output: current time: 2009-07-06 22:00:54
  • Sleep for 7 seconds.
import time
time.sleep(7)
  • Popen( env=blah ) this argument only needs to be specified when the environment is changing

MKM Errors Put Aside

  • Adding the 1058th master key gives a memory error
  • getdate.y has problems:
/trunk/src/kadmin/cli$ ./datetest
Enter date, or blank line to exit.
> 6 months
Sat Jan 9 14:22:36 2010
> 12/31/2009
Wed Dec 30 23:00:00 2009
> 07/10/2009
Thu Jul 9 23:00:00 2009
> 01/01/2009
Wed Dec 31 23:00:00 2008
> 01/01/2009 00:00:00
Wed Dec 31 23:00:00 2008
  • Phantom list_mkey error after adding -e aes128-cts-hmac-sha1-96. The error went away after I ran the ksh equivalent of the python test. I don't know why it went away because everything seemed to be the same.
for lines 283-289:
print "Testing add_mkey with aes128 enctype
=============================================="
kdb5_util add_mkey -e aes128-cts-hmac-sha1-96 <<EOF
abcde
abcde
EOF
kdb5_util list_mkeys
print "Testing add_mkey with aes128 enctype done
=============================================="
The list_mkeys at the bottom is giving the following error:
kdb5_util: Unable to decrypt latest master key with the provided master key
while getting master key list
kdb5_util: Warning: proceeding without master key list
kdb5_util: master keylist not initialized

Getting LDAP Running

Nice looking LDAP tutorial

  • (DON'T FORLLOW THESE STEPS, WILL HAVE CONFLICTS, follow Greg's steps) I followed the directions on this website http://openldap.org/doc/admin24/quickstart.html
  • Install BerkeleyDB
    • Download berkeleydb4.7
    • cd to folder
    • cd build_unix (on my Ubuntu)
    • ../dist/configure
    • make
    • sudo make install
  • Install Open LDAP
    • ./configure (fails)
ERROR: DBD/HDB:BerkeleyDB not available
Fixed: CPPFLAGS="-I/usr/local/BerkeleyDB4.7/include" then export CPPFLAGS
  • ./configure
  • make depend
  • make (fails)
ERROR: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known
FIXED: CPPFLAGS=-D_GNU_SOURCE then export CPPFLAGS
  • make
  • make test (takes a while)
  • sudo make install (installed in /usr/local/etc/openldap)
  • Change configuration file at /usr/local/etc/openldap/slapd.conf
  • <my-domain> <-- example
  • <com> <-- com
  • password is still "secret"
  • cn is still "Manager"
  • Start SLAPD: sudo /usr/local/libexec/slapd
    • Check if it works by a search: ldapsearch blah
  • Add entries. Consult link above.

What I should have done. Faster, simpler. Directions given by Greg Hudson. 1. sudo apt-get install slapd (for server program)
2. sudo apt-get install ldap-utils (for ldapsearch)
3. copy src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema into /etc/ldap/schema
4. In /etc/default/slapd, change SLAPD_SERVICES="ldapi:///", to restrict access to the local machine
5. ldapsearch test:

ldapsearch -H ldapi:/// -x -W -D cn=Manager,dc=example,dc=com -LLL -b dc=example,dc=com
-H ldapi:/// indicate the URI for the LDAP server
-x simple authentication
-W password prompt
-D cn=Manager,dc=example,dc=com specify the "bind DN", like a username
-LLL shortens output
-b specify base of query to restrict the scope of the query

6. sudo apt-get install libldap2-dev

I thought I didn't have to do steps 1 and 2 since I installed the whole thing. However, I got stuck on step 4 because /etc/default/slapd doesn't exist. So I tried to install 1 and 2, but got the following error:

Setting up slapd (2.4.15-1ubuntu3) ...
  Creating new user openldap... done.
  Creating initial slapd configuration... Loading the initial configuration from the ldif file (/tmp/slapd_init.ldif.KSWxQODikd) failed with the following
error while running slapadd:
    str2entry: invalid value for attributeType objectClass #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
    slapadd: could not parse entry (line=16)
dpkg: error processing slapd (--configure):
 subprocess post-installation script returned error exit status 1
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
Errors were encountered while processing:
 slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)

It's okay, the previously missing /etc/default/slapd now exists so that I can do step 4.

Step 5 then failed with error:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

It can be fixed if slapd is started more specifically: sudo /usr/local/libexec/slapd -h ldapi:///




Everything is a mess! But here are some of things I can do despite of the mess

  • Zhanna got slapd and ldapsearch working on my computer. I have not been able to replicate it. But here are the steps she used.
    1. Kill an existing slapd: ps -ef | grep slapd and then sudo kill -9 [the left side number]
    2. Set up new slapd: sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:667 (667, a bigger number works, 389 a smaller number wouldn't work.
    3. Test if slapd is running by doing a search: ldapsearch -H ldapi:/// -x -D cn=Manager,dc=example,dc=com -w secret

Adding LDAP Entries

  • Then I created 2 new LDAP entries:
    • Create this file named example.ldif
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: HaoQiCompany
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
    • Note that the objectclass names cannot be changed, they have been predetermined
    • Add them: ldapadd -H ldapi:/// -x -D "cn=Manager,dc=example,dc=com" -w secret -f example.ldif
    • Search them: <code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'
      result:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
  • An important thing I learned is that I can't randomly put entries. The object classes are all specified and so are the other entries that comes with each object class. For example, the objectclass "person" must have "objectclass", "sn" for surname, and "cn" for common name. Objectclass "person" may also have these entries: "description", "seeAlso", "telephoneNumber", and "userPassword."
  • With this knowledge, I made example3.ldif
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectclass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234
  • Add this entry: ldapadd -H ldapi:/// -x -w secret -D "cn=Manager,dc=example,dc=com" -f example3.ldif
  • Now, the search result of all object classes look like this:
    ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# Zhanna Tsitkova, example.com
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectClass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4