| Summary: | kcontrol-ldap-controller-trinity is unable to complete config wizard | ||
|---|---|---|---|
| Product: | TDE | Reporter: | Martin Hodges <martinhodges479> |
| Component: | other (any) | Assignee: | Timothy Pearson <kb9vqf> |
| Status: | NEEDINFO --- | ||
| Severity: | major | CC: | bugwatch, kb9vqf, martinhodges479 |
| Priority: | P5 | ||
| Version: | R14.0.x [Trinity] | ||
| Hardware: | amd64 | ||
| OS: | Debian Wheezy | ||
| Compiler Version: | TDE Version String: | ||
| Application Version: | Application Name: | ||
| Attachments: | Screenshot; Console output from running ldap_controller. | ||

Can you please try launching the TDEControl module from the command line with this command: tdecmshell ldapmanager and post the output after you receive the failure message? This will contain much more debugging information than the error message. Thanks! Tim

Created attachment 1513 [details]
Console output from running ldap_controller.
As you can see from the attachment, it now runs. The tdelibs and the kcontrol modules had been updated between the original report and the new test run.

(In reply to comment #3)
> As you can see from the attachment, it now runs. The tdelibs and the kcontrol
> modules had been updated between the original report and the new test run.

Sorry about the incorrect kcontrol module name above, it looks like you found the correct one despite my mistake. :-) So the LDAP controller kcontrol module now works properly? If so, should this bug report be closed? Thanks!

Agreed. Some more documentation on what the wizard does would be nice, and the descriptions in the deb packaging for all three LDAP/Heimdal control modules are also a bit misleading.

Misleading how? I would like to correct this. :-) Thanks!

A first time user needs a bit more help from the description texts. kcontrol-ldap-controller-trinity seems to do a lot more than configure the LDAP realm controller. There is no indication that this needs to be run first. I would suggest changing the description to:

This is a TDE control center module to set up and maintain an LDAP Realm Controller with Kerberos authentication.

Does the Trinity LDAP format correspond to any norm? If so it would be worth mentioning. The kcontrol-ldap-manager-trinity package also has LDAP in the title but only mentions Kerberos in the Description. I would at least mention LDAP in the description. Does it have any limitations such that it can only be used with the TDE LDAP realm? The third kcontrol module seems to conflict with the controller.

Description: This is a TDE control center module to manage TDE connections to Kerberos realms.

I still do not understand what it is for. Having tried the bonding module, I assume it is the module used to 'sign' a machine into a kerberos realm. Unfortunately, it does not work. Not necessarily the fault of the module. I cannot get kadmin to work on the heimdal kdc.
It crashes silently after asking for the administration principal's password. Debian Wheezy.

There are a handful of known issues with OpenLDAP on Wheezy; I have rebuilt the openldap package with crash fixes here: https://quickbuild.pearsoncomputing.net/~trinity/+archive/openldap

Can you try those packages to see if they resolve the issue?

Also, proper tine sync (NTP) and DNS (forward and reverse) on all machines (i.e. both client(s) and server(s)), are critical to Kerberos and OpenLDAP functionality. I assume this infrastructure is already in place and functional? Thanks!

(In reply to comment #9)
> There are a handful of known issues with OpenLDAP on Wheezy; I have rebuilt the
> openldap package with crash fixes here:
> https://quickbuild.pearsoncomputing.net/~trinity/+archive/openldap
>
> Can you try those packages to see if they resolve the issue?
>
> Also, proper tine sync (NTP) and DNS (forward and reverse) on all machines
> (i.e. both client(s) and server(s)), are critical to Kerberos and OpenLDAP
> functionality. I assume this infrastructure is already in place and
> functional?
>
> Thanks!

That should read "time sync" above, not "tine sync".

The updated Openldap packages did not help unfortunately. kadmin, when run from a root prompt on the kdc machine with

>kadmin -p openldap/admin

just silently crashes after I enter the password.

>kadmin -l

runs fine, where openldap/admin is a valid user and is listed in the /etc/heimdal-kdc/kadmind.acl file with a line

openldap/admin@HEMMAT.NO all,get-keys

Try some more poking around at the weekend.

Running kadmin without -l with a valid principal starts kadmin. Executing a command, for example 'list -s *', results in a password request; a correct password entry results in an error message:

kadmin: kadm5_get_principals: write: Broken pipe

Do the trinity LDAP management modules use the same communication path?

martin@nusse:~$ ldapsearch -d 1 -v -H ldaps://nede1
ldap_url_parse_ext(ldaps://nede1)
ldap_initialize( ldaps://nede1:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://nede1:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP nede1:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.12.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
This is output from a client which I can not get the bonding module to work with. The output obtained with the same command run from the server is more regular.
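The trace above fails before any bind happens: the client rejects the server's certificate ("peer cert untrusted or revoked"), so "Can't contact LDAP server" is a trust problem on the client, not a dead server. The following triage helpers are an added example, not code from the bug report or from TDE: they pick the host, port and failure class out of an ldapsearch -d 1 trace, check that a host name resolves forward and back to itself (the forward/reverse DNS requirement Tim mentions), and compare two clocks against the 5 minute tolerance Kerberos implementations use by default. The remediation hints, the sample trace (a constructed copy of the lines posted above) and the resolver injection are this example's own assumptions; the TLS_CACERT setting is the standard OpenLDAP client option for naming the CA to trust.

```python
"""Offline triage helpers for ldaps/Kerberos client failures (added example).

Stdlib only. The sample trace is constructed from the ldapsearch -d 1
output in the report; nothing here talks to a real server unless you
call the functions with the default (real) resolvers.
"""
import re
import socket

# Constructed sample: the client-side ldapsearch -d 1 lines from the report.
SAMPLE_TRACE = """\
ldap_url_parse_ext(ldaps://nede1)
ldap_initialize( ldaps://nede1:636/??base )
ldap_connect_to_host: TCP nede1:636
ldap_connect_to_host: Trying 192.168.12.1:636
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
"""

# Hypothetical symptom -> first-thing-to-check table (this example's own).
HINTS = {
    "untrusted": "client does not trust the server certificate; set TLS_CACERT in "
                 "/etc/ldap/ldap.conf (or LDAPTLS_CACERT) to the CA that signed it",
    "refused": "nothing listens on that port, or a firewall drops the connection",
    "unreachable": "TCP connect failed with no TLS diagnostic; check name, route, port",
}

# Default Kerberos clock-skew tolerance (MIT and Heimdal both use 300 s).
MAX_CLOCK_SKEW = 300


def classify_ldap_debug(trace):
    """Return (host, port, problem, hint) from an ldapsearch -d 1 trace.

    The TLS line is checked before the generic bind error so that a
    certificate failure is not misreported as an unreachable server.
    """
    host, port, problem = None, None, None
    for line in trace.splitlines():
        m = re.match(r"ldap_connect_to_host: TCP (\S+):(\d+)", line)
        if m:
            host, port = m.group(1), int(m.group(2))
        if "peer cert untrusted" in line:
            problem = "untrusted"
        elif "Connection refused" in line:
            problem = "refused"
        elif "Can't contact LDAP server" in line and problem is None:
            problem = "unreachable"
    return host, port, problem, HINTS.get(problem)


def dns_roundtrip(host, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Check that host -> address -> name leads back to the same host.

    Resolvers are injectable so the logic can be tested without DNS; the
    defaults use the system resolver. Short names are compared on their
    first label so 'nede1' matches a reverse name of 'nede1.example.org'.
    """
    try:
        addr = forward(host)
        name, aliases, _addrs = reverse(addr)
    except (socket.gaierror, socket.herror, OSError) as exc:
        return False, "lookup failed for %s: %s" % (host, exc)
    candidates = {name.lower()} | {a.lower() for a in aliases}
    first_labels = {c.split(".")[0] for c in candidates}
    if host.lower() in candidates or host.lower().split(".")[0] in first_labels:
        return True, "%s -> %s -> %s" % (host, addr, name)
    return False, "%s -> %s -> %s (reverse name differs)" % (host, addr, name)


def clock_skew_ok(local_epoch, server_epoch, max_skew=MAX_CLOCK_SKEW):
    """True when two clocks are within the Kerberos skew tolerance."""
    return abs(local_epoch - server_epoch) <= max_skew


if __name__ == "__main__":
    print(classify_ldap_debug(SAMPLE_TRACE))
    print(dns_roundtrip(socket.gethostname()))
```

Run on the posted trace this reports host nede1, port 636 and the "untrusted" class, which is the cue to install the realm's CA certificate on the client (or to stop overriding TLS_REQCERT) before blaming kadmin or the bonding module; the DNS and clock checks cover the two prerequisites named earlier in the thread.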
Created attachment 1510 [details]
Screenshot

The component in kcontrol seems to start correctly. The Administrator mode starts correctly, seemingly via the sudo window (which has KdeSudo as the window title). Choosing 'Primary Realm controller' from the drop down starts the wizard. Having filled in the pages of the wizard using mostly the default settings and clicking 'Finish' produces many good signs, but the process stops with the attached screenshot window. kadmin -l starts without problem but the only listed principal is the name entered in the last page of the wizard. It would seem that the 'init' command has not been used. Does the admin account have to have the form name/admin? I am not well versed in either kerberos or LDAP but I can follow instructions and report back.