Micro dong
2017-09-20 09:59:03 UTC
Hi,
I am trying to install a KDC with an OpenLDAP backend, following
instructions found on the MIT kerberos site. Installation went fine and I
can see that the default principals have been created.
However, I cannot add new principals:
kadmin.local -q "addprinc -randkey test001"
Authenticating as principal root/***@HADOOP.COM with password.
WARNING: no policy specified for ***@HADOOP.COM; defaulting to no policy
add_principal: Principal add failed: Insufficient access while
creating "***@HADOOP.COM".
And my ACL in OpenLDAP is:
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * read
# Providing access to realm container
access to dn.subtree="cn=HADOOP.COM,cn=kerberos,dc=xitong,dc=qh,dc=com"
        by dn.exact="uid=krb5kdc,cn=krbcontainer,dc=xitong,dc=qh,dc=com" write
        by dn.exact="uid=kadmind,cn=krbcontainer,dc=xitong,dc=qh,dc=com" write
        by * none
access to *
        by * read
Any help would be highly appreciated.
*Best regards*
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
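When an "Insufficient access" error comes back from slapd, the first thing to establish is which ACL clause actually decided the request. slapd evaluates the `access to` directives in order, picks the first one whose target matches the entry, and within it the first matching `by` clause wins; an `access to *` at the end silently caps every entry the earlier targets did not cover. The following simulator is an added example, not code from the original post or from OpenLDAP. It models only what the ACL above uses (`dn.base`, `dn.subtree` and `*` targets; `*`, `self` and `dn.exact` subjects), skips the `attrs=` rules because they do not govern entry-level access, and compares DNs as lower-cased strings. The principal DNs it tests are constructed: one under the realm container quoted in the post, one under a hypothetical `ou=people` subtree that the post does not mention.

```python
# Added example (not from the original post or from OpenLDAP): a deliberately
# simplified simulator of slapd's first-match ACL evaluation for entry-level
# access. Attribute-scoped (attrs=) rules are skipped and DN matching is a
# plain lower-case string comparison, so use it as a tracing aid only.
from dataclasses import dataclass, field
from typing import List

# slapd privilege levels, lowest to highest; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL exactly as posted (comment line included).
PAGE_ACL = """
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * read
# Providing access to realm container
access to dn.subtree="cn=HADOOP.COM,cn=kerberos,dc=xitong,dc=qh,dc=com"
        by dn.exact="uid=krb5kdc,cn=krbcontainer,dc=xitong,dc=qh,dc=com" write
        by dn.exact="uid=kadmind,cn=krbcontainer,dc=xitong,dc=qh,dc=com" write
        by * none
access to *
        by * read
"""

KADMIND_DN = "uid=kadmind,cn=krbcontainer,dc=xitong,dc=qh,dc=com"
REALM_DN = "cn=HADOOP.COM,cn=kerberos,dc=xitong,dc=qh,dc=com"


@dataclass
class By:
    who: str     # "*", "self" or 'dn.exact="<dn>"'
    level: str   # one of LEVELS


@dataclass
class Access:
    target: str  # "*", 'dn.base="<dn>"', 'dn.subtree="<dn>"' or "attrs=..."
    clauses: List[By] = field(default_factory=list)


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation: lower-case, strip whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acl(text: str) -> List[Access]:
    """Parse slapd.conf-style 'access to ...' / 'by ...' lines; '#' lines are comments."""
    rules: List[Access] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            rules.append(Access(target=line[len("access to "):].strip()))
        elif line.startswith("by "):
            who, level = line[len("by "):].rsplit(None, 1)
            rules[-1].clauses.append(By(who=who.strip(), level=level))
    return rules


def target_matches(target: str, entry_dn: str) -> bool:
    entry = normalize_dn(entry_dn)
    if target == "*":
        return True
    if target.startswith("attrs="):
        return False  # attribute-scoped rule: not consulted for entry-level access
    kind, _, value = target.partition("=")
    base = normalize_dn(value.strip('"'))
    if kind == "dn.base":
        return entry == base
    if kind == "dn.subtree":
        return entry == base or entry.endswith("," + base)
    return False


def who_matches(who: str, bind_dn: str, entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "self":
        return bind_dn != "" and normalize_dn(bind_dn) == normalize_dn(entry_dn)
    if who.startswith("dn.exact="):
        return normalize_dn(who[len("dn.exact="):].strip('"')) == normalize_dn(bind_dn)
    return False


def evaluate(rules: List[Access], bind_dn: str, entry_dn: str) -> str:
    """First 'access to' whose target matches the entry is selected; inside it the
    first matching 'by' clause decides. No matching 'by' means 'none'."""
    for rule in rules:
        if target_matches(rule.target, entry_dn):
            for clause in rule.clauses:
                if who_matches(clause.who, bind_dn, entry_dn):
                    return clause.level
            return "none"
    return "none"


def has_level(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)


def can_add(rules: List[Access], bind_dn: str, new_dn: str) -> bool:
    """Adding an entry needs write on the new entry and on its parent (slapd checks
    the parent's 'children' pseudo-attribute). Parent = text after the first comma."""
    parent_dn = new_dn.split(",", 1)[1]
    return (has_level(evaluate(rules, bind_dn, new_dn), "write")
            and has_level(evaluate(rules, bind_dn, parent_dn), "write"))


RULES = parse_acl(PAGE_ACL)

if __name__ == "__main__":
    # Constructed principal DNs: inside the posted realm container, and under a
    # hypothetical ou=people subtree that the posted ACL does not cover.
    for dn in ("krbPrincipalName=test001@HADOOP.COM," + REALM_DN,
               "krbPrincipalName=test001@HADOOP.COM,ou=people,dc=xitong,dc=qh,dc=com"):
        print(dn, "->", evaluate(RULES, KADMIND_DN, dn), "add:", can_add(RULES, KADMIND_DN, dn))
```

Running it shows the kadmind DN getting `write` inside the realm container but only `read` (from the trailing `access to *`) anywhere else, so an add under any subtree outside that container fails the parent check. On a live server the authoritative version of this check is slapd's own `slapacl` tool, for example `slapacl -F /etc/openldap/slapd.d -D "<kadmind DN>" -b "<entry DN>" entry/write`, which reports the decision for the real configuration rather than this approximation.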