User talk:Haoqili
Thanks to Tom, Zhanna, Greg, and Will for helping me find the solutions.
Things to do
- can't restart an ldap server!
Kerberos Little Bugs I've encountered and fixed (started logging on Jun 24th).
- When trying to kinit username
- ERROR: kinit: Cannot contact any KDC for realm [your realm fqdn] while getting initial credentials
- SOLUTION: make sure KDC is running. /usr/local/sbin/krb5kdc
- SOLUTION: 1. Check the log file. I looked in /var/log/auth.log. The bottom of it says: Cannot create reply cache file /var/tmp/krb5kdc_rcache: File exists. 2. sudo rm /var/tmp/krb5kdc_rcache (this is the KDC's replay cache left over from an earlier run; only remove it while no krb5kdc is running).
- Can't start krb5kdc and in auth.log it says:
- ERROR: Address already in use - Cannot bind server socket to port [#] address [IP address]
- ERROR: <open file '<fdopen>', mode 'rb' at 0x9a38660>
- SOLUTION: 1. see if it is true that port [#] is in use by netstat -nap | grep [#] (I also did pgrep -x krb5kdc). 2. kill the process: pkill -x krb5kdc. note the "-x" is for matching exactly the process "krb5kdc".
- When changing password 'kpasswd', Cannot contact any KDC for realm [your realm fqdn]
- and/or kadmind can't start (known because echo $? prints 1). The last chunk of auth.log says:
- ERROR:
- kadmind[6924]: No dictionary file specified, continuing without one.
- kadmind[6924]: setting up network...
- kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 0.0.0.0
- kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
- kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address ::
- kadmind[6924]: skipping unrecognized local address family 17
- kadmind[6924]: skipping unrecognized local address family 17
- kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 192.168.165.145
- kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
- kadmind[6924]: Permission denied - Cannot bind TCP server socket on ::.464
- kadmind[6924]: Permission denied - Cannot bind RPC server socket on 0.0.0.0.749
- kadmind[6924]: set up 0 sockets
- kadmind[6924]: no sockets set up?
- Reason (provided by tlyu): It is trying to bind to a privileged port. You need to give it a different port number; actually, two different port numbers: one for password changing and one for normal kadmin.
- SOLUTION:
- In kdc.conf I inserted the last two of these lines (the kdc_ports line was already there):
- kdc_ports = 8888
- kpasswd_port = 8887
- kadmind_port = 8886
- In krb5.conf modify/insert the lines:
- admin_server = yourComputerName.domain:8886
- kpasswd_server = yourComputerName.domain:8887
- Purge key (kdb5_util purge_mkeys) gives an error
- ERROR:
- kdb5_util: Invalid argument while updating actkvno data for master principal entry
- SOLUTION:
- # First activate any keys that have never been "used"; the purge fails with the actkvno error while such keys exist:
- kdb5_util use_mkey [kvno] [time]
- # e.g. kdb5_util use_mkey 2 'now+2days'
- When running a kadmin command, it fails with an "Operation requires ... privilege" error
- ERROR:
- $ kadmin -p haoqili/admin -w test123 -q 'listprincs'
- Authenticating as principal haoqili/admin with password.
- get_principals: Operation requires ``list'' privilege while retrieving list.
- SOLUTION:
- I hadn't created my ACL file yet. In kdc.conf I had specified acl_file = /home/haoqili/kdcfiles/kadm5.acl, so I needed to create kadm5.acl:
- #kadm5.acl, setting up my "admin" principal with all rights, i.e. *
- haoqili/admin *
- Also, before I created the kadm5.acl, I used echo $? to check the command. However, it gave me a 0 even though there were stderr. Tom says: "kadmin is meant to be an interactive program, so exit status might not be as meaningful."
- P.S. I later changed the line in my ACL file to */admin * so that every principal with an admin instance gets full rights, not just mine.
Python Bugs I've encountered and fixed
- When driving a command that asks for a password twice (in my case, kdb5_util add_mkey; the second prompt is the confirmation), I first tried:
- p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
- (out, err) = p.communicate('password')
- (out2, err2) = p.communicate('password')
- When I ran it, I got a chunk of error that ends with: ValueError: I/O operation on closed file. What happens is that communicate() closes the pipe when it returns, so the second call breaks.
- Solution code:
- p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
- p.stdin.write('password'+'\n')
- p.stdin.write('password'+'\n')
- p.stdin.close()  # end of input; then wait so the child has finished before the script moves on
- p.wait()
- Note don't forget the newline at the end of each write; without it the prompt never sees a complete line.
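Added example (Python 3; this is not code from the page, and FAKE_ADD_MKEY is a constructed stand-in for kdb5_util add_mkey, since the real tool needs a KDC database): a single communicate() call delivers both the password and its confirmation, the secret never appears on a command line, a timeout stops a prompt-bound child from hanging the script, and a second helper reproduces the original two-communicate() mistake to show what Python 3 raises for it.

```python
import subprocess
import sys

# Stand-in for "kdb5_util add_mkey" (constructed for this example): reads a
# password and its confirmation from stdin, like the real tool's two prompts.
FAKE_ADD_MKEY = [sys.executable, "-c",
    "import sys\n"
    "first = sys.stdin.readline().rstrip('\\n')\n"
    "second = sys.stdin.readline().rstrip('\\n')\n"
    "if not first:\n"
    "    sys.stderr.write('no password given\\n'); sys.exit(2)\n"
    "if first != second:\n"
    "    sys.stderr.write('passwords do not match\\n'); sys.exit(1)\n"
    "print('master key added')\n"]


def run_with_confirmed_secret(argv, secret, confirm=None, timeout=30):
    """Run argv, answering a password prompt and its confirmation prompt.

    Both answers go into one communicate() call: communicate() closes the
    child's stdin when it returns, which is why a second call fails with
    'I/O operation on closed file'.  Feeding the secret through the pipe also
    keeps it out of the process list and shell history, unlike kadmin -w.
    Returns (exit status, stdout, stderr).
    """
    if confirm is None:
        confirm = secret
    p = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE, text=True)
    try:
        out, err = p.communicate(secret + "\n" + confirm + "\n", timeout=timeout)
    except subprocess.TimeoutExpired:
        p.kill()            # do not leave a prompt-bound child behind
        p.communicate()
        raise
    return p.returncode, out.strip(), err.strip()


def calling_communicate_twice_fails(argv):
    """Reproduce the original mistake.  In Python 3 the second communicate()
    with input raises ValueError ('Cannot send input after starting
    communication').  Returns the exception class name, or None if it worked."""
    p = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE, text=True)
    p.communicate("abcde\n")        # first call: sends one line, closes stdin
    try:
        p.communicate("abcde\n")    # second call: stdin is already closed
    except ValueError as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print(run_with_confirmed_secret(FAKE_ADD_MKEY, "abcde"))
    print(run_with_confirmed_secret(FAKE_ADD_MKEY, "abcde", confirm="abcdf"))
    print(calling_communicate_twice_fails(FAKE_ADD_MKEY))
```

To use it with the real tool, replace FAKE_ADD_MKEY with ['kdb5_util', 'add_mkey'] (plus any -e enctype arguments) and check the returned exit status rather than trusting that the prompts were answered.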
Tips. Useful little things to know
Kerberos
- Good link
- kadmin.local -q 'modprinc +needchange [princname]': the needchange flag forces the principal to change its password at the next kinit.
- kadmin.local -q 'modprinc -policy [policyname] [princname]' attaches a password policy to the principal. A policy (created with add_policy/addpol) can keep a password history so that previously used passwords are rejected, and can also enforce minimum length, character classes and password lifetimes.
- There is a bug in the code (6507): kdb5_util update_princ_encryption uses the latest mkey instead of mkey.
- AES has replaced Triple DES, but there are still places that have Triple DES set as the default (visible, for example, in klist -ekt [path of stash, such as /home/haoqili/kdcfiles/keyStashFile]).
- Test the date parser. Navigate to src/kadmin/cli and:
- delete 2nd argument in main of getdate.y
- rm getdate.c
- make getdate.c
- gcc -o datetest -DTEST getdate.c -I../../include
- ./datetest
- kadmind -nofork is useful from Python: it keeps kadmind in the foreground, so the script can hold on to the process, read its stderr until it reports "starting", and only then run the steps that depend on it, instead of racing them or having them time out.
- l0b = self.parentpath+'kadmind -nofork'
- pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
- print "kadmind -nofork"
- while (True):
- l = pl0b.stderr.readline()
- if not l: break  # EOF: kadmind exited without ever printing "starting"; otherwise this loop would spin forever
- if l.find("starting") > -1: #for kadmind: starting ...
- print l.strip()
- break
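Added example (Python 3, not the page's code) of the readiness wait above, generalized with a timeout and a check that the child has not already died, for instance on the port-binding failure logged earlier on this page. FAKE_KADMIND and FAKE_FAILING are constructed stand-ins that write kadmind-style lines to stderr, because a real kadmind needs a KDC database.

```python
import queue
import subprocess
import sys
import threading
import time

# Constructed stand-ins for "kadmind -nofork".  -u keeps the child's stderr
# unbuffered so each line arrives as soon as it is written.
FAKE_KADMIND = [sys.executable, "-u", "-c",
    "import sys, time\n"
    "sys.stderr.write('kadmind: No dictionary file specified, continuing without one.\\n')\n"
    "sys.stderr.write('kadmind: setting up network...\\n')\n"
    "time.sleep(0.2)\n"
    "sys.stderr.write('kadmind: starting...\\n')\n"
    "time.sleep(60)\n"]            # then idle like a daemon until killed
FAKE_FAILING = [sys.executable, "-u", "-c",
    "import sys\n"
    "sys.stderr.write('kadmind: Permission denied - Cannot bind server socket to port 464\\n')\n"
    "sys.exit(1)\n"]


def start_and_wait_ready(argv, marker="starting", timeout=10.0):
    """Spawn argv (e.g. kadmind -nofork) and return its Popen once a stderr
    line containing `marker` has been seen.  Raises RuntimeError if the child
    exits first and TimeoutError if nothing arrives in time.  A reader thread
    is used because readline() on a pipe cannot be given a timeout."""
    p = subprocess.Popen(argv, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                         stderr=subprocess.PIPE, text=True)
    lines = queue.Queue()

    def pump():
        for line in iter(p.stderr.readline, ""):
            lines.put(line)
        lines.put(None)                      # EOF sentinel

    threading.Thread(target=pump, daemon=True).start()
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            p.kill()
            p.wait()
            raise TimeoutError(f"no '{marker}' line within {timeout}s")
        try:
            line = lines.get(timeout=remaining)
        except queue.Empty:
            continue
        if line is None:
            raise RuntimeError(f"child exited with status {p.wait()} "
                               f"before reporting '{marker}'")
        if marker in line:
            return p


def readiness(argv, marker="starting", timeout=10.0):
    """Return 'ready', 'exited' or 'timeout', and make sure the child is gone."""
    try:
        p = start_and_wait_ready(argv, marker, timeout)
    except RuntimeError:
        return "exited"
    except TimeoutError:
        return "timeout"
    p.kill()
    p.wait()
    return "ready"


if __name__ == "__main__":
    print(readiness(FAKE_KADMIND))          # ready
    print(readiness(FAKE_FAILING))          # exited
```

In a real test script, keep the Popen that start_and_wait_ready() returns and terminate() it at the end; the stderr lines it has read (the "Permission denied" ones, for example) are the first thing to look at when the daemon never reports "starting".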
Shell
- The following characters have special meanings in grep or egrep:
- In egrep:
- | ^ $ . * + ? ( ) [ { } \
- In grep:
- ^ $ . * \( \) [ \{ \} \
- 0 = STDIN, 1 = STDOUT, 2 = STDERR. Like blah 2> /dev/null puts blah's STDERR into /dev/null
- > overwrites, >> appends
- To run without watching the output: ksh filename > writefilename 2>&1. The 2>&1 sends STDERR to wherever STDOUT is going; it must come after the > redirect, otherwise STDERR still goes to the terminal.
- To watch the output and save it at the same time: ksh filename 2>&1 | tee writefilename
- ksh: typeset'ing vars in a function makes those vars local to the function. In ksh93 this holds for functions declared with the "function name { ... }" syntax; with the "name() { ... }" syntax the variables stay global.
Python
Common Stuff
- In Python 2, print is a statement, not a function, so [print line for line in linelist] is a syntax error. Wrap it in a function, say printl(), and do [printl(line) for line in linelist] (or just loop, since a comprehension built only for its side effects also allocates a throwaway list).
More Specific Stuff
- p = Popen('blah', stdin=PIPE, stdout=PIPE, stderr=PIPE)
- (out, err) = p.communicate('inputThing\n') <-- don't forget the return "\n" at the end!
- When you're doing a bunch of p=Popen('shell command') be careful, because Popen only starts the child and returns immediately, so the next Popen may start before the previous one has finished. To fix this, wait for it and check its exit status:
- if p.wait() != 0: # non-zero exit status means the command failed
- print "error message"
- sys.exit(1)
- Two ways to display output from Popen when the command is an interactive tool (in my case, getting into kadmin.local). 06262009
- Way 1:
- p = Popen(['command', 'all', 'in', 'one', 'line'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local', '-q', 'listprincs']
- if int(p.wait()) != 0:
- print p.stdout.readlines()
- Way 2:
- p = Popen(['command', 'front', 'chunk'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local']
- (out, err) = p.communicate('rest of command') #e.g. 'listprincs'
- print out
- To avoid typing the same chunk of code every time, i.e.
- p = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
- This can be changed to:
- s = dict(stdin=PIPE, stdout=PIPE, stderr=PIPE)
- p = Popen(cmd, **s)
- To run a shell command line directly, turn on shell=True; the command is then a single string rather than a split-up list. Do this only with a fixed string: if any part of it comes from elsewhere (a principal name, a filename, a password), the shell interprets metacharacters such as ; | ` $( ) in it and the input becomes a command injection. Prefer the list form, which hands each argument to the program literally with no shell involved.
- p = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
- p.stdout.readlines() can only be read once: it consumes the pipe, so store the result in a variable if it is needed again.
- Print current time in python:
- from time import strftime
- print "current time: "+strftime("%Y-%m-%d %H:%M:%S")
- Output: current time: 2009-07-06 22:00:54
- Sleep for 7 seconds.
- import time
- time.sleep(7)
- Popen( env=blah ): only pass env when the child needs a different environment. It replaces the whole environment rather than adding to it, so build it from os.environ.copy() if the child still needs PATH, KRB5_CONFIG and so on; when env is omitted the child simply inherits the parent's environment.
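Added example (Python 3, not code from this page) covering two of the notes above: checking the exit status without a manual wait loop, and what shell=True does to a string that contains user-supplied text. ECHO_ARG is a constructed stand-in for a tool such as kadmin.local; it just prints back the one argument it receives.

```python
import shlex
import subprocess
import sys

# Stand-in for a command such as kadmin.local (constructed for this example):
# prints back the single argument it was given.
ECHO_ARG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def run_argv(principal):
    """Safe form: an argv list and no shell.  Whatever is in `principal` is
    delivered to the child as exactly one argument.  run() does not return
    until the child has exited, and check=True raises CalledProcessError on
    a non-zero exit status, replacing the manual p.wait() != 0 check."""
    r = subprocess.run(ECHO_ARG + [principal], capture_output=True, text=True,
                       check=True, timeout=30)
    return r.stdout.strip()


def run_shell_unquoted(principal):
    """Unsafe form: a command string built by concatenation plus shell=True.
    Any ; | & ` $( ) in `principal` is parsed by the shell, so the caller's
    input can run extra commands.  Kept only to demonstrate the effect."""
    cmd = " ".join(shlex.quote(a) for a in ECHO_ARG) + " " + principal
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
    return r.stdout.strip()


def run_shell_quoted(principal):
    """If shell=True really is needed (pipelines, redirections), quote every
    interpolated value with shlex.quote() so the shell sees one literal word."""
    cmd = " ".join(shlex.quote(a) for a in ECHO_ARG + [principal])
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                       check=True, timeout=30)
    return r.stdout.strip()


if __name__ == "__main__":
    evil = "haoqili/admin; echo INJECTED"
    print(repr(run_argv(evil)))             # 'haoqili/admin; echo INJECTED'
    print(repr(run_shell_unquoted(evil)))   # 'haoqili/admin\nINJECTED'
    print(repr(run_shell_quoted(evil)))     # 'haoqili/admin; echo INJECTED'
```

The same reasoning applies to kadmin's -q argument: build it as one list element so that a principal name containing spaces or shell characters reaches kadmin unchanged, and let kadmin's own parser decide what it means.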
MKM Errors Put Aside
- Adding the 1058th master key gives a memory error
- getdate.y has problems:
- /trunk/src/kadmin/cli$ ./datetest
- Enter date, or blank line to exit.
- > 6 months
- Sat Jan 9 14:22:36 2010
- > 12/31/2009
- Wed Dec 30 23:00:00 2009
- > 07/10/2009
- Thu Jul 9 23:00:00 2009
- > 01/01/2009
- Wed Dec 31 23:00:00 2008
- > 01/01/2009 00:00:00
- Wed Dec 31 23:00:00 2008
- Phantom list_mkey error after adding -e aes128-cts-hmac-sha1-96. The error went away after I ran the ksh equivalent of the python test. I don't know why it went away because everything seemed to be the same.
- for lines 283-289:
- print "Testing add_mkey with aes128 enctype
- =============================================="
- kdb5_util add_mkey -e aes128-cts-hmac-sha1-96 <<EOF
- abcde
- abcde
- EOF
- kdb5_util list_mkeys
- print "Testing add_mkey with aes128 enctype done
- =============================================="
- The list_mkeys at the bottom is giving the following error:
- kdb5_util: Unable to decrypt latest master key with the provided master key
- while getting master key list
- kdb5_util: Warning: proceeding without master key list
- kdb5_util: master keylist not initialized
Getting LDAP Running
- (DON'T FOLLOW THESE STEPS, THEY WILL CAUSE CONFLICTS; follow Greg's steps below.) I followed the directions on this website http://openldap.org/doc/admin24/quickstart.html
- Install BerkeleyDB
- Download berkeleydb4.7
- cd to folder
- cd build_unix (on my Ubuntu)
- ../dist/configure
- make
- sudo make install
- Install Open LDAP
- ./configure (fails)
- ERROR: DBD/HDB:BerkeleyDB not available
- Fixed: CPPFLAGS="-I/usr/local/BerkeleyDB4.7/include" then export CPPFLAGS
- ./configure
- make depend
- make (fails)
- ERROR: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known
- FIXED: CPPFLAGS=-D_GNU_SOURCE then export CPPFLAGS
- make
- make test (takes a while)
- sudo make install (installed in /usr/local/etc/openldap)
- Change the configuration file at /usr/local/etc/openldap/slapd.conf
- <my-domain> <-- example, <com> <-- com (so the suffix and rootdn use dc=example,dc=com)
- rootpw is still "secret" (the quickstart default; for anything beyond a throwaway test, replace it with a hash generated by slappasswd)
- the rootdn cn is still "Manager"
- Start SLAPD: sudo /usr/local/libexec/slapd
- Check if it works by a search: ldapsearch blah
- Add entries. Consult link above.
What I should have done. Faster, simpler. Directions given by Greg Hudson.
1. sudo apt-get install slapd (for server program)
2. sudo apt-get install ldap-utils (for ldapsearch)
3. copy src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema into /etc/ldap/schema
4. In /etc/default/slapd, change SLAPD_SERVICES="ldapi:///", to restrict access to the local machine
5. ldapsearch test:
- ldapsearch -H ldapi:/// -x -W -D cn=Manager,dc=example,dc=com -LLL -b dc=example,dc=com
- -H ldapi:/// the URI of the LDAP server (ldapi is the local Unix-domain socket)
- -x simple authentication (a bind DN and password, rather than SASL)
- -W prompt for the password (prefer this over -w password, which leaves the password visible in the process list and shell history)
- -D cn=Manager,dc=example,dc=com the "bind DN", like a username
- -LLL plain LDIF output, without the comment lines and version header
- -b the base DN of the query, which restricts its scope
6. sudo apt-get install libldap2-dev
I thought I didn't have to do steps 1 and 2 since I installed the whole thing. However, I got stuck on step 4 because /etc/default/slapd doesn't exist. So I tried to install 1 and 2, but got the following
ERROR:
$ sudo apt-get install slapd
Reading package lists... Done
Building dependency tree
Reading state information... Done
slapd is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 169 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Setting up slapd (2.4.15-1ubuntu3) ...
Creating initial slapd configuration... Loading the initial configuration from the ldif file (/tmp/slapd_init.ldif.FZDOiAlAPo) failed with the following error while running slapadd:
str2entry: invalid value for attributeType objectClass #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=16)
dpkg: error processing slapd (--configure):
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
 slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)
It's okay, the previously missing /etc/default/slapd now exists so that I can do step 4.
SOLUTION: I fixed this error by removing a slapd to avoid conflicts in the slapd already installed from source: sudo apt-get remove slapd
Note how the top of the error says that what I was installing "is already the newest version"; the rest of the output came from the conflict with the slapd built from source.
Step 5 then failed with error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
It can be fixed if slapd is started more specifically: sudo /usr/local/libexec/slapd -h ldapi:///
Everything is a mess! But here are some of the things I can do despite the mess
- Zhanna got slapd and ldapsearch working on my computer. I have not been able to replicate it. But here are the steps she used.
- Kill an existing slapd:
ps -ef | grep slapd
and then sudo kill -9 [the number in the PID column]
- Set up a new slapd:
sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:667
(667, a bigger number, works; 389, a smaller number, wouldn't.)
- Test if slapd is running by doing a search:
ldapsearch -H ldapi:/// -x -D cn=Manager,dc=example,dc=com -w secret
Adding LDAP Entries
- Then I created 2 new LDAP entries:
- Create this file, named example.ldif:
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: HaoQiCompany
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
- Note that the object class names cannot be made up; they come from the schema that slapd has loaded.
- Add them:
ldapadd -H ldapi:/// -x -D "cn=Manager,dc=example,dc=com" -w secret -f example.ldif
- Search for them:
ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'
- result:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
- An important thing I learned is that I can't put in entries at random. The object classes are all specified in the schema, and so are the attributes that come with each object class. For example, the objectclass "person" must have "objectclass", "sn" for surname, and "cn" for common name. Objectclass "person" may also have these attributes: "description", "seeAlso", "telephoneNumber", and "userPassword".
- I ran into errors when I followed the examples for adding "person" on some websites because they included a "title" attribute, which is not allowed for person (title belongs to the organizationalPerson subclass, so an entry with objectclass: organizationalPerson can carry it).
- Here is where I learned which entries are allowed
- With this knowledge, I made example3.ldif:
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectclass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234
- Add this entry:
ldapadd -H ldapi:/// -x -w secret -D "cn=Manager,dc=example,dc=com" -f example3.ldif
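Added example (Python 3; not code from this page or from OpenLDAP): a small LDIF pre-flight check that catches the "title" mistake described above before ldapadd does. It parses LDIF into entries and checks the person class only, using the RFC 4519 MUST/MAY lists quoted above; EXAMPLE_LDIF is a constructed input containing the Zhanna entry plus a deliberately bad one.

```python
# Object class definition from RFC 4519 that the entries above rely on.
# LDAP attribute names are case-insensitive, so everything is compared lowercased.
PERSON_MUST = {"sn", "cn"}
PERSON_MAY = {"userpassword", "telephonenumber", "seealso", "description"}

# Constructed input: the good entry from example3.ldif plus one carrying
# "title", which belongs to organizationalPerson, not person.
EXAMPLE_LDIF = """\
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectclass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234

dn: cn=Bad Entry,dc=example,dc=com
objectclass: person
cn: Bad
sn: Entry
title: Intern
"""


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) entries.

    Handles blank-line separators, '#' comments and RFC 2849 line folding
    (a continuation line starts with one space).  Base64 values ("attr:: ...")
    are not decoded; they are kept as the raw text after the first colon."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, None
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn, attrs = value, {}
        elif attrs is None:
            raise ValueError(f"attribute line before any dn: {line!r}")
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def check_entry(dn, attrs):
    """Return the schema problems slapd would reject this entry for.
    Only the person class is modelled; other classes pass through."""
    problems = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if not classes:
        problems.append(f"{dn}: no objectClass attribute")
        return problems
    if "person" in classes:
        for must in sorted(PERSON_MUST):
            if must not in attrs:
                problems.append(f"{dn}: missing required attribute {must}")
        allowed = PERSON_MUST | PERSON_MAY | {"objectclass"}
        for name in attrs:
            if name not in allowed:
                problems.append(f"{dn}: attribute {name} not allowed by objectClass person")
    return problems


def check_ldif(text):
    """Pre-flight check to run before ldapadd -f file.ldif."""
    problems = []
    for dn, attrs in parse_ldif(text):
        problems.extend(check_entry(dn, attrs))
    return problems


if __name__ == "__main__":
    for problem in check_ldif(EXAMPLE_LDIF):
        print(problem)
```

Because only person is modelled, an entry that also lists organizationalPerson or inetOrgPerson will get false positives for the extra attributes those subclasses allow; extend the table from the schema files under /etc/ldap/schema before relying on it for such entries.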
- Now, the search result for all object classes looks like this:
ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# Zhanna Tsitkova, example.com
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectClass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
- Search for just the "person" object class:
ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=person)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=person)
# requesting: ALL
#

# Zhanna Tsitkova, example.com
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectClass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
- Search for just one entry:
ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' 'cn=HaoQi'
- Note that 'cn=HaoQi' is the filter, the second quoted argument; the first set of single quotes is the search base. A filter that is a single attribute=value can be written without the surrounding parentheses.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=HaoQi
# requesting: ALL
#

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1