Category: Kerberos


Part 0: Multi-Master Kerberos Server with OpenLDAP Backend – Installer

Some months ago, I started to play around with OpenLDAP and Kerberos. At the beginning of my LDAP adventure, I often messed up my installation, so I ended up reinstalling everything and had to start again from scratch.

To make my life a little bit easier, I wrote a simple bash script to do the package installing, so that the necessary changes to the config files only had to be made from the last ‘save’ point. Over time, I added a lot of stuff and features and so the script started to accumulate. In retrospect, if I were to start again from the beginning, I would now use something more appropriate than bash.

Anyway, the script installs a “Multi-Master Kerberos Server with an LDAP Backend”.

Please follow the steps below to try out the script on a current Ubuntu or Debian system (Ubuntu 17.04 or Debian 8). I would recommend using a fresh system in a virtual machine.

There are some more things I will explain in further posts, once I have the time, which I currently do not. Soooo, if you have specific questions about the script or ideas for improvement, please leave me a comment.

Disclaimer: Feel free to use this script at your own risk; I cannot be held responsible for what YOU do on YOUR administered system.

  1. Download the two files:
  2. Use md5 to check the data integrity of the downloaded file:
    user@yourbox:~$ md5sum -c LDAPX-0.4.1.tar.gz.md5
  3. Extract the file with tar:
    user@yourbox:~$ tar -zxvf LDAPX-0.4.1.tar.gz
  4. Change into the directory LDAPX:
    user@yourbox:~$ cd LDAPX
  5. Add the fully qualified domain name of the server(s) to the variable ‘LIST_OF_ALL_LDAP_MASTERS’ in ‘conf/LDAPX.conf‘. (Only necessary if you want more than one master server.)
    • Optional step: Change the password of the ldap admin (_LDAP_ADMIN_PW), the gpg password file (_GPG_FILE_PW) and the gpg user password file (_GPG_FILE_PW_USER)
      (Leave it blank to enter them during the installation)
  6. Optional step: In the file ‘conf/LDAPX.tls.conf’ change the values of TLS_CA_LOCALITY/TLS_CA_STATE/TLS_CA_COUNTRYCODE/
  7. Become root with the command:
    user@yourbox:~$ sudo su
  8. Important: Add the fully qualified domain name of the server(s) to ‘/etc/hosts‘.
  9. Make the two scripts executable with:
    root@yourbox:/home/user/LDAPX# chmod +x
    root@yourbox:/home/user/LDAPX# chmod +x
  10. Run the script:
    root@yourbox:/home/user/LDAPX# ./
  11. Start the installation process with the menu item ‘Install first master server’
  12. You can find some more information in the file: ‘backup/
  13. Test the setup:
    • kinit
      1. Use kinit to request a kerberos ticket:
        root@yourbox:/home/user/LDAPX# kinit doejo
      2. The default password for user doejo is ‘winter2014#’
      3. Use klist to list your cached Kerberos ticket.
    • ssh
      1. ssh to yourbox with:
        ssh doejo@yourbox
      2. Use your new password or ‘winter2014#’ if you did not change it above.
      3. Use klist to list your cached Kerberos ticket.
      4. Try to become root with:
        doejo@yourbox:~# sudo su -


Cannot contact any KDC for requested…

If you get this error message while trying to change your Kerberos password, and the server it runs on is virtualized, you may have an entropy shortage, which leads to a timeout.
Linux serves random numbers through the special files /dev/random and /dev/urandom. The entropy pool behind these files drains very quickly on virtualized systems, which receive no hardware entropy from a keyboard, a mouse or an actual hardware entropy generator.
One possible solution is to install the haveged entropy daemon. This daemon keeps the pool supplied with unpredictable random numbers.

On Ubuntu or Debian, use the following command to install the daemon:

apt-get install haveged

Once the daemon is running, you can issue the kinit command again. For more debug information, prefix kinit with KRB5_TRACE=/dev/stdout so the trace is written to stdout:

KRB5_TRACE=/dev/stdout kinit username
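As an added example (not part of the original post), a small POSIX shell helper that checks the kernel entropy pool and whether haveged is active before running kinit with KRB5_TRACE, so a drained pool on a virtualized host shows up as a clear message instead of only as a KDC timeout. The threshold (ENTROPY_MIN), the systemd service name "haveged" and the default principal "doejo" are assumptions.

```shell
#!/bin/sh
# Added example, not the LDAPX project's code. Checks entropy before kinit.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
# Assumed threshold for the kernels the post targets (pool fills to 4096).
# Kernels 5.18+ report a constant 256 once seeded, so lower it there.
ENTROPY_MIN="${ENTROPY_MIN:-1000}"

# entropy_status FILE MIN: prints "ok", "low" or "unknown"; exit 0/1/2.
entropy_status() {
    file="$1"; min="$2"
    avail=$(cat "$file" 2>/dev/null) || { echo "unknown"; return 2; }
    case "$avail" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$avail" -lt "$min" ]; then
        echo "low"; return 1
    fi
    echo "ok"; return 0
}

# haveged_running: exit 0 when the haveged service is active (systemd hosts).
haveged_running() {
    command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet haveged
}

# kinit_traced PRINCIPAL: the kinit call from the post, with tracing on stdout.
kinit_traced() {
    KRB5_TRACE=/dev/stdout kinit "$1"
}

main() {
    status=$(entropy_status "$ENTROPY_FILE" "$ENTROPY_MIN") || true
    avail=$(cat "$ENTROPY_FILE" 2>/dev/null || echo '?')
    echo "entropy pool: $status ($avail bits available, minimum $ENTROPY_MIN)"
    if [ "$status" = "low" ] && ! haveged_running; then
        echo "haveged is not running; apt-get install haveged, then retry" >&2
    fi
    kinit_traced "${1:-doejo}"
}

# Run only when a principal is given via RUN_KINIT, e.g. RUN_KINIT=doejo ./check.sh
if [ -n "${RUN_KINIT:-}" ]; then
    main "$RUN_KINIT"
fi
```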