From: Robert Larson <robert@sixthings.com>
Organization: SixThings Inc.
To: gentoo-server@lists.gentoo.org
Subject: [gentoo-server] Heimdal kerberos issue after openldap upgrade
Date: Fri, 7 Oct 2005 10:59:57 -0500
Message-Id: <200510071059.57572.robert@sixthings.com>

Hello!

I'm running a gentoo authentication server utilizing heimdal-kerberos, cyrus-sasl, and openldap. This setup has been running for roughly six months without problems, until an openldap upgrade rendered my kerberos implementation useless.
I recently (early last month) made the following upgrade:

openldap-2.1.30-r5 -to- openldap-2.2.28

I began by uninstalling the first instance, then installing the second instance. I had a slapcat copy of the DB, so I moved the original databases to a backup, performed a slapadd, and reset all of the file permissions. Upon the slapadd, I received an error stating that the configuration was broken. Upon looking into it, it was erroring out due to the "password-hash {CLEARTEXT}" option. I commented this out, and it appears to be working now. I can execute searches and adds, but for some reason this upgrade has caused kerberos to begin having problems.

When I try kinit, I receive this in syslog:

[kdc] UNKNOWN -- user@MYREALM: Wrong database version

I try the following:

# kadmin -l
kadmin> list *
kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
kadmin: kadm5_get_principals: Wrong database version
kadmin>

I had followed the steps in the ebuild for openldap, and it seems to me like this might be a problem with heimdal-kerberos, but I am not sure. I suppose it could even be a problem with cyrus-sasl.

Any help or suggestions would be appreciated,
Robert

--
gentoo-server@gentoo.org mailing list