kdb5_util dump gives Server error

Problem description:

I have been trying to dump my Kerberos database (LDAP backend) using kdb5_util dump (filename), but I get:

kdb5_util load_dump version 6 
kdb5_util: error performing Kerberos version 5 release 1.8 dump (Server error) 
policy default 0  0  1  1  1  0  0  0  0 

The Kerberos KDC and kadmin logs show nothing relevant; ldap.log gives: May 31 12:40:17 kdc slapd[28020]: connection_input: conn=1091 deferring operation: binding

Everything else works fine: creating and deleting principals and authenticating with them, no problem. Only dumping the database fails. As far as I know, the backend should not have any effect on the dump.

Any ideas how I can debug or fix this? What am I missing?

/etc/krb5.conf

[libdefaults] 
     default_realm = REALM.EXAMPLE.COM 
     kdc_timesync = 1 
     ccache_type  = 4 
     forwardable  = true 
     proxiable  = true 

[realms] 
     REALM.EXAMPLE.COM = { 
       kdc    = kdc.realm.example.com 
       admin_server = kdc.realm.example.com 
       kpasswd_server = kdc.realm.example.com 
     } 

[domain_realm] 
     .realm.example.com = REALM.EXAMPLE.COM 

/etc/krb5kdc/kdc.conf

[realms] 
    REALM.EXAMPLE.COM = { 
     default_domain = realm.example.com 
     database_module = ldapconf 

     acl_file  = /etc/krb5kdc/kadm5.acl 
     key_stash_file = /etc/krb5kdc/.master 

     max_life  = 10h 0m 0s 
     max_renewable_life = 7d 0h 0m 0s 

     master_key_type   = aes256-cts 
     supported_enctypes  = aes256-cts-hmac-sha1-96:normal 
#aes128-cts-hmac-sha1-96:normal arcfour-hmac:normal 
     default_principal_flags = +preauth 

     pkinit_identity = FILE:/etc/krb5kdc/kdc-cert.pem,/etc/krb5kdc/.kdc-key.pem 
     pkinit_anchors = FILE:/etc/krb5kdc/ca-cert.pem 

     dict_file  = /root/bad_passwords.dict 
    } 

[dbmodules] 
     ldapconf = { 
       db_library     = kldap 
       ldap_kerberos_container_dn = "cn=kerberos,dc=realm,dc=example,dc=com" 
       ldap_kdc_dn    = "cn=kerberos-kdc,dc=realm,dc=example,dc=com" 
       ldap_kadmind_dn   = "cn=kerberos-admin,dc=realm,dc=example,dc=com" 
       ldap_servers    = ldapi:/// 
       ldap_service_password_file = /etc/krb5kdc/.service 
     }

[logging]
     kdc          = FILE:/var/log/kerberos/kdc.log
     admin_server = FILE:/var/log/kerberos/kadmin.log
     default      = FILE:/var/log/kerberos/kerberos.log

Found the problem in the end: the LDAP backend has a hard size limit of 500 on search requests. Having 501 users bit me! Fix: – Kestrel

After some debugging I finally found the problem:

The LDAP backend has a hard size limit of 500 on search requests. Having 501 users bit me!

Fix:

# 
# remove sizelimit for ldap search 
# 
# apply with ldapmodify -Y EXTERNAL -H ldapi:/// -f sizelimit.ldif 
# 
dn: olcDatabase={1}hdb,cn=config 
changetype: modify 
add: olcLimits 
olcLimits: dn.exact="cn=kerberos-admin,dc=realm,dc=example,dc=com" size=unlimited 

Applied it, restarted slapd, and the dump went through happily.
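The failure mode in the answer (a server-side size limit silently truncating the principal search that kdb5_util needs) is easy to check for before it bites. The script below is an added example, not code from the original question or answer: it reads the database's olcSizeLimit and olcLimits from cn=config, works out which limit applies to the DN that kadmind/kdb5_util binds as, and compares it with the number of principals. The helper functions run on a constructed LDIF sample so they can be exercised offline; the live_check function assumes OpenLDAP with cn=config, the olcDatabase={1}hdb entry and the cn=kerberos-admin DN from the question (use the matching olcDatabase={N}mdb entry on an mdb backend), and it only understands the plain size=... form of olcLimits, not the size.soft/size.hard variants.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether slapd's search
# size limit is lower than the number of Kerberos principals, which is what
# made kdb5_util dump fail with "Server error" in the question.

# Constructed sample of what the cn=config query in live_check returns
# after the olcLimits fix from the answer has been applied.
SAMPLE_LDIF='dn: olcDatabase={1}hdb,cn=config
olcSizeLimit: 500
olcLimits: {0}dn.exact="cn=kerberos-admin,dc=realm,dc=example,dc=com" size=unlimited
'

# effective_size_limit LDIF BIND_DN
# Prints the size limit that applies to BIND_DN: a per-DN olcLimits entry
# with size=... wins, otherwise olcSizeLimit, otherwise OpenLDAP's built-in
# default of 500 entries.
effective_size_limit() {
  ldif=$1
  dn=$2
  per_dn=$(printf '%s\n' "$ldif" \
    | grep '^olcLimits:' \
    | grep -F "dn.exact=\"$dn\"" \
    | sed -n 's/.*[[:space:]]size=\([^[:space:]]*\).*/\1/p' \
    | head -n 1)
  if [ -n "$per_dn" ]; then
    printf '%s\n' "$per_dn"
    return 0
  fi
  global=$(printf '%s\n' "$ldif" | sed -n 's/^olcSizeLimit: *//p' | head -n 1)
  printf '%s\n' "${global:-500}"
}

# dump_would_truncate LIMIT PRINCIPAL_COUNT
# Returns 0 (true) when a search for all principals would exceed LIMIT.
dump_would_truncate() {
  limit=$1
  count=$2
  case $limit in
    unlimited|none) return 1 ;;
  esac
  [ "$count" -gt "$limit" ]
}

# Live check against the local slapd (needs root on the KDC host so the
# SASL EXTERNAL bind over ldapi:/// is allowed to read cn=config).
# -z 0 asks for no client-side size limit; if the server still cuts the
# result off, ldapsearch reports "Size limit exceeded (4)" and the count
# printed here is itself truncated, which is the very symptom to fix.
live_check() {
  bind_dn="cn=kerberos-admin,dc=realm,dc=example,dc=com"   # from the question
  cfg=$(ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config \
          '(olcDatabase={1}hdb)' olcSizeLimit olcLimits)
  count=$(ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -z 0 \
          -b 'cn=kerberos,dc=realm,dc=example,dc=com' \
          '(objectClass=krbPrincipal)' dn | grep -c '^dn:')
  limit=$(effective_size_limit "$cfg" "$bind_dn")
  if dump_would_truncate "$limit" "$count"; then
    echo "WARNING: $count principals, but the size limit for $bind_dn is $limit"
    return 1
  fi
  echo "OK: $count principals, size limit for $bind_dn is $limit"
}

# Uncomment on the KDC host to run the live check:
# live_check
```

Run live_check after applying the LDIF from the answer and restarting slapd; the limit it reports for the kadmin DN should read unlimited. Because limits in OpenLDAP are granted per bind DN, the grant has to go to the DN that kdb5_util actually binds with, which is why the answer targets cn=kerberos-admin rather than raising olcSizeLimit for every client.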