kdb5_util转储给服务器错误
问题描述:
我一直在试图倾倒我Kerberos数据库使用kdb5_util转储(文件名)(LDAP后端),但我得到:kdb5_util转储给服务器错误
kdb5_util load_dump version 6
kdb5_util: error performing Kerberos version 5 release 1.8 dump (Server error)
policy default 0 0 1 1 1 0 0 0 0
的Kerberos KDC和日志的kadmin无关,ldap.log给出 5月31日12:40:17 kdc slapd [28020]:connection_input:conn = 1091推迟操作:绑定
一切工作正常,创建,删除,校长认证,没问题。只是倾销数据库失败。据我所知,后端不应该对转储有任何影响。
任何想法,我可以调试或解决这个问题?我错过了什么?
的/etc/krb5.conf
[libdefaults]
default_realm = REALM.EXAMPLE.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
REALM.EXAMPLE.COM = {
kdc = kdc.realm.example.com
admin_server = kdc.realm.example.com
kpasswd_server = kdc.realm.example.com
}
[domain_realm]
.realm.example.com = REALM.EXAMPLE.COM
/etc/krb5kdc/kdc.conf
[realms]
REALM.EXAMPLE.COM = {
default_domain = realm.example.com
database_module = ldapconf
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/.master
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts
supported_enctypes = aes256-cts-hmac-sha1-96:normal
#aes128-cts-hmac-sha1-96:normal arcfour-hmac:normal
default_principal_flags = +preauth
pkinit_identity = FILE:/etc/krb5kdc/kdc-cert.pem,/etc/krb5kdc/.kdc-key.pem
pkinit_anchors = FILE:/etc/krb5kdc/ca-cert.pem
dict_file = /root/bad_passwords.dict
}
[dbmodules]
ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = "cn=kerberos,dc=realm,dc=example,dc=com"
ldap_kdc_dn = "cn=kerberos-kdc,dc=realm,dc=example,dc=com"
ldap_kadmind_dn = "cn=kerberos-admin,dc=realm,dc=example,dc=com"
ldap_servers = ldapi:///
ldap_service_password_file = /etc/krb5kdc/.service
}
[logging]
kdc = FILE:/var/log/kerberos/kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/kerberos.log
答
在最后调试后发现了问题:
的LDAP后端有一个硬搜索请求的大小限制为500。有501位用户在背后咬我!
修复:
#
# remove sizelimit for ldap search
#
# apply with ldapmodify -Y EXTERNAL -H ldapi:/// -f sizelimit.ldif
#
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=kerberos-admin,dc=realm,dc=example,dc=com" size=unlimited
应用,重启slapd的,并转储兴高采烈地走了
发现了这个问题,在最后: 的LDAP后端有500搜索请求硬盘大小限制。有501位用户在背后咬我! 修复: – Kestrel