Howard,
sorry to bother you with this, but the ldif didn't work on my 2003 SP1 server.
I didn't use SFU so I skipped the Fix difs and only used w2k3-r2-rfc2307.ldif.
When I run it I get the below error.
50:
CN=Group,CN=Schema,CN=Configuration,DC=WINDOWS2003,DC=HOME
Entry DN: CN=Group,CN=Schema,CN=Configuration,DC=WINDOWS2003,DC=HOME
Entry modified successfully.
51:
CN=Group,CN=Schema,CN=Configuration,DC=WINDOWS2003,DC=HOME
Entry DN: CN=Group,CN=Schema,CN=Configuration,DC=WINDOWS2003,DC=HOME
Entry modified successfully.
52:
CN=Group,CN=Schema,CN=Configuration,DC=WINDOWS2003,DC=HOME
Entry DN: CN=Group,CN=Schema,CN=Configuration,DC=WINDOWS2003,DC=HOME
Add error on line 852: Unwilling To Perform
The server side error is: 0x20c5
Schema update failed: class in aux-class list does not exist or is not an auxiliary class.
The extended server error is:
000020C5: SvcErr: DSID-03260249, problem 5003 (WILL_NOT_PERFORM), data 8389
51 entries modified successfully.
An error has occurred in the program
It is this part of the dif file:
dn: CN=Group,CN=Schema,CN=Configuration,DC=WINDOWS2003,DC=HOME
changetype: ntdsSchemaModify
add: auxiliaryClass
auxiliaryClass: 1.3.6.1.1.1.2.2
I used ldifde -i -f filename (after changing DC=VAS,DC=DEV to DC=WINDOWS2003,DC=HOME)
Thanks
Markus
BTW I run in vmware and did a snapshot before running ldifde
----- Original Message -----
Sent: Monday, September 18, 2006 11:49 AM
Subject: Re: [nssldap] Re: nss_ldap using sasl with gssapi. Kerberos credentials cache problem[Scanned]
Markus,
you need "w2k3-r2-rfc2307.ldif" to add the schema items to a W2K0 or
W2K3 schema.
You may need the FixSFU files if you have installed SFU on the system
at any time in the past; these move SFU schema definitions out of the
way before applying the w2k3 upgrade.
Check that your schema is compatible before applying this. You must run
these updates separately and allow time for the forest to converge
before applying the next one.
A patch inside the nss library would not do what I wanted. I needed to
use keytabs that could not be read by the executing user to generate
credential caches that could.
I have submitted a later patch to the bugzilla @ padl.com that allows
the use of a central ccache if readable; otherwise it will use the
KRB5CCNAME environment or the local user's credentials. This has allowed
me to Kerberos-enable some daemons which use the nss_ldap to get names
of mailbox users, for example.
Howard.