ChinaUnix forum thread

[ldap] kerberos+ldap configuration problem, please help!!

Post #1, 2012-11-12 00:33
Gurus, I'm new to LDAP and want to store Kerberos users in it. After configuring everything, Kerberos cannot write data into LDAP. Please help!! Part of the configuration is below.

slapd.conf:

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          123456
directory       /var/lib/ldap
index krbPrincipalName                  eq,pres,sub



krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
  database_module = openldap_ldapconf
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

[dbdefaults]
ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com

[dbmodules]
openldap_ldapconf = {
  db_library = kldap
  ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com
  ldap_kdc_dn = "cn=admin,ou=krb5,dc=example,dc=com"
  ldap_kadmind_dn = "cn=admin,ou=krb5,dc=example,dc=com"
  ldap_service_password_file = /etc/kerberos/service.keyfile
  ldap_servers = ldap://test2.example.com
  ldap_conns_per_server = 5
}


Everything starts up normally, and I can see the data on the KDC:
kadmin.local      
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  listprincs
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kerberos.example.com@EXAMPLE.COM
The corresponding LDAP data:
# K/M@EXAMPLE.COM, EXAMPLE.COM, krb5, example.com
dn: krbPrincipalName=K/M@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com
krbMaxTicketLife: 86400
krbMaxRenewableAge: 0
krbTicketFlags: 64
krbPrincipalName: K/M@EXAMPLE.COM
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MF2gAwIBAaEDAgEBogMCAQGjAwIBAKRHMEUwQ6FBMD+gAwIBEKE4BDYYANNu
 hVzHQ9szgEljpeeKj/uJR/pQncr1+ecYAtfAjfG7BCJG4+XGsyWLwscMORIfyHwc54g=
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAJAFp9QZGJfY3JlYXRpb25ARVhBTVBMRS5DT00A
krbExtraData:: AAcBAAIAAisAAAAAAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux

# krbtgt/EXAMPLE.COM@EXAMPLE.COM, EXAMPLE.COM, krb5, example.com
dn: krbPrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=
 example,dc=com
krbMaxTicketLife: 86400
krbMaxRenewableAge: 0
krbTicketFlags: 0
krbPrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBx6ADAgEBoQMCAQGiAwIBAaMDAgEApIIBrzCCAaswS6FJMEegAwIBEqFA
 BD4gAEvL5fU71+daL5Lch4dlM9CeTi4iX0M42CQ6UI26ATmD+EnYyTXKaZFZYWWBrEN5kFPG+2Q+a
 vD2TCZF6DA7oTkwN6ADAgERoTAELhAA/ua/8YOisdYlNOE6cdqWowJRo2Nd7poQDea7HaqbV4Fgta
 86GVJbxCkVLzMwQ6FBMD+gAwIBEKE4BDYYAMN9uik6+ZNyT9pWgfunaCrpMlyH90Rm6VN0QxypoCe
 +oYq0hHrQOizv0f6bvSu9vKVHnDUwO6E5MDegAwIBF6EwBC4QAMwVy0xujDDjpEQ1SbpDi0e6IqIr
 jeTjlNm5ENC/uFuZKB/IxB6iKjf83nIdMDOhMTAvoAMCAQihKAQmCACfVSm2pdmQKZ7DqFgsPiBPK
 YxWwk/K6S0LkuqRxXYncUpjdv8wM6ExMC+gAwIBA6EoBCYIAEP2dr89phY1mfD41nvHvUkDD8UFrK
 QbMpOjkd99IhTfPeKK6DAzoTEwL6ADAgEBoSgEJggA0P7N6jKvlbMAzdjon4viOTH1cnwb7LlrMMY
 M1DLnat39h+zS
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAJAFp9QZGJfY3JlYXRpb25ARVhBTVBMRS5DT00A
krbExtraData:: AAcBAAIAAisAAAAAAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux

# kadmin/admin@EXAMPLE.COM, EXAMPLE.COM, krb5, example.com
dn: krbPrincipalName=kadmin/admin@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=exampl
 e,dc=com
krbMaxTicketLife: 10800
krbMaxRenewableAge: 0
krbTicketFlags: 4
krbPrincipalName: kadmin/admin@EXAMPLE.COM
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBx6ADAgEBoQMCAQGiAwIBAaMDAgEApIIBrzCCAaswS6FJMEegAwIBEqFA
 BD4gAIBpXDcdZTiqatH7GYZ2mcYgKZsthhJpRVT2YaToRYXrTghzQH4LQBqWvYIWjXFtIJ+9KyPxo
 yLL6k2dbTA7oTkwN6ADAgERoTAELhAAQ1R0GyYTM4zI0SxUMLNFFR4Ta6TKurAW7Owhi6N4x8msri
 PJdGhvKHTpwbQwQ6FBMD+gAwIBEKE4BDYYAM3ngcn+OrlZk06fu6C5+/H+qyV5wASEo7f3EvAlMw4
 wmB50p0iaMqpxW8adNOdWAEbInDAwO6E5MDegAwIBF6EwBC4QAPrQmtoN1uv/4VHSEiZueoAuH+9c
 msJqtfRItb8uqMffu+hNrNjIt+3rwVFOMDOhMTAvoAMCAQihKAQmCAASoK0k9SSvHrBcEOMmvhZLu
 ZllweiksfqcKlmqsczl3HmsWO0wM6ExMC+gAwIBA6EoBCYIAFWvQ8LXP4Rq/71mjo4XNbEVIrgiEn
 8EH1Yrb1AiJGVKQ3Fp/TAzoTEwL6ADAgEBoSgEJggAk7RGY+GrgvcOj1o4O5854CZhnL/eCte4I/s
 m4XWNXN0xeVWX
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAJAFp9QZGJfY3JlYXRpb25ARVhBTVBMRS5DT00A
krbExtraData:: AAcBAAIAAisAAGlvbkA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
...

But adding a principal just doesn't work:
kadmin.local:  addprinc -x dn="uid=aaa,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com" aaa         
WARNING: no policy specified for aaa@EXAMPLE.COM; defaulting to no policy
Enter password for principal "aaa@EXAMPLE.COM":
Re-enter password for principal "aaa@EXAMPLE.COM":
add_principal: No such entry in the database while creating "aaa@EXAMPLE.COM".

It fails with the error above. Any advice would be much appreciated.
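As an added example (editor's code, not part of the original post and not MIT Kerberos code), the Python script below parses an LDIF dump like the one above, decodes the krbExtraData values (kldap stores each kdb tl_data as a 2-byte big-endian type followed by the tl_data contents; for MOD_PRINC that is a little-endian 32-bit time_t plus the NUL-terminated modifying principal) and checks, against the dump, the precondition of the command that fails above: per the kadmin manual, `-x dn=` names an LDAP entry that already exists and receives the Kerberos attributes, while `-x containerdn=` creates a new entry under the given container. The sample LDIF is constructed from two entries of the dump above; `summarize`, `check_target_dn`, `TL_NAMES` and the row field names are this example's own, and the DN comparison is a simplified one (no RFC 4514 escape handling).

```python
"""Added example, not from the original post: parse an LDIF dump of a kldap
realm container, decode the krbExtraData tl_data blobs and check whether a DN
handed to 'addprinc -x dn=' already exists in the dump."""
import base64
import struct
from datetime import datetime, timezone

# kdb.h tl_data type codes; kldap writes each tl_data into krbExtraData as a
# 2-byte big-endian type followed by the raw tl_data contents.
TL_NAMES = {1: "LAST_PWD_CHANGE", 2: "MOD_PRINC", 3: "KADM_DATA"}

# Constructed sample: two entries copied from the thread's dump, keeping the
# folded continuation line (leading space) and the base64 '::' values.
SAMPLE_LDIF = """\
# K/M@EXAMPLE.COM, EXAMPLE.COM, krb5, example.com
dn: krbPrincipalName=K/M@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com
krbTicketFlags: 64
krbPrincipalName: K/M@EXAMPLE.COM
krbPrincipalExpiration: 19700101000000Z
krbExtraData:: AAJAFp9QZGJfY3JlYXRpb25ARVhBTVBMRS5DT00A
krbExtraData:: AAcBAAIAAisAAAAAAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux

# krbtgt/EXAMPLE.COM@EXAMPLE.COM, EXAMPLE.COM, krb5, example.com
dn: krbPrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM,cn=EXAMPLE.COM,ou=krb5,dc=
 example,dc=com
krbPrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krbExtraData:: AAJAFp9QZGJfY3JlYXRpb25ARVhBTVBMRS5DT00A
objectClass: krbPrincipal
"""

def parse_ldif(text):
    """Return [{'dn': str, 'attrs': {name: [values]}}] (RFC 2849): '::'
    values are base64 and come back as bytes, plain values as str."""
    lines = []
    for raw in text.splitlines():      # a leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, cur = [], None
    for line in lines + [""]:          # the extra "" flushes the last record
        if not line.strip():
            if cur is not None:
                records.append(cur)
            cur = None
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
            if name == "dn":
                cur = {"dn": value.decode() if isinstance(value, bytes) else value, "attrs": {}}
            else:
                cur["attrs"].setdefault(name, []).append(value)
    return records

def decode_extra_data(blob):
    """(type_name, payload) for one krbExtraData value; MOD_PRINC payload is
    (modification time, modifying principal), other types stay raw bytes."""
    (tl_type,) = struct.unpack(">H", blob[:2])
    body = blob[2:]
    if tl_type == 2:  # KRB5_TL_MOD_PRINC
        # 32-bit little-endian time_t, then the NUL-terminated modifier principal
        (mod_date,) = struct.unpack("<I", body[:4])
        who = body[4:].split(b"\0", 1)[0].decode()
        return "MOD_PRINC", (datetime.fromtimestamp(mod_date, timezone.utc), who)
    return TL_NAMES.get(tl_type, "type %d" % tl_type), body

def summarize(text):
    """One row per krbPrincipal entry: who last modified it and when."""
    rows = []
    for rec in parse_ldif(text):
        attrs = rec["attrs"]
        if "krbPrincipal" not in attrs.get("objectClass", []):
            continue
        row = {"principal": attrs["krbPrincipalName"][0], "modified_at": None,
               "modified_by": None, "other_tl_types": []}
        for blob in attrs.get("krbExtraData", []):
            kind, payload = decode_extra_data(blob)
            if kind == "MOD_PRINC":
                row["modified_at"], row["modified_by"] = payload[0].isoformat(), payload[1]
            else:
                row["other_tl_types"].append(kind)
        rows.append(row)
    return rows

def check_target_dn(records, target_dn):
    """'addprinc -x dn=<target>' adds Kerberos attributes to an entry that must
    already exist. Returns (target exists in dump, target's parent already holds
    principals). Case-insensitive; escaped commas in RDNs are not handled."""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    dns = {norm(r["dn"]) for r in records}
    parents = {norm(r["dn"].split(",", 1)[1]) for r in records}
    return norm(target_dn) in dns, norm(target_dn.split(",", 1)[1]) in parents

if __name__ == "__main__":
    for row in summarize(SAMPLE_LDIF):
        print(row)
    print(check_target_dn(parse_ldif(SAMPLE_LDIF), "uid=aaa,cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com"))
```

On the sample, the MOD_PRINC data decodes to `db_creation@EXAMPLE.COM` with a timestamp of 2012-11-11 03:06:40 UTC, which is what `kdb5_util create` records when it writes the initial principals; the second krbExtraData value (type 7) is reported by number only, since the script does not decode it. `check_target_dn` returns `(False, True)` for the `uid=aaa,...` DN: the entry is absent from the dump, while its parent `cn=EXAMPLE.COM,ou=krb5,dc=example,dc=com` is the container the existing principals live under. Run the same check against a fresh `slapcat` of the live directory before trusting the result, since the dump in a forum post is a snapshot.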

Post #2, 2012-11-12 10:11
Bump ~~~~

Post #3 (honorary member), 2012-11-12 11:24
Why set up kerberos + ldap at all?

If that's what you're after, why not just set up a Windows AD?

Post #4, 2012-11-12 11:48
The environment is all Linux, so that's not an option.
Can anyone solve this?