KDC 1.15 startup error: Invalid credentials - while initializing database

Jaap Winius jwinius at umrk.nl
Thu Apr 13 06:57:34 EDT 2017

Hi folks,

My plan is to migrate away from three older Debian wheezy systems  
running MIT Kerberos 1.10.1+dfsg-5+deb7u7 with an OpenLDAP  
2.4.31-2+deb7u2 backend to Debian stretch. The idea it to start by  
adding a slave system based on MIT Kerberos 1.15-1 and OpenLDAP  
2.4.44+dfsg-3. Only, there's this problem... :-)

Setting up the OpenLDAP backend on the stretch system went fine and a  
copy of the DIT, which includes a fresh copy of the Kerberos database,  
is present. But, when I attempt to start up the new KDC it fails with:

   krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details

The Kerberos log says:

   krb5kdc: Cannot bind to LDAP server 'ldapi://' as
   Invalid credentials - while initializing database for realm EXAMPLE.COM

The Kerberos master is kls1.example.com and the new slave is  
kls4.example.com. The Kerberos configuration on the latter is  
essentially the same as on the older slaves, kls2 and kls3. Here's the  
/etc/krb5.conf on kls4:

	default_realm = EXAMPLE.COM
	forwardable = true
	proxiable = true
	allow_weak_crypto = true

		kdc = kls4.example.com
		admin_server = klsm.example.com
		database_module = openldap_ldapconf

	.example.com = EXAMPLE.COM
	example.com = EXAMPLE.COM

	ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com

	openldap_ldapconf = {
		db_library = kldap
		ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=example,dc=com
		ldap_service_password_file = /etc/krb5kdc/service.keyfile
		ladap_conns_per_server = 5
		disable_last_success = true
		disable_lockout = true

	kdc = FILE:/var/log/krb5/kdc.log

And here's /etc/krb5kdc/kdc.conf on kls4:

	kdc_ports = 750,88

		key_stash_file = /etc/krb5kdc/stash
		kdc_ports = 750,88
		max_life = 1d 0h 0m 0s
		max_renewable_life = 90d 0h 0m 0s
		master_key_type = des3-hmac-sha1
		supported_enctypes = aes256-cts:normal \
		   arcfour-hmac:normal des3-hmac-sha1:normal \
		   des-cbc-crc:normal des:normal des:v4 des:norealm \
		   des:onlyrealm des:afs3
		default_principal_flags = +preauth

The credentials for cn=kdc-srv, the LDAP account for the KDC service,  
are stored in /etc/krb5kdc/service.keyfile. This file, together with  
the 'stash' file containing the KDC database master key were simply  
copied from the old systems. The service.keyfile has a line in it that  
looks like:


Finally, kls4.example.com has forward and reverse DNS entries that  
match (for both IPv4 and IPv6) and time is synchronized with the  
master, kls1.

Any idea what could be causing the aforementioned error? Have the  
configuration requirements for Kerberos v1.15 changed since v1.10?



More information about the Kerberos mailing list