KDC 1.15 startup error: Invalid credentials - while initializing database

Pallissard, Matthew krb at pallissard.net
Thu Apr 13 07:40:20 EDT 2017


What does your olcSyncrepl line for dc=example,dc=com look like?

Matt Pallissard


On Thu, 2017-04-13 at 12:57 +0200, Jaap Winius wrote:
> Hi folks,
> 
> My plan is to migrate away from three older Debian wheezy systems
> running MIT Kerberos 1.10.1+dfsg-5+deb7u7 with an OpenLDAP
> 2.4.31-2+deb7u2 backend to Debian stretch. The idea is to start by
> adding a slave system based on MIT Kerberos 1.15-1 and OpenLDAP
> 2.4.44+dfsg-3. Only, there's this problem... :-)
> 
> Setting up the OpenLDAP backend on the stretch system went fine and a
> copy of the DIT, which includes a fresh copy of the Kerberos database,
> is present. But, when I attempt to start up the new KDC it fails with:
> 
>    krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details
> 
> The Kerberos log says:
> 
>    krb5kdc: Cannot bind to LDAP server 'ldapi://' as
>    'cn=kdc-srv,ou=krb5,dc=example,dc=com':
>    Invalid credentials - while initializing database for realm EXAMPLE.COM
> 
> The Kerberos master is kls1.example.com and the new slave is
> kls4.example.com. The Kerberos configuration on the latter is
> essentially the same as on the older slaves, kls2 and kls3. Here's the
> /etc/krb5.conf on kls4:
> 
>    [libdefaults]
> 	default_realm = EXAMPLE.COM
> 	forwardable = true
> 	proxiable = true
> 	allow_weak_crypto = true
> 
>    [realms]
> 	EXAMPLE.COM = {
> 		kdc = kls4.example.com
> 		admin_server = klsm.example.com
> 		database_module = openldap_ldapconf
> 	}
> 
>    [domain_realm]
> 	.example.com = EXAMPLE.COM
> 	example.com = EXAMPLE.COM
> 
>    [dbdefaults]
> 	ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com
> 
>    [dbmodules]
> 	openldap_ldapconf = {
> 		db_library = kldap
> 		ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=example,dc=com
> 		ldap_service_password_file = /etc/krb5kdc/service.keyfile
> 		ladap_conns_per_server = 5
> 		disable_last_success = true
> 		disable_lockout = true
> 	}
> 
>    [logging]
> 	kdc = FILE:/var/log/krb5/kdc.log
> 
> 
> And here's /etc/krb5kdc/kdc.conf on kls4:
> 
>    [kdcdefaults]
> 	kdc_ports = 750,88
> 
>    [realms]
> 	EXAMPLE.COM = {
> 		key_stash_file = /etc/krb5kdc/stash
> 		kdc_ports = 750,88
> 		max_life = 1d 0h 0m 0s
> 		max_renewable_life = 90d 0h 0m 0s
> 		master_key_type = des3-hmac-sha1
> 		supported_enctypes = aes256-cts:normal \
> 		   arcfour-hmac:normal des3-hmac-sha1:normal \
> 		   des-cbc-crc:normal des:normal des:v4 des:norealm \
> 		   des:onlyrealm des:afs3
> 		default_principal_flags = +preauth
> 	}
> 
> The credentials for cn=kdc-srv, the LDAP account for the KDC service,
> are stored in /etc/krb5kdc/service.keyfile. This file, together with
> the 'stash' file containing the KDC database master key, was simply
> copied from the old systems. The service.keyfile has a line in it that
> looks like:
> 
>    cn=kdc-srv,ou=krb5,dc=example,dc=com#{HEX}3c9264892e086756
> 
> Finally, kls4.example.com has forward and reverse DNS entries that
> match (for both IPv4 and IPv6) and time is synchronized with the
> master, kls1.
> 
> Any idea what could be causing the aforementioned error? Have the  
> configuration requirements for Kerberos v1.15 changed since v1.10?
> 
> Thanks,
> 
> Jaap
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
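An added example, not from either poster: a POSIX shell check for the failure quoted above. It pulls the `DN#{HEX}...` entry for `ldap_kdc_dn` out of a service.keyfile, hex-decodes the stored password, and performs the same simple bind over `ldapi://` that krb5kdc attempts at startup, so a mismatch between the copied keyfile and the slave's LDAP entry shows up before the KDC is started. The sample keyfile line and the password "secret42" are constructed for the example; `check_bind` needs `ldapwhoami` from ldap-utils.

```shell
#!/bin/sh
# Constructed sample in the format krb5's kldap backend uses for
# ldap_service_password_file: "<bind DN>#{HEX}<hex-encoded password>".
# The password ("secret42") is made up for this example.
SAMPLE_KEYFILE=$(mktemp)
printf '%s\n' 'cn=kdc-srv,ou=krb5,dc=example,dc=com#{HEX}7365637265743432' \
  > "$SAMPLE_KEYFILE"

# hex_decode HEXSTRING -> writes the raw bytes to stdout (POSIX sh only)
hex_decode() {
  hex=$1
  [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd-length hex string" >&2; return 1; }
  while [ -n "$hex" ]; do
    pair=${hex%"${hex#??}"}          # first two hex digits
    hex=${hex#??}
    printf "\\$(printf '%03o' "0x$pair")"   # emit one byte via octal escape
  done
}

# keyfile_password FILE DN -> prints the stored password for DN, fails if absent
keyfile_password() {
  file=$1; dn=$2
  hex=$(grep -F -e "${dn}#{HEX}" "$file" | head -n 1 | sed 's/^.*#{HEX}//')
  if [ -z "$hex" ]; then
    echo "no entry for '$dn' in $file" >&2
    return 1
  fi
  hex_decode "$hex"
}

# check_bind FILE DN [URI] -> the simple bind the KDC does at startup;
# a failure here is the same condition logged as 'Invalid credentials'.
check_bind() {
  file=$1; dn=$2; uri=${3:-ldapi://}
  pw=$(keyfile_password "$file" "$dn") || return 1
  if ldapwhoami -x -H "$uri" -D "$dn" -w "$pw" >/dev/null 2>&1; then
    echo "bind as $dn to $uri OK"
  else
    echo "bind as $dn to $uri FAILED" >&2
    return 1
  fi
}

# Decode the constructed sample (no LDAP server is contacted here):
keyfile_password "$SAMPLE_KEYFILE" 'cn=kdc-srv,ou=krb5,dc=example,dc=com'; echo
# On the slave the real check would be:
#   check_bind /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=example,dc=com
```

If the bind fails with the decoded password but succeeds with the password held in the master's keyfile, the LDAP entry for the KDC DN on the new host (or its replicated userPassword) is what differs, not the krb5 configuration.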

