KDC 1.15 startup error: Invalid credentials - while initializing database

t Seeger tseegerkrb at gmail.com
Thu Apr 13 07:53:08 EDT 2017


Hello,
please check what URI value is in '/etc/ldap/ldap.conf'. Are both set to ldapi:///?

Thorsten

Sent from my iPhone

> Am 13.04.2017 um 12:57 schrieb Jaap Winius <jwinius at umrk.nl>:
> 
> Hi folks,
> 
> My plan is to migrate away from three older Debian wheezy systems  
> running MIT Kerberos 1.10.1+dfsg-5+deb7u7 with an OpenLDAP  
> 2.4.31-2+deb7u2 backend to Debian stretch. The idea is to start by
> adding a slave system based on MIT Kerberos 1.15-1 and OpenLDAP  
> 2.4.44+dfsg-3. Only, there's this problem... :-)
> 
> Setting up the OpenLDAP backend on the stretch system went fine and a  
> copy of the DIT, which includes a fresh copy of the Kerberos database,  
> is present. But, when I attempt to start up the new KDC it fails with:
> 
>   krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details
> 
> The Kerberos log says:
> 
>   krb5kdc: Cannot bind to LDAP server 'ldapi://' as
>   'cn=kdc-srv,ou=krb5,dc=example,dc=com':
>   Invalid credentials - while initializing database for realm EXAMPLE.COM
> 
> The Kerberos master is kls1.example.com and the new slave is  
> kls4.example.com. The Kerberos configuration on the latter is  
> essentially the same as on the older slaves, kls2 and kls3. Here's the  
> /etc/krb5.conf on kls4:
> 
>   [libdefaults]
>    default_realm = EXAMPLE.COM
>    forwardable = true
>    proxiable = true
>    allow_weak_crypto = true
> 
>   [realms]
>    EXAMPLE.COM = {
>        kdc = kls4.example.com
>        admin_server = klsm.example.com
>        database_module = openldap_ldapconf
>    }
> 
>   [domain_realm]
>    .example.com = EXAMPLE.COM
>    example.com = EXAMPLE.COM
> 
>   [dbdefaults]
>    ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com
> 
>   [dbmodules]
>    openldap_ldapconf = {
>        db_library = kldap
>        ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=example,dc=com
>        ldap_service_password_file = /etc/krb5kdc/service.keyfile
>        ldap_conns_per_server = 5
>        disable_last_success = true
>        disable_lockout = true
>    }
> 
>   [logging]
>    kdc = FILE:/var/log/krb5/kdc.log
> 
> 
> And here's /etc/krb5kdc/kdc.conf on kls4:
> 
>   [kdcdefaults]
>    kdc_ports = 750,88
> 
>   [realms]
>    EXAMPLE.COM = {
>        key_stash_file = /etc/krb5kdc/stash
>        kdc_ports = 750,88
>        max_life = 1d 0h 0m 0s
>        max_renewable_life = 90d 0h 0m 0s
>        master_key_type = des3-hmac-sha1
>        supported_enctypes = aes256-cts:normal \
>           arcfour-hmac:normal des3-hmac-sha1:normal \
>           des-cbc-crc:normal des:normal des:v4 des:norealm \
>           des:onlyrealm des:afs3
>        default_principal_flags = +preauth
>    }
> 
> The credentials for cn=kdc-srv, the LDAP account for the KDC service,  
> are stored in /etc/krb5kdc/service.keyfile. This file, together with  
> the 'stash' file containing the KDC database master key were simply  
> copied from the old systems. The service.keyfile has a line in it that  
> looks like:
> 
>   cn=kdc-srv,ou=krb5,dc=example,dc=com#{HEX}3c9264892e086756
> 
> Finally, kls4.example.com has forward and reverse DNS entries that  
> match (for both IPv4 and IPv6) and time is synchronized with the  
> master, kls1.
> 
> Any idea what could be causing the aforementioned error? Have the  
> configuration requirements for Kerberos v1.15 changed since v1.10?
> 
> Thanks,
> 
> Jaap
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
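The report above comes down to one question: does the DN/password pair in service.keyfile actually bind to the slapd the new KDC talks to? The check below is an added example, not code from the thread or from MIT krb5: it parses the `<dn>#{HEX}<hex>` keyfile format shown in the post, looks up ldap_kdc_dn with an exact (case-sensitive) string match, which is assumed to be how krb5 selects the line, and then attempts the bind with OpenLDAP's `ldapwhoami` so slapd's own answer can be read without going through krb5kdc. The sample keyfile, its passwords and the `ldapi:///` URI are constructed; only the `{HEX}` line form is handled.

```python
"""Verify the KDC's LDAP service credentials outside krb5kdc."""
import binascii
import subprocess
import tempfile

# Constructed sample in the layout written by `kdb5_ldap_util stashsrvpw`;
# the passwords decode to "kdc-passwd01" and "adm-passwd01" (not real secrets).
SAMPLE_KEYFILE = (
    "cn=kdc-srv,ou=krb5,dc=example,dc=com#{HEX}6b64632d7061737377643031\n"
    "cn=adm-srv,ou=krb5,dc=example,dc=com#{HEX}61646d2d7061737377643031\n"
)


def parse_service_keyfile(text):
    """Map every DN in a service.keyfile to its decoded password (bytes)."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dn, sep, hexpart = line.partition("#{HEX}")
        if not sep:  # only the {HEX} form is supported here (assumption)
            raise ValueError("unexpected keyfile line: %r" % line)
        try:
            creds[dn] = binascii.unhexlify(hexpart)
        except binascii.Error as e:
            raise ValueError("bad hex for %s: %s" % (dn, e))
    return creds


def lookup(creds, kdc_dn):
    """Password for ldap_kdc_dn, or None when no line matches it exactly
    (no case folding or whitespace normalisation, so the DN in krb5.conf
    must equal the DN in the keyfile byte for byte)."""
    return creds.get(kdc_dn)


def bind_check(uri, dn, password):
    """Simple bind as `dn` via ldapwhoami; the password is passed with -y
    from a temporary file so it never appears in the process list.
    Returns (success, server message)."""
    with tempfile.NamedTemporaryFile() as pw:
        pw.write(password)
        pw.flush()
        r = subprocess.run(["ldapwhoami", "-x", "-H", uri, "-D", dn,
                            "-y", pw.name], capture_output=True, text=True)
    return r.returncode == 0, (r.stdout + r.stderr).strip()


if __name__ == "__main__":
    import sys
    dn = "cn=kdc-srv,ou=krb5,dc=example,dc=com"
    with open("/etc/krb5kdc/service.keyfile") as f:
        pw = lookup(parse_service_keyfile(f.read()), dn)
    if pw is None:
        sys.exit("no keyfile entry matches %s" % dn)
    ok, msg = bind_check("ldapi:///", dn, pw)
    print("bind OK" if ok else "bind FAILED: " + msg)
```

If `ldapwhoami` fails with the same "Invalid credentials" as the KDC log, the problem is in the LDAP entry or the stashed password rather than in krb5 1.15's configuration handling; if it succeeds, compare the URI the KDC actually uses with the one this check was run against.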


