KDC 1.15 startup error: Invalid credentials - while initializing database
Pallissard, Matthew
krb at pallissard.net
Thu Apr 13 10:34:44 EDT 2017
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
> Could it be that the required format or key type of one or both of these files has changed?
That I do not know.
> If so, then unless I can decrypt that HEX value it will probably be necessary to create a new realm.
I don't think that a new realm would be necessary. You could probably generate a new password/hash and reset it in LDAP.
You could also try pointing your new KDC to your old LDAP server to see whether or not the issue is with your LDAP instance or the KDC config.
You should check your slapd logs as well.
Also, now that I'm looking at config you originally posted a little more closely, it looks like you're missing the 'ldap_servers' line and that you've misspelled 'ladap_conns_per_server'.
FWIW here's a stripped down working config that I've used. I don't know if it follows best practice or not but it works for me. (I also just stick everything in /etc/krb5.conf)
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = 0
dns_lookup_kdc = 0
ticket_lifetime = 24h
renew_lifetime = 7d
fowardable = true
[realms]
EXAMPLE.COM = {
admin_server = server.example.com
kdc = server.example.com
acl_file = /etc/krb5kdc/example.com/kadm5.acl
default_domain = example.com
database_module = LDAP.example.com
key_stash_file = /etc/krb5kdc/example.com/example.com.sf
admin_keytab = /etc/krb5kdc/example.com/kadm.keytab
}
[dbdefaults]
[dbmodules]
LDAP.example.com = {
db_library = kldap
ldap_kdc_dn = "cn=kdc,dc=authentication"
ldap_kadmind_dn = "cn=adm,dc=authentication"
ldap_service_password_file = /etc/krb5kdc/example.com/example.com.keyfile
ldap_servers = ldapi://
ldap_kerberos_container_dn = "cn=krb,dc=authentication"
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[logging]
kdc = SYSLOG:debug:local1
admin-server = SYSLOG:debug:local2
default = SYSLOG:debug:auth
Matt Pallissard
On Thu, 2017-04-13 at 15:13 +0200, Jaap Winius wrote:
> Quoting "Pallissard, Matthew" <krb at pallissard.net>:
>
> > Do your cn=config databases match?
>
> Almost. The main difference is that the databases on the old systems
> are in an hdb format and the new one uses mdb, so there are a few
> olcDbConfig lines on the old systems that are not present in the new
> system.
>
> > Do you know what that hashed password actually is? Can you manually
> > bind with that username/pw and ldapsearch?
>
> Regrettably, no, I don't have the passwords. I copied the
> 'service.keyfile 'and 'stash' files from the old systems hoped it
> would work. Could it be that the required format or key type of one or
> both of these files has changed? If so, then unless I can decrypt that
> HEX value it will probably be necessary to create a new realm. If not,
> then it does make troubleshooting a bit more difficult.
>
> Thanks,
>
> Jaap
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQTvIUMPApUGn6YFkXl1uof+t048SQUCWO+MhAAKCRB1uof+t048
SSkVAQDTJdjwnaRZDolKfUEUzN4twMGjfwjjrRmmeIZ/gYWbLAD9Fb/nhgZLadQ0
etOJ1/cCNCbU1tjZqGjEAvXiaEb9zgE=
=BtWz
-----END PGP SIGNATURE-----
More information about the Kerberos
mailing list