KDC 1.15 startup error: Invalid credentials - while initializing database

Jaap Winius jwinius at umrk.nl
Thu Apr 13 13:38:33 EDT 2017

Quoting "Pallissard, Matthew" <krb at pallissard.net>:

> You could also try pointing your new KDC to your old LDAP server to  
> see whether or not the issue is with your LDAP instance or the KDC  
> config.

That worked. In other words, the problem is with the new slapd server.

> You should check your slapd logs as well.

Nothing new there. Hold on! How can I have missed this?

   slapd[560]: GSSAPI Error: Unspecified GSS failure. \
   Minor code may provide more information \
   (Server ldap/localhost@EXAMPLE.COM not found in Kerberos database)

So, it's attempting to authenticate to the Kerberos master as  
'localhost'... and it turns out that I had not successfully replicated  
the DIT after all. Doh!

> Also, now that I'm looking at config you originally posted a little  
> more closely, it looks like you're missing the 'ldap_servers' line ...

Omitting that line causes it to connect to ldapi:///. It probably  
doesn't make a difference, since I don't use it elsewhere, but I'll  
keep an eye on it.

> and that you've misspelled 'ladap_conns_per_server'.

Thanks for spotting that. It's a mistake I made years ago and never  
noticed. But, in this case fixing it made no difference.

> FWIW here's a stripped down working config that I've used.

I'll check it out later after I've fixed the localhost problem.
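
Added example, not part of the original message or of any project's code: a small log check that pulls the missing service principal out of slapd GSSAPI errors like the one quoted above and flags a host part such as 'localhost'. The function names, the sample log text and the "suspect host" heuristic are assumptions made for illustration.

```python
import re

# Constructed sample input: one unrelated line plus the error quoted above.
SAMPLE_LOG = """\
slapd[560]: slapd starting
slapd[560]: GSSAPI Error: Unspecified GSS failure. \\
Minor code may provide more information \\
(Server ldap/localhost at EXAMPLE.COM not found in Kerberos database)
"""

MISSING = re.compile(
    r"GSSAPI Error:.*\(Server (?P<princ>.+?) not found in Kerberos database\)")
PRINCIPAL = re.compile(
    r"^(?P<service>[^/@\s]+)/(?P<host>[^/@\s]+)@(?P<realm>[^@\s]+)$")


def join_continuations(text):
    """Rejoin lines split with a trailing backslash, as in the excerpt."""
    return re.sub(r"\s*\\\s*\n\s*", " ", text)


def missing_service_principals(log_text):
    """Return one dict per 'Server ... not found in Kerberos database' error."""
    findings = []
    for line in join_continuations(log_text).splitlines():
        m = MISSING.search(line)
        if not m:
            continue
        # List archives often print '@' as ' at '; undo that before parsing.
        princ = m.group("princ").replace(" at ", "@")
        entry = {"principal": princ, "service": None, "host": None,
                 "realm": None, "suspect_host": None}
        p = PRINCIPAL.match(princ)
        if p:
            entry.update(p.groupdict())
            host = entry["host"].lower()
            # Assumed heuristic: a loopback or unqualified host part is
            # unlikely to have a matching key in the Kerberos database.
            entry["suspect_host"] = host.startswith("localhost") or "." not in host
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for finding in missing_service_principals(SAMPLE_LOG):
        print(finding)
```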



