KDC 1.15 startup error: Invalid credentials - while initializing database

Jaap Winius jwinius at umrk.nl
Fri Apr 14 05:53:54 EDT 2017

Quoting "Pallissard, Matthew" <krb at pallissard.net>:

> Is it slapd reading its key tab incorrectly or is the hostname being  
> derived incorrectly.  Is this a host file issue?

IMO, this is slapd not reading its key table, as the host file does  
not give information about the Kerberos principal needed for  
authentication. I started out using a separate keytab file like on the  
other systems, using this line in /etc/default/slapd:

   export KRB5_KTNAME=/etc/ldap/krb5-ldap.keytab

It's important to ensure that the openldap group has read access to  
it. I've also tried using the default keytab file instead, applying  
the same group access, but slapd continues to attempt to authenticate  
with 'ldap/localhost at EXAMPLE.COM'.

Furthermore, /etc/hostname is fine, 'hostnamectl status' checks out  
okay, there's nothing funny in /etc/hosts and the DNS forward and  
reverse records are consistent.

So, this looks like a bug to me, but in what part of the software:  
Kerberos, slapd, or some library, like libsasl2-modules-gssapi-mit?  
I'm leaning towards the latter.



More information about the Kerberos mailing list