KDC 1.15 startup error: Invalid credentials - while initializing database
Jaap Winius
jwinius at umrk.nl
Fri Apr 14 05:53:54 EDT 2017
Quoting "Pallissard, Matthew" <krb at pallissard.net>:
> Is it slapd reading its key tab incorrectly or is the hostname being
> derived incorrectly? Is this a host file issue?

IMO, this is slapd not reading its key table, as the host file does
not give information about the Kerberos principal needed for
authentication. I started out using a separate keytab file like on the
other systems, using this line in /etc/default/slapd:

    export KRB5_KTNAME=/etc/ldap/krb5-ldap.keytab

It's important to ensure that the openldap group has read access to
it. I've also tried using the default keytab file instead, applying
the same group access, but slapd continues to attempt to authenticate
with 'ldap/localhost@EXAMPLE.COM'.

Furthermore, /etc/hostname is fine, 'hostnamectl status' checks out
okay, there's nothing funny in /etc/hosts and the DNS forward and
reverse records are consistent.

So, this looks like a bug to me, but in what part of the software:
Kerberos, slapd, or some library, like libsasl2-modules-gssapi-mit?
I'm leaning towards the latter.

Cheers,
Jaap
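
The checks described in the message above (which keytab /etc/default/slapd selects, whether the openldap group can read it, and whether it holds a key for ldap/<fqdn>) can be scripted. This is an added example, not part of the original message; the function names and the host ldap1.example.com in the sample are hypothetical, and it assumes a stat that supports -c (GNU or busybox) and MIT klist.

```shell
#!/bin/sh
# Added example, not from the original message.

# Print the keytab path set by a KRB5_KTNAME line in a defaults file.
ktname_from_defaults() {
    sed -n -e 's/^[[:space:]]*export[[:space:]][[:space:]]*KRB5_KTNAME=//p' \
           -e 's/^[[:space:]]*KRB5_KTNAME=//p' "$1" | tail -n 1 | sed 's/^FILE://'
}

# Succeed if file $1 is owned by group $2 and has the group-read bit set.
group_can_read() {
    owner_group=$(stat -c '%G' "$1") || return 2
    mode=$(stat -c '%A' "$1") || return 2
    [ "$owner_group" = "$2" ] && [ "$(printf '%s' "$mode" | cut -c5)" = "r" ]
}

# Read `klist -k` output on stdin; succeed if it lists a key for ldap/$1.
keytab_has_ldap_principal() {
    awk -v want="ldap/$1@" \
        '$1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 } END { exit !found }'
}

# Constructed sample of `klist -k` output (hypothetical host ldap1.example.com).
SAMPLE_KLIST='Keytab name: FILE:/etc/ldap/krb5-ldap.keytab
KVNO Principal
---- ------------------------------------------------
   2 ldap/ldap1.example.com@EXAMPLE.COM'

# Run the checks against the live system (needs read access to the keytab).
check_slapd_keytab() {
    kt=$(ktname_from_defaults /etc/default/slapd)
    kt=${kt:-/etc/krb5.keytab}   # MIT default when KRB5_KTNAME is unset
    fqdn=$(hostname -f)
    rc=0
    group_can_read "$kt" openldap ||
        { echo "openldap cannot read $kt via group bits"; rc=1; }
    klist -k "$kt" | keytab_has_ldap_principal "$fqdn" ||
        { echo "no ldap/$fqdn key in $kt"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--check" ]; then check_slapd_keytab; fi
```

Run it with --check as root on the slapd host; a keytab that only holds a key for another name than ldap/<fqdn> is reported by the second check.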