bind to LDAP server produces "invalid credentials" error

Travis Bean tbean74 at gmail.com
Fri Sep 5 12:49:44 EDT 2025


On Sat, Aug 23, 2025 at 6:10 PM Travis Bean <tbean74 at gmail.com> wrote:
>
> On Fri, Aug 22, 2025 at 9:50 AM Travis Bean <tbean74 at gmail.com> wrote:
> >
> > On Thu, Aug 21, 2025 at 10:56 AM Greg Hudson <ghudson at mit.edu> wrote:
> > >
> > > On 8/20/25 23:43, Travis Bean wrote:
> > > > “Cannot bind to LDAP server ldapi:/// as
> > > > ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
> > > > - while initializing database.”
> > >
> > > This means libkdb_ldap called ldap_sasl_bind_s() and got back an
> > > LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP
> > > server didn't match the password from the service stash file.
>
> After extensive troubleshooting, I can definitely say this is a
> problem with my stash file.
>
> Perhaps there is a bug in kdb5_ldap_util since it is generating a
> malformed stash file.

My stash file is as follows:

cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}41646d696e4b6579
cn=adm-srv,cn=krbContainer,dc=example,dc=local#{HEX}41646d696e4b6579

In my bug report, I just assumed the stash file must be malformed, but
this might not be the case. Even though the stash file doesn't look
malformed, perhaps the algorithm for encoding the file is incorrect?
If the stash file is used to authenticate the KDC to itself
automatically before starting the kadmind and krb5kdc daemons, why
would these daemons be failing to start if the stash file is encoded
correctly?
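Added checker, not part of the thread or of MIT krb5: it parses stash lines in the `dn#{HEX}hexpassword` shape quoted above and reports the defects that most often turn a visually fine file into an "Invalid credentials" bind (stray CR/LF or spaces that become part of the DN or password, odd-length or non-hex digits, duplicated DNs, and a decoded password that differs from the one the LDAP server expects). The sample lines are constructed to match the two quoted in the message; the expected-password mapping is an assumption supplied by the caller. Note that `{HEX}` is plain hex encoding of the password bytes, not encryption, so the stash file is protected only by its file permissions.

```python
import binascii
import string

# Constructed sample: the two lines quoted in the message above.
SAMPLE_STASH = (
    "cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}41646d696e4b6579\n"
    "cn=adm-srv,cn=krbContainer,dc=example,dc=local#{HEX}41646d696e4b6579\n"
)

HEX_MARKER = "#{HEX}"


def parse_stash_line(line):
    """Return (dn, password_bytes) for one 'dn#{HEX}hex' line, or raise ValueError.

    Only the {HEX} form shown in the message is accepted here.
    """
    raw = line.rstrip("\n")
    if raw != raw.strip():
        # A trailing '\r' from a CRLF editor or a stray space lands here.
        raise ValueError("stray whitespace: it would be read as part of the DN or password")
    if HEX_MARKER not in raw:
        raise ValueError("no '#{HEX}' separator between DN and password")
    dn, _, hexpart = raw.partition(HEX_MARKER)
    if not dn:
        raise ValueError("empty DN")
    if len(hexpart) % 2 or any(c not in string.hexdigits for c in hexpart):
        raise ValueError("password is not valid even-length hex")
    return dn, binascii.unhexlify(hexpart)


def check_stash(text, expected):
    """Compare a stash file body against {dn: expected_password} and report findings.

    Returns a list of strings; an empty list means every expected DN is present
    exactly once with a printable password that matches what was supplied.
    """
    findings = []
    seen = {}
    for lineno, line in enumerate(text.splitlines(keepends=True), 1):
        if not line.strip():
            continue
        try:
            dn, pw = parse_stash_line(line)
        except ValueError as err:
            findings.append(f"line {lineno}: {err}")
            continue
        if dn in seen:
            findings.append(f"line {lineno}: duplicate entry for {dn}")
        seen[dn] = pw
        if any(b < 0x20 or b == 0x7F for b in pw):
            findings.append(f"line {lineno}: password for {dn} contains control characters")
    for dn, want in expected.items():
        if dn not in seen:
            findings.append(f"missing entry for {dn}")
        elif seen[dn] != want.encode():
            findings.append(f"password for {dn} does not match the expected value")
    return findings


if __name__ == "__main__":
    # Assumed expected passwords; replace with the values set on the LDAP entries.
    expected = {
        "cn=kdc-srv,cn=krbContainer,dc=example,dc=local": "AdminKey",
        "cn=adm-srv,cn=krbContainer,dc=example,dc=local": "AdminKey",
    }
    for finding in check_stash(SAMPLE_STASH, expected) or ["stash file looks consistent"]:
        print(finding)
```

Run it against the real file with `open(path).read()` in place of `SAMPLE_STASH`; an empty findings list narrows the problem to the LDAP side (the `userPassword` on the service entries, ACLs, or the ldapi:/// mapping) rather than the stash file itself.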
