Hello, please check what URI value is in '/etc/ldap/ldap.conf'. Are both set to ldapi:///?
Thorsten

Sent from my iPhone

> On 13.04.2017 at 12:57, Jaap Winius <jwin...@umrk.nl> wrote:
>
> Hi folks,
>
> My plan is to migrate away from three older Debian wheezy systems
> running MIT Kerberos 1.10.1+dfsg-5+deb7u7 with an OpenLDAP
> 2.4.31-2+deb7u2 backend to Debian stretch. The idea is to start by
> adding a slave system based on MIT Kerberos 1.15-1 and OpenLDAP
> 2.4.44+dfsg-3. Only, there's this problem... :-)
>
> Setting up the OpenLDAP backend on the stretch system went fine and a
> copy of the DIT, which includes a fresh copy of the Kerberos database,
> is present. But, when I attempt to start up the new KDC it fails with:
>
>   krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details
>
> The Kerberos log says:
>
>   krb5kdc: Cannot bind to LDAP server 'ldapi://' as
>   'cn=kdc-srv,ou=krb5,dc=example,dc=com':
>   Invalid credentials - while initializing database for realm EXAMPLE.COM
>
> The Kerberos master is kls1.example.com and the new slave is
> kls4.example.com. The Kerberos configuration on the latter is
> essentially the same as on the older slaves, kls2 and kls3. Here's the
> /etc/krb5.conf on kls4:
>
>   [libdefaults]
>       default_realm = EXAMPLE.COM
>       forwardable = true
>       proxiable = true
>       allow_weak_crypto = true
>
>   [realms]
>       EXAMPLE.COM = {
>           kdc = kls4.example.com
>           admin_server = klsm.example.com
>           database_module = openldap_ldapconf
>       }
>
>   [domain_realm]
>       .example.com = EXAMPLE.COM
>       example.com = EXAMPLE.COM
>
>   [dbdefaults]
>       ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com
>
>   [dbmodules]
>       openldap_ldapconf = {
>           db_library = kldap
>           ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=example,dc=com
>           ldap_service_password_file = /etc/krb5kdc/service.keyfile
>           ladap_conns_per_server = 5
>           disable_last_success = true
>           disable_lockout = true
>       }
>
>   [logging]
>       kdc = FILE:/var/log/krb5/kdc.log
>
>
> And here's /etc/krb5kdc/kdc.conf on kls4:
>
>   [kdcdefaults]
>       kdc_ports = 750,88
>
>   [realms]
>       EXAMPLE.COM = {
>           key_stash_file = /etc/krb5kdc/stash
>           kdc_ports = 750,88
>           max_life = 1d 0h 0m 0s
>           max_renewable_life = 90d 0h 0m 0s
>           master_key_type = des3-hmac-sha1
>           supported_enctypes = aes256-cts:normal \
>               arcfour-hmac:normal des3-hmac-sha1:normal \
>               des-cbc-crc:normal des:normal des:v4 des:norealm \
>               des:onlyrealm des:afs3
>           default_principal_flags = +preauth
>       }
>
> The credentials for cn=kdc-srv, the LDAP account for the KDC service,
> are stored in /etc/krb5kdc/service.keyfile. This file, together with
> the 'stash' file containing the KDC database master key, were simply
> copied from the old systems. The service.keyfile has a line in it that
> looks like:
>
>   cn=kdc-srv,ou=krb5,dc=example,dc=com#{HEX}3c9264892e086756
>
> Finally, kls4.example.com has forward and reverse DNS entries that
> match (for both IPv4 and IPv6) and time is synchronized with the
> master, kls1.
>
> Any idea what could be causing the aforementioned error? Have the
> configuration requirements for Kerberos v1.15 changed since v1.10?
>
> Thanks,
>
> Jaap
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
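As an added worked example (it is not from this thread, nor MIT Kerberos or OpenLDAP code), the following Python script performs the checks Thorsten's reply points at before anyone touches slapd: it reads the active URI line of /etc/ldap/ldap.conf, decodes the {HEX} entry in /etc/krb5kdc/service.keyfile, compares the URI the KDC uses (ldap_servers from [dbmodules], or ldapi:// when that tag is absent, which is the URI the log line in the thread shows) with the client default, and assembles an ldapwhoami simple-bind command that reproduces exactly the bind krb5kdc attempts. The ldap.conf and keyfile contents are constructed samples with a made-up password, /root/kdc-bind.pw is an assumed path for the decoded password, and ldapwhoami from ldap-utils is assumed to be installed.

```python
"""Offline pre-checks for a kldap 'Invalid credentials' bind failure (added example)."""
import binascii
import os
from typing import Dict, List, Optional

# Constructed sample of /etc/ldap/ldap.conf; not copied from any real host.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client defaults (constructed sample)
BASE   dc=example,dc=com
#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666
URI    ldapi:///
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
"""

# Constructed sample of /etc/krb5kdc/service.keyfile. The {HEX} blob encodes
# the made-up password "kdc-pass"; it is not the value quoted in the thread.
SAMPLE_SERVICE_KEYFILE = "cn=kdc-srv,ou=krb5,dc=example,dc=com#{HEX}6b64632d70617373\n"

KDC_DN = "cn=kdc-srv,ou=krb5,dc=example,dc=com"


def ldap_conf_uris(text: str) -> List[str]:
    """Return the URIs from the last active 'URI' line of an ldap.conf.

    Keywords are case-insensitive and '#' starts a comment, so a commented
    out '#URI' line (as in the Debian default file) is skipped.
    """
    uris: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and line.split()[0].upper() == "URI":
            uris = line.split()[1:]   # a later URI line overrides an earlier one
    return uris


def parse_service_keyfile(text: str) -> Dict[str, bytes]:
    """Map each DN in a 'kdb5_ldap_util stashsrvpw' keyfile to its password.

    Each line has the form '<dn>#{HEX}<hex password>', as quoted in the thread.
    """
    creds: Dict[str, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "#{HEX}" not in line:
            raise ValueError(f"line {lineno}: expected '<dn>#{{HEX}}<hex>'")
        dn, hexpw = line.rsplit("#{HEX}", 1)
        try:
            creds[dn] = binascii.unhexlify(hexpw)
        except binascii.Error as exc:
            raise ValueError(f"line {lineno}: bad hex for {dn}: {exc}") from exc
    return creds


def write_password_file(path: str, password: bytes) -> None:
    """Store the decoded password mode 0600 so it can be handed to
    'ldapwhoami -y' instead of appearing on the command line in 'ps'."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(password)


def bind_check_command(uri: str, dn: str, password_file: str) -> List[str]:
    """argv for a simple bind test that mirrors the bind krb5kdc attempts."""
    return ["ldapwhoami", "-x", "-H", uri, "-D", dn, "-y", password_file]


def _norm(uri: str) -> str:
    # 'ldapi://' and 'ldapi:///' both denote the default local socket.
    return uri.rstrip("/")


def diagnose(ldap_conf: str, keyfile: str, kdc_dn: str,
             ldap_servers: Optional[List[str]] = None,
             password_file: str = "/root/kdc-bind.pw") -> dict:
    """Collect the facts the reply asks about, without contacting LDAP.

    password_file is an assumed path; call write_password_file() with the
    decoded password before running the returned ldapwhoami commands.
    """
    client_uris = ldap_conf_uris(ldap_conf)
    # With no ldap_servers tag in [dbmodules], kldap binds to 'ldapi://',
    # which is the URI shown in the KDC log line quoted in the thread.
    kdc_uris = ldap_servers or ["ldapi://"]
    creds = parse_service_keyfile(keyfile)
    return {
        "client_uris": client_uris,
        "kdc_uris": kdc_uris,
        "uri_mismatch": {_norm(u) for u in kdc_uris} != {_norm(u) for u in client_uris},
        "dn_in_keyfile": kdc_dn in creds,
        "bind_commands": [bind_check_command(u, kdc_dn, password_file) for u in kdc_uris],
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LDAP_CONF, SAMPLE_SERVICE_KEYFILE, KDC_DN)
    for key, value in report.items():
        print(f"{key}: {value}")
```

If ldapwhoami with the decoded password also answers "Invalid credentials" (LDAP result code 49), slapd itself is rejecting the DN/password pair, so the userPassword on the cn=kdc-srv entry in the copied DIT is what to compare against the keyfile. If ldapwhoami succeeds but krb5kdc still fails, the two are not talking to the same socket or URI, which is the mismatch the script flags. The -y option keeps the bind password out of the process list, which matters on a shared KDC host.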