Quoting "Pallissard, Matthew" :
> Is it slapd reading its key tab incorrectly or is the hostname being
> derived incorrectly. Is this a host file issue?
IMO, this is slapd not reading its key table, as the host file does
not give information about the Kerberos principal needed for
authenti
du
Subject: Re: KDC 1.15 startup error: Invalid credentials - while initializing
database
Quoting Jaap Winius :
>slapd[560]: GSSAPI Error: Unspecified GSS failure. \
>Minor code may provide more information \
>(Server ldap/localh...@example.com not found in Kerberos database)
Quoting Jaap Winius :
>slapd[560]: GSSAPI Error: Unspecified GSS failure. \
>Minor code may provide more information \
>(Server ldap/localh...@example.com not found in Kerberos database)
Invalid credentials? It's because of this. Slapd should discover its
identity by reading its key
Quoting "Pallissard, Matthew" :
> You could also try pointing your new KDC to your old LDAP server to
> see whether or not the issue is with your LDAP instance or the KDC
> config.
That worked. In other words, the problem is with the new slapd server.
> You should check your slapd logs as we
On 04/13/2017 09:13 AM, Jaap Winius wrote:
> Regrettably, no, I don't have the passwords. I copied the
> 'service.keyfile' and 'stash' files from the old systems and hoped it
> would work. Could it be that the required format or key type of one or
> both of these files has changed? If so, then un
> Could it be that the required format or key type of one or both of these
> files has changed?
That I do not know.
> If so, then unless I can decrypt that HEX value it will probably be necessary
> to create a new realm.
I don't think that a new
Quoting "Pallissard, Matthew" :
> Do your cn=config databases match?
Almost. The main difference is that the databases on the old systems
are in an hdb format and the new one uses mdb, so there are a few
olcDbConfig lines on the old systems that are not present in the new
system.
> Do you
Quoting t Seeger :
> please check what URI value is in '/etc/ldap/ldap.conf'. Are both
> set to ldapi:///?
Both? I had the URI value in /etc/ldap/ldap.conf set like this:
URI ldap://kls4.example.com/
So I tried it with:
URI ldapi:///
And I also tried these variations:
URI ldap
Hmm,
Do your cn=config databases match?
Do you know what that hashed password actually is? Can you manually bind with
that username/pw and ldapsearch?
Matt Pallissard
On Thu, 2017-04-13 at 14:02 +0200, Jaap Winius wrote:
> Quoting "Pallissard, Matthew" :
>
> > What does your olcSyncrepl line
Quoting "Pallissard, Matthew" :
> What does your olcSyncrepl line for dc=example,dc=com look like?
olcSyncrepl: {0}rid=123 provider="ldap://klsm.example.com:389/"; type=refreshAn
 dPersist retry="60 30 300 +" searchbase="dc=example,dc=com" bindmethod=sasl s
 aslmech=gssapi
The OpenLDAP configu
Hello,
please check what URI value is in '/etc/ldap/ldap.conf'. Are both set to
ldapi:///?
Thorsten
Sent from my iPhone
> On 13.04.2017 at 12:57, Jaap Winius wrote:
>
> Hi folks,
>
> My plan is to migrate away from three older Debian wheezy systems
> running MIT Kerberos 1.10.1+df
What does your olcSyncrepl line for dc=example,dc=com look like?
Matt Pallissard
On Thu, 2017-04-13 at 12:57 +0200, Jaap Winius wrote:
> Hi folks,
>
> My plan is to migrate away from three older Debian wheezy systems
> running MIT Kerberos 1.10.1+dfsg-5+deb7u7 with an OpenLDAP
> 2.4.31-2+de
Hi folks,
My plan is to migrate away from three older Debian wheezy systems
running MIT Kerberos 1.10.1+dfsg-5+deb7u7 with an OpenLDAP
2.4.31-2+deb7u2 backend to Debian stretch. The idea is to start by
adding a slave system based on MIT Kerberos 1.15-1 and OpenLDAP
2.4.44+dfsg-3. Only, the