Hi folks,

My plan is to migrate away from three older Debian wheezy systems running MIT Kerberos 1.10.1+dfsg-5+deb7u7 with an OpenLDAP 2.4.31-2+deb7u2 backend to Debian stretch. The idea is to start by adding a slave system based on MIT Kerberos 1.15-1 and OpenLDAP 2.4.44+dfsg-3. Only, there's this problem... :-)
Setting up the OpenLDAP backend on the stretch system went fine and a copy of the DIT, which includes a fresh copy of the Kerberos database, is present. But when I attempt to start up the new KDC it fails with:

    krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details

The Kerberos log says:

    krb5kdc: Cannot bind to LDAP server 'ldapi://' as 'cn=kdc-srv,ou=krb5,dc=example,dc=com': Invalid credentials - while initializing database for realm EXAMPLE.COM

The Kerberos master is kls1.example.com and the new slave is kls4.example.com. The Kerberos configuration on the latter is essentially the same as on the older slaves, kls2 and kls3.

Here's the /etc/krb5.conf on kls4:

    [libdefaults]
        default_realm = EXAMPLE.COM
        forwardable = true
        proxiable = true
        allow_weak_crypto = true

    [realms]
        EXAMPLE.COM = {
            kdc = kls4.example.com
            admin_server = klsm.example.com
            database_module = openldap_ldapconf
        }

    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

    [dbdefaults]
        ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=example,dc=com
            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            ldap_conns_per_server = 5
            disable_last_success = true
            disable_lockout = true
        }

    [logging]
        kdc = FILE:/var/log/krb5/kdc.log

And here's /etc/krb5kdc/kdc.conf on kls4:

    [kdcdefaults]
        kdc_ports = 750,88

    [realms]
        EXAMPLE.COM = {
            key_stash_file = /etc/krb5kdc/stash
            kdc_ports = 750,88
            max_life = 1d 0h 0m 0s
            max_renewable_life = 90d 0h 0m 0s
            master_key_type = des3-hmac-sha1
            supported_enctypes = aes256-cts:normal \
                arcfour-hmac:normal des3-hmac-sha1:normal \
                des-cbc-crc:normal des:normal des:v4 des:norealm \
                des:onlyrealm des:afs3
            default_principal_flags = +preauth
        }

The credentials for cn=kdc-srv, the LDAP account for the KDC service, are stored in /etc/krb5kdc/service.keyfile.
This file, together with the 'stash' file containing the KDC database master key, was simply copied from the old systems. The service.keyfile has a line in it that looks like:

    cn=kdc-srv,ou=krb5,dc=example,dc=com#{HEX}3c9264892e086756

Finally, kls4.example.com has forward and reverse DNS entries that match (for both IPv4 and IPv6) and time is synchronized with the master, kls1.

Any idea what could be causing the aforementioned error? Have the configuration requirements for Kerberos v1.15 changed since v1.10?

Thanks,
Jaap

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
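A check worth running before touching the KDC configuration, added here as an example that is not part of the original post: decode the password stashed in service.keyfile (the `<dn>#{HEX}<hex>` format written by `kdb5_ldap_util stashsrvpw`) and perform the same simple bind krb5kdc performs, using ldapwhoami from ldap-utils. That separates a stale or mismatched keyfile/userPassword pair from a KDC-side problem. The keyfile path and bind DN are the ones from the post; the sample keyfile content and its password are constructed.

```python
"""Verify the KDC's LDAP bind credential independently of krb5kdc."""
import binascii
import subprocess
import tempfile
from pathlib import Path

# Constructed sample in kdb5_ldap_util stashsrvpw format: <bind DN>#{HEX}<hex-encoded password>
SAMPLE_KEYFILE = "# kdc service credentials (constructed sample)\n" \
                 "cn=kdc-srv,ou=krb5,dc=example,dc=com#{HEX}733363726574\n"


def parse_service_keyfile(text):
    """Return {bind_dn: password} for every '<dn>#{HEX}<hex>' line; blank and '#' lines are skipped."""
    creds = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dn, sep, encoded = line.partition("#{HEX}")
        if not sep or not dn:
            raise ValueError(f"line {lineno}: not in '<dn>#{{HEX}}<hex>' format")
        try:
            password = binascii.unhexlify(encoded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"line {lineno}: undecodable password for {dn}: {exc}") from exc
        creds[dn] = password
    return creds


def check_bind(keyfile_path, bind_dn, uri="ldapi:///"):
    """Simple-bind as bind_dn with its stashed password; returns (ok, ldapwhoami stderr)."""
    creds = parse_service_keyfile(Path(keyfile_path).read_text())
    if bind_dn not in creds:
        raise KeyError(f"{bind_dn} has no entry in {keyfile_path}")
    # Hand the secret over with -y (file created 0600 by mkstemp) rather than -w,
    # which would expose it in the process list.
    with tempfile.NamedTemporaryFile("w") as pw:
        pw.write(creds[bind_dn])  # no trailing newline: -y uses the file content verbatim
        pw.flush()
        result = subprocess.run(
            ["ldapwhoami", "-x", "-H", uri, "-D", bind_dn, "-y", pw.name],
            capture_output=True, text=True)
    return result.returncode == 0, result.stderr.strip()


if __name__ == "__main__":
    ok, err = check_bind("/etc/krb5kdc/service.keyfile", "cn=kdc-srv,ou=krb5,dc=example,dc=com")
    print("bind OK" if ok else f"bind FAILED: {err}")
```

A failing bind here, with the same error krb5kdc reports, points at the directory entry's userPassword (or the ACLs on it) rather than at the KDC configuration; a passing bind narrows the problem to the KDC side.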