From Newsgroup: comp.protocols.kerberos

When starting the krb5-admin service, I receive the following error:
rCLCannot bind to LDAP server ldapi:/// as rCycn=kdc-srv,cn=krbContainer,dc=example,dc=localrCO: Invalid credentials
- while initializing database.rCY

cn=kdc=srv,cn=krbContainer,dc=example,dc=local is referenced in my
krb5.conf as ldap_kdc_dn.

It is also referenced in my password stashes as the following:

echo -ne "$ADMIN_PASSWORD\n$ADMIN_PASSWORD\n" | kdb5_ldap_util \

-D uid=admin,ou=people,dc=example,dc=local -w "$ADMIN_PASSWORD" stashsrvpw \

-f /etc/krb5kdc/service.keyfile cn=kdc-srv,cn=krbContainer,dc=example,dc=local

It is also referenced via ldappasswd:

ldappasswd -H ldapi:/// -D uid=admin,ou=people,dc=example,dc=local \

-w "$ADMIN_PASSWORD" -s "$ADMIN_PASSWORD" cn=kdc-srv,cn=krbContainer,dc=example,dc=local

It is also referenced in my following ACL:

olcAccess: to dn.subtree="cn=krbContainer,dc=example,dc=local"

by dn.exact="cn=adm-srv,cn=krbContainer,dc=example,dc=local" write

by dn.exact="cn=kdc-srv,cn=krbContainer,dc=example,dc=local" read

I thought it was one of my ACLs, but when I modified/removed my ACLs,
the problem persisted. I followed this previous post about ACLs (serverfault.com/questions/869585/kerberos-kdc-wont-start-invalid-credentials), but to no avail.

Here is the Bash script I am using for testing: https://drive.google.com/file/d/1PWNAxH6Y0Sk3vBWd85JheG6DOSjmCFbq/view?usp=sharing

Kind regards,

Travis Bean

--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: comp.protocols.kerberos

On 8/20/25 23:43, Travis Bean wrote:

rCLCannot bind to LDAP server ldapi:/// as rCycn=kdc-srv,cn=krbContainer,dc=example,dc=localrCO: Invalid credentials
- while initializing database.rCY

This means libkdb_ldap called ldap_sasl_bind_s() and got back an LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP
server didn't match the password from the service stash file.

I looked at the script you linked and didn't find any obvious problems,
but there might be more information in the slapd log. My next step
after that would be to use gdb to debug through first the MIT krb5 side (making sure it read the expected password) and then slapd, after
building both components from source with -g and no -O option. It may
be easier to debug the MIT krb5 side if you can reproduce the problem
with kadmin.local.

--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: comp.protocols.kerberos

On Thu, Aug 21, 2025 at 10:56rC>AM Greg Hudson <ghudson@mit.edu> wrote:

On 8/20/25 23:43, Travis Bean wrote:

rCLCannot bind to LDAP server ldapi:/// as rCycn=kdc-srv,cn=krbContainer,dc=example,dc=localrCO: Invalid credentials
- while initializing database.rCY

This means libkdb_ldap called ldap_sasl_bind_s() and got back an LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP server didn't match the password from the service stash file.

I found out that krb5-admin-server is failing with the exact same
error as krb5-kdc. This time krb5-admin-server references cn=adm-srv,cn=krbContainer,dc=example,dc=local, which is referenced in
my krb5.conf as ldap_kadmind_dn as well as referenced by
kdb5_ldap_util for my service stash file.

When attempting to start krb5-admin-server and krb5-kdc, syslog
doesn't log anything substantialrCoit only logs "Failed with result 'exit-code'."

If this is a problem with my service stash file, how do I fix this? I double-checked the kdb5_ldap_util syntax for creating the service
stash file, and there are no errors on my part.

My OpenLDAP/Kerberos code used to work just fine in the past. My test
Bash script is part of a larger project located at
launchpad.net/linuxha. Nothing substantial has changed with my OpenLDAP/Kerberos Bash code for LinuxHA. In fact, all minor changes,
such as an upgraded krb5.conf, were rolled back to a previous revision
for testing, but to no avail.

Kind regards,

Travis Bean

--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: comp.protocols.kerberos

On Sat, Aug 23, 2025 at 6:10rC>PM Travis Bean <tbean74@gmail.com> wrote:

On Fri, Aug 22, 2025 at 9:50rC>AM Travis Bean <tbean74@gmail.com> wrote:

On Thu, Aug 21, 2025 at 10:56rC>AM Greg Hudson <ghudson@mit.edu> wrote:

On 8/20/25 23:43, Travis Bean wrote:

rCLCannot bind to LDAP server ldapi:/// as rCycn=kdc-srv,cn=krbContainer,dc=example,dc=localrCO: Invalid credentials
- while initializing database.rCY

This means libkdb_ldap called ldap_sasl_bind_s() and got back an LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP server didn't match the password from the service stash file.

After extensive troubleshooting, I can definitely say this is a
problem with my stash file.

Perhaps there is a bug in kdb5_ldap_util since it is generating a
malformed stash file.

My stash file is as follows:

cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}41646d696e4b6579 cn=adm-srv,cn=krbContainer,dc=example,dc=local#{HEX}41646d696e4b6579

In my bug report, I just assumed the stash file must be malformed, but
this might not be the case. Even though the stash file doesn't look
malformed, perhaps the algorithm for encoding the file is incorrect?
If the stash file is used to authenticate the KDC to itself
automatically before starting the kadmind and krb5kdc daemons, why
would these daemons be failing to start if the stash file is encoded
correctly?

--- Synchronet 3.21a-Linux NewsLink 1.2