• bind to LDAP server produces "invalid credentials" error

    From Travis Bean@tbean74@gmail.com to kerberos on Wed Aug 20 20:43:13 2025
    From Newsgroup: comp.protocols.kerberos

    When starting the krb5-admin service, I receive the following error:
    “Cannot bind to LDAP server ldapi:/// as ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
    - while initializing database.”

    cn=kdc-srv,cn=krbContainer,dc=example,dc=local is referenced in my
    krb5.conf as ldap_kdc_dn.

    It is also referenced in my password stashes as the following:

    echo -ne "$ADMIN_PASSWORD\n$ADMIN_PASSWORD\n" | kdb5_ldap_util \
        -D uid=admin,ou=people,dc=example,dc=local -w "$ADMIN_PASSWORD" stashsrvpw \
        -f /etc/krb5kdc/service.keyfile cn=kdc-srv,cn=krbContainer,dc=example,dc=local

    It is also referenced via ldappasswd:

    ldappasswd -H ldapi:/// -D uid=admin,ou=people,dc=example,dc=local \
        -w "$ADMIN_PASSWORD" -s "$ADMIN_PASSWORD" cn=kdc-srv,cn=krbContainer,dc=example,dc=local

    It is also referenced in my following ACL:

    olcAccess: to dn.subtree="cn=krbContainer,dc=example,dc=local"
        by dn.exact="cn=adm-srv,cn=krbContainer,dc=example,dc=local" write
        by dn.exact="cn=kdc-srv,cn=krbContainer,dc=example,dc=local" read

    I thought it was one of my ACLs, but when I modified/removed my ACLs,
    the problem persisted. I followed this previous post about ACLs (serverfault.com/questions/869585/kerberos-kdc-wont-start-invalid-credentials), but to no avail.

    Here is the Bash script I am using for testing: https://drive.google.com/file/d/1PWNAxH6Y0Sk3vBWd85JheG6DOSjmCFbq/view?usp=sharing

    Kind regards,

    Travis Bean

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Greg Hudson@ghudson@mit.edu to Travis Bean on Thu Aug 21 13:56:27 2025
    From Newsgroup: comp.protocols.kerberos

    On 8/20/25 23:43, Travis Bean wrote:
    “Cannot bind to LDAP server ldapi:/// as ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
    - while initializing database.”

    This means libkdb_ldap called ldap_sasl_bind_s() and got back an LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP
    server didn't match the password from the service stash file.

    I looked at the script you linked and didn't find any obvious problems,
    but there might be more information in the slapd log. My next step
    after that would be to use gdb to debug through first the MIT krb5 side (making sure it read the expected password) and then slapd, after
    building both components from source with -g and no -O option. It may
    be easier to debug the MIT krb5 side if you can reproduce the problem
    with kadmin.local.

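Greg's diagnosis above comes down to one question: does the DN/password pair libkdb_ldap reads from the service password file match what slapd expects? The following checker is an added example, not code from either poster or from MIT krb5. It parses a constructed service.keyfile in the format kdb5_ldap_util stashsrvpw writes (`<dn>#<password>`, newer versions prefixing a hex-encoded password with `{HEX}`), pulls `ldap_kdc_dn`/`ldap_kadmind_dn` from a constructed krb5.conf fragment, and reports any configured DN that has no byte-for-byte matching stash entry; the `ldapwhoami` command it builds performs the same simple bind the KDC does.

```python
import binascii
import re
from typing import Dict, Optional

# Constructed sample of a libkdb_ldap service password file: "<dn>#<password>",
# with "{HEX}" + hex-encoded password in newer krb5 versions; '#' starts a comment.
SAMPLE_STASH = """# service.keyfile (constructed sample)
cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}73336372337421
cn=adm-srv,cn=krbContainer,dc=example,dc=local#plainpass
"""

# Constructed [dbmodules] fragment of a krb5.conf using the kldap backend.
SAMPLE_KRB5_CONF = """[dbmodules]
  openldap_ldapconf = {
    db_library = kldap
    ldap_kdc_dn = "cn=kdc-srv,cn=krbContainer,dc=example,dc=local"
    ldap_kadmind_dn = "cn=adm-srv,cn=krbContainer,dc=example,dc=local"
    ldap_service_password_file = /etc/krb5kdc/service.keyfile
  }
"""

def parse_stash(text: str) -> Dict[str, str]:
    """Map each service DN in the stash file to its decoded plaintext password."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "#" not in line:
            continue
        dn, _, secret = line.partition("#")
        if secret.startswith("{HEX}"):
            secret = binascii.unhexlify(secret[5:]).decode()
        entries[dn] = secret
    return entries

def configured_dns(conf: str) -> Dict[str, str]:
    """Extract ldap_kdc_dn / ldap_kadmind_dn values (quoted or not) from krb5.conf text."""
    pat = re.compile(r'^\s*(ldap_kdc_dn|ldap_kadmind_dn)\s*=\s*"?([^"\n]+?)"?\s*$', re.M)
    return dict(pat.findall(conf))

def check(conf: str, stash: str) -> Dict[str, Optional[str]]:
    """For each configured DN, the stashed password, or None when no stash line
    matches the DN exactly (libkdb_ldap looks the entry up by exact DN string)."""
    secrets = parse_stash(stash)
    return {dn: secrets.get(dn) for dn in configured_dns(conf).values()}

def bind_cmd(dn: str, password: str, uri: str = "ldapi:///") -> list:
    """ldapwhoami argv reproducing the KDC's simple bind; -w puts the secret in the
    process list, so on a shared host prefer -W and type it at the prompt."""
    return ["ldapwhoami", "-H", uri, "-x", "-D", dn, "-w", password]

if __name__ == "__main__":
    for dn, pw in check(SAMPLE_KRB5_CONF, SAMPLE_STASH).items():
        print(dn, "-> no stash entry" if pw is None else "-> " + " ".join(bind_cmd(dn, pw)))
```

Run the printed ldapwhoami line against the live slapd and compare with the slapd log (loglevel stats) to see whether the rejection is a password mismatch or an ACL/bind-DN problem.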
  • From Travis Bean@tbean74@gmail.com to kerberos on Fri Aug 22 09:52:48 2025
    From Newsgroup: comp.protocols.kerberos

    On Thu, Aug 21, 2025 at 10:56 AM Greg Hudson <ghudson@mit.edu> wrote:

    On 8/20/25 23:43, Travis Bean wrote:
    “Cannot bind to LDAP server ldapi:/// as ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
    - while initializing database.”

    This means libkdb_ldap called ldap_sasl_bind_s() and got back an LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP server didn't match the password from the service stash file.

    I found out that krb5-admin-server is failing with the exact same
    error as krb5-kdc. This time krb5-admin-server references cn=adm-srv,cn=krbContainer,dc=example,dc=local, which is referenced in
    my krb5.conf as ldap_kadmind_dn as well as referenced by
    kdb5_ldap_util for my service stash file.

    When attempting to start krb5-admin-server and krb5-kdc, syslog
    doesn't log anything substantial; it only logs "Failed with result 'exit-code'."

    If this is a problem with my service stash file, how do I fix this? I double-checked the kdb5_ldap_util syntax for creating the service
    stash file, and there are no errors on my part.

    My OpenLDAP/Kerberos code used to work just fine in the past. My test
    Bash script is part of a larger project located at
    launchpad.net/linuxha. Nothing substantial has changed with my OpenLDAP/Kerberos Bash code for LinuxHA. In fact, all minor changes,
    such as an upgraded krb5.conf, were rolled back to a previous revision
    for testing, but to no avail.

    Kind regards,

    Travis Bean
