[37947] in Kerberos
Re: KDC 1.15 startup error: Invalid credentials - while
daemon@ATHENA.MIT.EDU (Jaap Winius)
Thu Apr 13 13:38:56 2017
Message-ID: <20170413193833.98725ihfmwcvt0nt@bitis.umrk.nl>
Date: Thu, 13 Apr 2017 19:38:33 +0200
From: Jaap Winius <jwinius@umrk.nl>
To: "Pallissard, Matthew" <krb@pallissard.net>
In-Reply-To: <1492094084.7797.1.camel@pallissard.net>
Cc: kerberos@mit.edu

Quoting "Pallissard, Matthew" <krb@pallissard.net>:

> You could also try pointing your new KDC to your old LDAP server to
> see whether or not the issue is with your LDAP instance or the KDC
> config.

That worked. In other words, the problem is with the new slapd server.

> You should check your slapd logs as well.

Nothing new there. Hold on! How can I have missed this?

    slapd[560]: GSSAPI Error: Unspecified GSS failure. \
        Minor code may provide more information \
        (Server ldap/localhost@EXAMPLE.COM not found in Kerberos database)

So, it's attempting to authenticate to the Kerberos master as
'localhost'... and it turns out that I had not successfully replicated
the DIT after all. Doh!

> Also, now that I'm looking at config you originally posted a little
> more closely, it looks like you're missing the 'ldap_servers' line ...

Omitting that line causes it to connect to ldapi:///. It probably
doesn't make a difference, since I don't use it elsewhere, but I'll
keep an eye on it.

> and that you've misspelled 'ladap_conns_per_server'.

Thanks for spotting that. It's a mistake I made years ago and never
noticed. But, in this case fixing it made no difference.

> FWIW here's a stripped down working config that I've used.

I'll check it out later after I've fixed the localhost problem.

Thanks!

Jaap
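
Added example, not part of the original message and not MIT krb5 code: a small lint for the [dbmodules] section of kdc.conf that flags the two config points raised in this thread, a misspelled relation name (which can sit unnoticed for years) and a kldap module with no 'ldap_servers' line. The sample config, its module name and DN are constructed, and the KNOWN set is an assumption based on kdc.conf(5).

```python
import difflib
import re

# Relations documented for kldap subsections of [dbmodules] in MIT krb5 kdc.conf(5).
# Assumption: adjust this set to the krb5 release you run.
KNOWN = {
    "db_library", "disable_last_success", "disable_lockout",
    "ldap_kerberos_container_dn", "ldap_kdc_dn", "ldap_kadmind_dn",
    "ldap_service_password_file", "ldap_servers", "ldap_conns_per_server",
    "ldap_kdc_sasl_mech", "ldap_kdc_sasl_authcid", "ldap_kdc_sasl_authzid",
    "ldap_kdc_sasl_realm", "ldap_kadmind_sasl_mech", "ldap_kadmind_sasl_authcid",
    "ldap_kadmind_sasl_authzid", "ldap_kadmind_sasl_realm",
}

# Constructed sample: the module name and DN are made up for illustration.
SAMPLE_KDC_CONF = """
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=kdc,dc=example,dc=com"
        ladap_conns_per_server = 5
    }
"""

def lint_dbmodules(text):
    """Flag unknown relation names and kldap modules lacking ldap_servers."""
    findings, section, module, seen = [], None, None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, module = header.group(1), None
        elif section != "dbmodules" or not line or line[0] in "#;":
            continue
        elif line == "}":
            if module and seen.get("db_library") == "kldap" and "ldap_servers" not in seen:
                findings.append((module, "no-ldap_servers", "default URI in use"))
            module = None
        else:
            name, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                module, seen = name, {}
            elif module:
                seen[name] = value
                if name not in KNOWN:
                    guess = difflib.get_close_matches(name, KNOWN, n=1) or ["?"]
                    findings.append((module, "unknown-key", f"{name} -> {guess[0]}"))
    return findings

if __name__ == "__main__":
    print(*lint_dbmodules(SAMPLE_KDC_CONF), sep="\n")
```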