[37951] in Kerberos
Re: KDC 1.15 startup error: Invalid credentials - while
daemon@ATHENA.MIT.EDU (Jaap Winius)
Fri Apr 14 05:54:18 2017
Message-ID: <20170414115354.21282o4imlseasdu@bitis.umrk.nl>
Date: Fri, 14 Apr 2017 11:53:54 +0200
From: Jaap Winius <jwinius@umrk.nl>
To: "Pallissard, Matthew" <krb@pallissard.net>
In-Reply-To: <e16eb9de-5379-4517-943e-82a40ab34e6e@Pallissard.net>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Quoting "Pallissard, Matthew" <krb@pallissard.net>:
> Is it slapd reading its key tab incorrectly or is the hostname being
> derived incorrectly? Is this a host file issue?
IMO, this is slapd not reading its key table, as the host file does
not give information about the Kerberos principal needed for
authentication. I started out using a separate keytab file like on the
other systems, using this line in /etc/default/slapd:
export KRB5_KTNAME=/etc/ldap/krb5-ldap.keytab
It's important to ensure that the openldap group has read access to
it. I've also tried using the default keytab file instead, applying
the same group access, but slapd continues to attempt to authenticate
with 'ldap/localhost@EXAMPLE.COM'.
Furthermore, /etc/hostname is fine, 'hostnamectl status' checks out
okay, there's nothing funny in /etc/hosts and the DNS forward and
reverse records are consistent.
So, this looks like a bug to me, but in what part of the software:
Kerberos, slapd, or some library, like libsasl2-modules-gssapi-mit?
I'm leaning towards the latter.
Cheers,
Jaap
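The two things this reply turns on, whether slapd can read its keytab and whether that keytab actually holds the principal for the host's FQDN, can be checked from a shell before blaming any library. The script below is an added example, not code from Jaap's post or from the OpenLDAP or MIT Kerberos projects. It assumes the Debian layout used in the thread (KRB5_KTNAME set in /etc/default/slapd, keytab /etc/ldap/krb5-ldap.keytab, group openldap), the placeholder realm EXAMPLE.COM, and GNU coreutils `stat -c`; the `klist -k` listing it parses by default is constructed so the script runs offline, and `--live` switches it to the real host.

```shell
#!/bin/sh
# Added diagnostic for the "slapd authenticates as ldap/localhost" symptom.
# Assumptions: Debian slapd layout, realm EXAMPLE.COM (placeholder),
# GNU stat. Not part of the original thread.

# Service principal slapd should find in its keytab: ldap/<fqdn>@<REALM>
expected_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Does a `klist -k` listing ($1) contain principal $2?  The principal is
# the last field of each entry line; header lines never match.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$NF == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Does an octal mode (3 or 4 digits, e.g. 640 or 0640) grant group read?
mode_group_readable() {
    g=$(printf '%s\n' "$1" | sed 's/.*\(.\).$/\1/')   # group digit
    case "$g" in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# Live check: keytab owned by the expected group and group-readable.
keytab_readable_by_group() {
    path="$1"; group="$2"
    [ -f "$path" ] || { echo "missing keytab: $path"; return 1; }
    set -- $(stat -c '%G %a' "$path")
    [ "$1" = "$group" ] || { echo "keytab group is $1, not $group"; return 1; }
    mode_group_readable "$2" || { echo "mode $2 is not group-readable"; return 1; }
}

# Constructed sample of `klist -k` output (not captured from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/ldap/krb5-ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/ldap1.example.com@EXAMPLE.COM
   2 ldap/ldap1.example.com@EXAMPLE.COM'

# Run against the real host: reads KRB5_KTNAME from /etc/default/slapd,
# checks permissions, then compares `hostname -f` with the keytab contents.
live_check() {
    . /etc/default/slapd 2>/dev/null
    kt="${KRB5_KTNAME:-/etc/krb5.keytab}"
    keytab_readable_by_group "$kt" openldap || return 1
    want=$(expected_principal "$(hostname -f)" EXAMPLE.COM)
    if keytab_has_principal "$(klist -k "$kt")" "$want"; then
        echo "ok: $kt contains $want"
    else
        echo "problem: $kt has no entry for $want; slapd cannot use it"
        return 1
    fi
}

if [ "${1:-}" = --live ]; then
    live_check
else
    want=$(expected_principal ldap1.example.com EXAMPLE.COM)
    if keytab_has_principal "$SAMPLE_KLIST" "$want"; then
        echo "sample keytab contains $want"
    else
        echo "sample keytab lacks $want"
    fi
fi
```

If the offline checks pass on the real host (keytab group-readable by openldap, `hostname -f` principal present) and slapd still announces itself as ldap/localhost, the keytab and permissions are ruled out and attention can move to what the GSSAPI layer is resolving the local name to.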
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos