Tom Rutchik created DIRSERVER-2286:
--------------------------------------
Summary: Apacheds service will not start if kerberos is enabled
Key: DIRSERVER-2286
URL: https://issues.apache.org/jira/browse/DIRSERVER-2286
Project: Directory ApacheDS
Issue Type: Bug
Affects Versions: 2.0.0.AM25
Environment: Linux Mint 19.2
apacheds-2.0.0.AM25
Reporter: Tom Rutchik
Attachments: apacheds.log, apacheds.service, config.ldif, wrapper.log
Apacheds service will not start up if Kerberos is enabled. I've configured the
service to run under the Linux user account "apacheds". Since it's not running
under root, the LDAP service is configured to use port 10389 and the LDAPS
service is configured to use port 10636; similarly the Kerberos server is
configured to use port 60088 and the Change Password Kerberos server is
configured to use port 60464.
I've attached the /lib/systemd/system/apacheds.service description file, but
here's what it contains:
[Service]
Type=forking
User=apacheds
Group=apacheds
EnvironmentFile=/etc/default/apacheds
ExecStart=/bin/sh -c "exec /opt/apacheds-2.0.0.AM25/bin/apacheds start default"
PrivateTmp=true
If you look at either the apacheds.log or wrapper.log you'll see the error says:
java.io.IOException: Error while binding on /0.0.0.0:88
original message : Permission denied
So that should be pretty obvious as to what's wrong. It says that I'm trying to
bind to port 88 instead of port 60088, which is the port that I'm using for the
Kerberos server.
If I check the status of the Kerberos server, here's what it says:
tom@Phinney:~$ systemctl status krb5-kdc
● krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset:
enabled)
Active: active (running) since Fri 2019-10-25 10:13:21 PDT; 57min ago
Process: 1142 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
$DAEMON_ARGS (code=exited, status=0/SUCCESS)
Main PID: 1154 (krb5kdc)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/krb5-kdc.service
└─1154 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting pktinfo on socket ::.60088
Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address
0.0.0.0.10750
Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address
::.10750
Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(14,IPV6_V6ONLY,1) worked
Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address
0.0.0.0.60088
Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address
::.60088
Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(16,IPV6_V6ONLY,1) worked
Oct 25 10:13:21 Phinney krb5kdc[1142]: set up 8 sockets
Oct 25 10:13:21 Phinney krb5kdc[1154]: commencing operation
Oct 25 10:13:21 Phinney systemd[1]: Started Kerberos 5 Key Distribution Center.
It seems to me that Kerberos started up and is using the ports that I told
it to use. I'm not sure what port 10750 is being used for, but I believe that
Kerberos uses that port internally. The only other thing I'm not sure of is
what the setsockopt message with IPV6_V6ONLY is trying to tell me. (Does that
mean I don't have an IPv4 connection to Kerberos? If that's the case, it
certainly might explain what's going on; but I don't see any configuration
parameter related to Kerberos that restricts me to IPv6 only.)
So how I interpret what I'm seeing is that the apacheds service is failing to
start since it doesn't have the permission to bind to port 88. That is correct,
since my user account "apacheds" is not a sudo user. But why is the LDAP server
trying to use port 88 instead of port 60088 as it's configured? I've looked all
around to see if I can find a reference to port 88, and all I find is 60088.
If I disable the Kerberos server from the ApacheDS service, the LDAP service
starts up fine.
My suspicion is that the LDAP service is hard-wired to try to bind to port
88, regardless of configuration.
Here's one more interesting thing. The documentation you see above is the
service starting up as a system daemon. So what errors do I get if I now
manually try to start the apacheds service? This time the Kerberos service is
already running; will that make a difference? From a shell, I execute:
/opt/apacheds-2.0.0.AM25/bin/apacheds start default
Password:
Starting ApacheDS - default...
The result is that I still connect to the ldap service, and both apache.log and
wrapper.log show the same result:
java.io.IOException: Error while binding on /0.0.0.0:88
original message : Permission denied
If I then do:
netstat -tulpn
I see that there is a LISTENer for all my configured kerberos ports, but no
listener for the ldap service port.
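As an added diagnostic aid (not part of the report or of ApacheDS), the script below parses the "Error while binding on /host:port" lines quoted above out of a log, pairs each with its "original message" cause, and flags why the bind could have failed: the port is not one of the ports the reporter configured, the port is privileged (below 1024) while the service runs as a non-root user, or the port is already taken. The sample log text and the expected-port table are constructed from the issue above.

```python
import re
from typing import Dict, List, Optional

# Line formats taken from the apacheds.log / wrapper.log excerpts in the report.
BIND_ERR = re.compile(r"Error while binding on /(?P<host>[^:\s]+):(?P<port>\d+)")
CAUSE = re.compile(r"original message\s*:\s*(?P<reason>.+)")

# Ports the reporter says are configured for the non-root "apacheds" user.
EXPECTED_PORTS: Dict[str, int] = {
    "ldap": 10389, "ldaps": 10636, "kerberos": 60088, "changepw": 60464,
}

# Constructed sample: the two log lines quoted in the issue, plus filler.
SAMPLE_LOG = """\
Starting ApacheDS - default...
java.io.IOException: Error while binding on /0.0.0.0:88
original message : Permission denied
"""


def parse_bind_failures(log_text: str) -> List[Dict[str, Optional[object]]]:
    """Return one record per bind error; the cause is read from the next line(s)."""
    lines = log_text.splitlines()
    failures = []
    for i, line in enumerate(lines):
        m = BIND_ERR.search(line)
        if not m:
            continue
        reason = None
        for follow in lines[i + 1:i + 3]:  # cause is printed right after the error
            c = CAUSE.search(follow)
            if c:
                reason = c.group("reason").strip()
                break
        failures.append({"host": m.group("host"), "port": int(m.group("port")),
                         "reason": reason})
    return failures


def classify(failure: Dict, expected: Dict[str, int], runs_as_root: bool = False) -> List[str]:
    """Tag a bind failure with the likely causes a defender should check first."""
    port, reason = failure["port"], failure["reason"] or ""
    tags = []
    if port not in expected.values():
        tags.append("unconfigured-port")           # listener not in the documented config
    if port < 1024 and not runs_as_root and "Permission denied" in reason:
        tags.append("privileged-port-as-non-root")  # <1024 needs root or CAP_NET_BIND_SERVICE
    if "Address already in use" in reason:
        tags.append("port-in-use")                  # another daemon (e.g. krb5kdc) holds it
    return tags
```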
--
This message was sent by Atlassian Jira
(v8.3.4#803005)