[
https://issues.apache.org/jira/browse/DIRSERVER-2286?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16961400#comment-16961400
]
Tom Rutchik commented on DIRSERVER-2286:
----------------------------------------
I finally figured out what's going on. It turns out to be a problem I caused,
but the higher level cause is due to the lack of sufficient documentation on
configuring the ApacheDS so that the service is not run with root privileges.
I'll explain what happened.
The documented recommendation is not to run the ApacheDS service with root
privileges. To do this one discovers that with can be done by adding the User
and Group setting to the apacheds.service configuration located in
/lib/systemd/system folder (linux mint or ubunto distros). What's not
documented is the that you will need to additionally change the root group to
on a number of unspecified directories to the group name that you specified.
Typically one discovers which directory or files need to be changed by
examining the permission denied error that you get in you log file. In
addition, you will then discover that you also have to add several entries to
the /etc/apparmor.d/usr.sbin.named file if you're distro is configured to use
apparmor. Again, you'll have to discover which resources to add to that file
by examining the apparmor errors you get in the apacheds.log file.
The mistake I made, was that in the process, I took some bad advice from some
internet site that was describing what I needed to do to configure kerberos to
work with apacheds. The advice was that I needed to install the kerberos
server to get this to work. It turns out that this was very bad advice. To
make matters worst, I had kind of forgot that I did that. So what happens if
you make this mistake? The MIT implementation of kerberos starts up using it
own kdc.conf settings; not the apacheds settings. What I did not understand
from the documentation was that apacheds has it's own implementation of a
kerberos server. I couldn't figure out what was going on until I examined the
source code I found the KDCServer class and put 2 and 2 together. I simple
disabled the MIT kerberos server from starting up and things worked fine.
My suggestion to avoid this confusion to others is to improve the documentation
on what needs to be done to configure apacheDS to run under a non-root user
account.
Here's what I added to the 'usr.sbin/.named' file to eliminate the apparmor
errors for my linux mint 19.2 distro in order to to get ApacheDS to startup
under a non-root user account:
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
/var/lib/samba/private/named.conf rw,
/var/lib/samba/private/dns/** lrwk,
/usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
/usr/lib/x86_64-linux-gnu/samba/ldb/** rm,
/usr/lib/x86_64-linux-gnu/samba/gensec/** rm,
/usr/lib/x86_64-linux-gnu/ldb/** rm,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/** rm,
> Apacheds service will not start if kerberos is enable
> -----------------------------------------------------
>
> Key: DIRSERVER-2286
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2286
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 2.0.0.AM25
> Environment: Linux Mint 19.2
> apacheds-2.0.0.AM25
> Reporter: Tom Rutchik
> Priority: Major
> Attachments: apacheds.log, apacheds.service, config.ldif, wrapper.log
>
>
> Apacheds service will not startup if kerberos is enabled. I've configured
> the service to run under the linux user account "apacheds". Since it's not
> running under root, the LAPD service is configured to use port 10389 and the
> LDAPS service is configured to use port 10636; similarly the Kerberos server
> is configured to use port 60088 and the Change Password Kerberos server is
> configured to use port 60464.
> I've attached the /lib/systemd/system/apacheds.service description file, but
> here's what it contains:
> [Service]
> Type=forking
> User=apacheds
> Group=apacheds
> EnvironmentFile=/etc/default/apacheds
> ExecStart=/bin/sh -c "exec /opt/apacheds-2.0.0.AM25/bin/apacheds start
> default"
> PrivateTmp=true
>
> If you look at either the apacheds.log or wrapper.log you'll see the error
> says:
> java.io.IOException: Error while binding on /0.0.0.0:88
> original message : Permission denied
> So that should be pretty obvious as to what's wrong. It says that I trying
> to bind to port 88 instead port 60088 which is the port that using for the
> Kerberos Server.
> If I check the status of the Kerberos sever, here's what it says:
> tom@Phinney:~$ systemctl status krb5-kdc
> ● krb5-kdc.service - Kerberos 5 Key Distribution Center
> Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor
> preset: enabled)
> Active: active (running) since Fri 2019-10-25 10:13:21 PDT; 57min ago
> Process: 1142 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
> $DAEMON_ARGS (code=exited, status=0/SUCCESS)
> Main PID: 1154 (krb5kdc)
> Tasks: 1 (limit: 4915)
> CGroup: /system.slice/krb5-kdc.service
> └─1154 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting pktinfo on socket ::.60088
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address
> 0.0.0.0.10750
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address
> ::.10750
> Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(14,IPV6_V6ONLY,1) worked
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address
> 0.0.0.0.60088
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address
> ::.60088
> Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(16,IPV6_V6ONLY,1) worked
> Oct 25 10:13:21 Phinney krb5kdc[1142]: set up 8 sockets
> Oct 25 10:13:21 Phinney krb5kdc[1154]: commencing operation
> Oct 25 10:13:21 Phinney systemd[1]: Started Kerberos 5 Key Distribution
> Center.
> It seems to me, that the Kerberos started up and is using the ports that I
> told it to use. I'm not sure what port 10750 is being used for, but I believe
> that Kerberos uses that port internally. This only other thing I'm not sure
> or is what the setsockopt message with IPV6_ONLY is trying to tell me. (Does
> that mean I don't have an IPV4 connection to Kerberos? If that's the case,
> it certainly might explain what's going on; but I don't see any configuration
> parameter related to Kerberos that restricts me to IPV6 only)
> So how I interpret what I'm seeing is that the apacheds service is failing to
> start since it doesn't have the permission to bind to port 88. That is
> correct since my user account "apacheds" is not a sudo user. By why is the
> LAPD server trying to use port 88 instead of port 60088 as it's configured.
> I've looked all around to see if I can find a reference to port 88, and all I
> find is 60088.
> If I disable the Kerberos server from the ApacheDS service , the LAPD service
> starts up fine.
> My suspicion is the the LADP service is hard wired to on try to bind to port
> 88, regardless of configuration.
> Here's one more interesting thing. The documentation you see now is the
> service starting up as a system daemon. So what errors do I get if I now
> manually try to start the apacheds service. This time, kerberos service is
> already running, will that make a difference? From a shell, I execute:
> /opt/apacheds-2.0.0.AM25/bin/apacheds start default
> Password:
> Starting ApacheDS - default...
> The result is that I still connect to the ladp service, and both apache.log
> and wrapper.log shows the same result:
> java.io.IOException: Error while binding on /0.0.0.0:88
> original message : Permission denied
> If I then do:
> netstat -tulpn
> I see that there is a LISTENer for all my configured kerberos ports, but no
> listener for the ldap service port.
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
