[
https://issues.apache.org/jira/browse/DIRSERVER-2286?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17582436#comment-17582436
]
Emmanuel Lécharny commented on DIRSERVER-2286:
----------------------------------------------
The Kerberos server has been removed from ApacheDS in 2.0.0-M27
> Apacheds service will not start if kerberos is enable
> -----------------------------------------------------
>
> Key: DIRSERVER-2286
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2286
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 2.0.0.AM25
> Environment: Linux Mint 19.2
> apacheds-2.0.0.AM25
> Reporter: Tom Rutchik
> Priority: Major
> Attachments: apacheds.log, apacheds.service, config.ldif, wrapper.log
>
>
> Apacheds service will not start up if Kerberos is enabled. I've configured
> the service to run under the Linux user account "apacheds". Since it's not
> running under root, the LDAP service is configured to use port 10389 and the
> LDAPS service is configured to use port 10636; similarly the Kerberos server
> is configured to use port 60088 and the Change Password Kerberos server is
> configured to use port 60464.
> I've attached the /lib/systemd/system/apacheds.service description file, but
> here's what it contains:
> [Service]
> Type=forking
> User=apacheds
> Group=apacheds
> EnvironmentFile=/etc/default/apacheds
> ExecStart=/bin/sh -c "exec /opt/apacheds-2.0.0.AM25/bin/apacheds start default"
> PrivateTmp=true
>
> If you look at either the apacheds.log or wrapper.log you'll see the error
> says:
> java.io.IOException: Error while binding on /0.0.0.0:88
> original message : Permission denied
> So that should be pretty obvious as to what's wrong. It says that I'm trying
> to bind to port 88 instead of port 60088, which is the port that I'm using for
> the Kerberos server.
> If I check the status of the Kerberos server, here's what it says:
> tom@Phinney:~$ systemctl status krb5-kdc
> ● krb5-kdc.service - Kerberos 5 Key Distribution Center
> Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
> Active: active (running) since Fri 2019-10-25 10:13:21 PDT; 57min ago
> Process: 1142 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=0/SUCCESS)
> Main PID: 1154 (krb5kdc)
> Tasks: 1 (limit: 4915)
> CGroup: /system.slice/krb5-kdc.service
> └─1154 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting pktinfo on socket ::.60088
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address 0.0.0.0.10750
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address ::.10750
> Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(14,IPV6_V6ONLY,1) worked
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address 0.0.0.0.60088
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address ::.60088
> Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(16,IPV6_V6ONLY,1) worked
> Oct 25 10:13:21 Phinney krb5kdc[1142]: set up 8 sockets
> Oct 25 10:13:21 Phinney krb5kdc[1154]: commencing operation
> Oct 25 10:13:21 Phinney systemd[1]: Started Kerberos 5 Key Distribution Center.
> It seems to me that the Kerberos server started up and is using the ports that I
> told it to use. I'm not sure what port 10750 is being used for, but I believe
> that Kerberos uses that port internally. The only other thing I'm not sure
> of is what the setsockopt message with IPV6_V6ONLY is trying to tell me. (Does
> that mean I don't have an IPv4 connection to Kerberos? If that's the case,
> it certainly might explain what's going on; but I don't see any configuration
> parameter related to Kerberos that restricts me to IPv6 only.)
> So how I interpret what I'm seeing is that the apacheds service is failing to
> start since it doesn't have the permission to bind to port 88. That is
> correct since my user account "apacheds" is not a sudo user. But why is the
> LDAP server trying to use port 88 instead of port 60088 as it's configured?
> I've looked all around to see if I can find a reference to port 88, and all I
> find is 60088.
> If I disable the Kerberos server from the ApacheDS service, the LDAP service
> starts up fine.
> My suspicion is that the LDAP service is hard wired to try to bind to port
> 88, regardless of configuration.
> Here's one more interesting thing. The output you see above is from the
> service starting up as a system daemon. So what errors do I get if I now
> manually try to start the apacheds service? This time the Kerberos service is
> already running; will that make a difference? From a shell, I execute:
> /opt/apacheds-2.0.0.AM25/bin/apacheds start default
> Password:
> Starting ApacheDS - default...
> The result is that I still connect to the LDAP service, and both apacheds.log
> and wrapper.log show the same result:
> java.io.IOException: Error while binding on /0.0.0.0:88
> original message : Permission denied
> If I then do:
> netstat -tulpn
> I see that there is a LISTENer for all my configured Kerberos ports, but no
> listener for the LDAP service port.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
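The diagnosis in the report above (a bind attempt on port 88 under a non-root service user, while config.ldif says 60088) can be checked mechanically. This is an added example, not code from ApacheDS or from the issue; the LDIF attribute names `ads-serverId` and `ads-systemPort` and both sample inputs are assumptions constructed for the example, not the attached files.

```python
import re

# Constructed config.ldif fragment mirroring the report (attribute names assumed).
SAMPLE_CONFIG_LDIF = """\
dn: ads-transportid=tcp,ou=transports,ads-serverId=ldapServer,ou=servers,ou=config
ads-systemPort: 10389

dn: ads-transportid=tcp,ou=transports,ads-serverId=kerberosServer,ou=servers,ou=config
ads-systemPort: 60088
"""

# Constructed copy of the wrapper.log error quoted in the report.
SAMPLE_LOG = """\
java.io.IOException: Error while binding on /0.0.0.0:88
original message : Permission denied
"""

def configured_ports(ldif):
    """Map each ads-serverId to the set of ads-systemPort values under it."""
    ports, server = {}, None
    for line in ldif.splitlines():
        dn = re.match(r"dn:.*?ads-serverId=([^,]+)", line, re.I)
        if dn:
            server = dn.group(1)
        port = re.match(r"ads-systemPort:\s*(\d+)", line, re.I)
        if port and server:
            ports.setdefault(server, set()).add(int(port.group(1)))
    return ports

def bind_failures(log):
    """Ports on which the log reports 'Error while binding on /addr:port'."""
    return [int(p) for p in re.findall(r"Error while binding on /[\d.]+:(\d+)", log)]

def diagnose(ldif, log, service_user):
    """For each failed bind, report whether the port is absent from the config
    and whether it is privileged (<1024) for a non-root systemd User=."""
    ports = configured_ports(ldif)
    findings = []
    for port in bind_failures(log):
        if not any(port in ps for ps in ports.values()):
            findings.append((port, "port is not in config.ldif: bind target differs from configuration"))
        if port < 1024 and service_user != "root":
            findings.append((port, f"privileged port; User={service_user} lacks CAP_NET_BIND_SERVICE"))
    return findings

if __name__ == "__main__":
    for port, why in diagnose(SAMPLE_CONFIG_LDIF, SAMPLE_LOG, "apacheds"):
        print(f"port {port}: {why}")
```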