When starting the krb5-admin service, I receive the following error: “Cannot bind to LDAP server ldapi:/// as ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials - while initializing database.”
cn=kdc=srv,cn=krbContainer,dc=example,dc=local is referenced in my krb5.conf as ldap_kdc_dn.

It is also referenced in my password stashes as the following:

    echo -ne "$ADMIN_PASSWORD\n$ADMIN_PASSWORD\n" | kdb5_ldap_util \
        -D uid=admin,ou=people,dc=example,dc=local -w "$ADMIN_PASSWORD" stashsrvpw \
        -f /etc/krb5kdc/service.keyfile cn=kdc-srv,cn=krbContainer,dc=example,dc=local

It is also referenced via ldappasswd:

    ldappasswd -H ldapi:/// -D uid=admin,ou=people,dc=example,dc=local \
        -w "$ADMIN_PASSWORD" -s "$ADMIN_PASSWORD" cn=kdc-srv,cn=krbContainer,dc=example,dc=local

It is also referenced in my following ACL:

    olcAccess: to dn.subtree="cn=krbContainer,dc=example,dc=local"
      by dn.exact="cn=adm-srv,cn=krbContainer,dc=example,dc=local" write
      by dn.exact="cn=kdc-srv,cn=krbContainer,dc=example,dc=local" read

I thought it was one of my ACLs, but when I modified/removed my ACLs, the problem persisted. I followed this previous post about ACLs (serverfault.com/questions/869585/kerberos-kdc-wont-start-invalid-credentials), but to no avail.

Here is the Bash script I am using for testing: https://drive.google.com/file/d/1PWNAxH6Y0Sk3vBWd85JheG6DOSjmCFbq/view?usp=sharing

Kind regards,
Travis Bean
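
The question names the same bind DN in krb5.conf, in the stash file and in ldappasswd. As an added example (not part of the original post or its linked script), this offline check confirms that every bind DN configured in a krb5.conf has an identically spelled entry in the stash file. The function names, the sample files, the ldap_kadmind_dn line and the hex value are constructed, and the stash layout `<dn>#{HEX}<hex password>` is an assumption about what stashsrvpw writes.

```sh
#!/bin/sh
# Added example: compare the LDAP bind DNs in krb5.conf with the stash file.
# Assumption: each stash line has the form  <dn>#{HEX}<hex-encoded password>.

# Print the DNs set as ldap_kdc_dn / ldap_kadmind_dn in the given krb5.conf.
config_dns() {
    sed -n -e 's/^[[:space:]]*ldap_kdc_dn[[:space:]]*=[[:space:]]*//p' \
           -e 's/^[[:space:]]*ldap_kadmind_dn[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -d '"' | sed 's/[[:space:]]*$//'
}

# Print the DN part of every entry in the given stash file.
stash_dns() {
    sed -n 's/#{HEX}.*$//p' "$1"
}

# check_stash KRB5_CONF STASH_FILE: report each configured DN, return 1 if any is absent.
check_stash() {
    config_dns "$1" | (
        rc=0
        while IFS= read -r dn; do
            if stash_dns "$2" | grep -Fxqi -- "$dn"; then
                echo "ok       $dn"
            else
                echo "MISSING  $dn"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Constructed sample files; the hex string is a made-up placeholder, not a real secret.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/krb5.conf" <<'EOF'
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=kdc-srv,cn=krbContainer,dc=example,dc=local"
        ldap_kadmind_dn = "cn=adm-srv,cn=krbContainer,dc=example,dc=local"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }
EOF
cat > "$demo/service.keyfile" <<'EOF'
cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}636f6e737472756374
EOF
check_stash "$demo/krb5.conf" "$demo/service.keyfile" || echo "a configured bind DN has no stash entry"
```

A DN that differs by one character (for instance `cn=kdc=srv` against `cn=kdc-srv`) is reported as MISSING, because the comparison is a whole-line, case-insensitive match.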