[39538] in Kerberos
bind to LDAP server produces "invalid credentials" error
daemon@ATHENA.MIT.EDU (Travis Bean)
Wed Aug 20 23:44:55 2025
From: Travis Bean <tbean74@gmail.com>
Date: Wed, 20 Aug 2025 20:43:13 -0700
Message-ID: <CAFk47JhihapGzET44=pOcnfpjoBy8g-EK_X_1VYggNYxK=beKg@mail.gmail.com>
To: kerberos@mit.edu
When starting the krb5-admin service, I receive the following error:
“Cannot bind to LDAP server ldapi:/// as
‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
- while initializing database.”
cn=kdc-srv,cn=krbContainer,dc=example,dc=local is referenced in my
krb5.conf as ldap_kdc_dn.
It is also referenced in my password stashes as the following:
echo -ne "$ADMIN_PASSWORD\n$ADMIN_PASSWORD\n" | kdb5_ldap_util \
-D uid=admin,ou=people,dc=example,dc=local -w "$ADMIN_PASSWORD" stashsrvpw \
-f /etc/krb5kdc/service.keyfile cn=kdc-srv,cn=krbContainer,dc=example,dc=local
It is also referenced via ldappasswd:
ldappasswd -H ldapi:/// -D uid=admin,ou=people,dc=example,dc=local \
-w "$ADMIN_PASSWORD" -s "$ADMIN_PASSWORD" \
cn=kdc-srv,cn=krbContainer,dc=example,dc=local
It is also referenced in my following ACL:
olcAccess: to dn.subtree="cn=krbContainer,dc=example,dc=local"
by dn.exact="cn=adm-srv,cn=krbContainer,dc=example,dc=local" write
by dn.exact="cn=kdc-srv,cn=krbContainer,dc=example,dc=local" read
I thought it was one of my ACLs, but when I modified/removed my ACLs,
the problem persisted. I followed this previous post about ACLs
(serverfault.com/questions/869585/kerberos-kdc-wont-start-invalid-credentials),
but to no avail.
Here is the Bash script I am using for testing:
https://drive.google.com/file/d/1PWNAxH6Y0Sk3vBWd85JheG6DOSjmCFbq/view?usp=sharing
Kind regards,
Travis Bean
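A diagnostic for the bind failure described above, added here as an example and not part of the original post: it reads the service DN's password back out of the stash file, checks that the DN from krb5.conf is spelled exactly as it was stashed, and attempts a simple bind as that DN with ldapwhoami. It assumes the stash format written by kdb5_ldap_util stashsrvpw is DN#{HEX}hexpassword (older files: DN#plaintext) with the first '#' as separator; the sample stash contents are constructed.

```python
import binascii
import shutil
import subprocess
import tempfile
from typing import Dict, Optional, Tuple

# Constructed sample of a service.keyfile: one entry in the "{HEX}" form that
# current kdb5_ldap_util writes, one in the older plaintext form (assumption).
SAMPLE_STASH = (
    "cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}"
    + "s3cret".encode().hex() + "\n"
    "cn=adm-srv,cn=krbContainer,dc=example,dc=local#plainpw\n"
)

def parse_stash(text: str) -> Dict[str, str]:
    """Map each service DN in a stash file to its decoded password."""
    creds: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dn, sep, secret = line.partition("#")  # assumption: first '#' splits DN/secret
        if not sep:
            continue
        if secret.startswith("{HEX}"):
            secret = binascii.unhexlify(secret[len("{HEX}"):]).decode()
        creds[dn] = secret
    return creds

def find_dn_mismatch(stash: Dict[str, str], configured_dn: str) -> Optional[str]:
    """None when ldap_kdc_dn is present verbatim; otherwise a hint listing stashed DNs.
    The lookup is an exact string match, so a typo such as 'kdc=srv' vs 'kdc-srv'
    surfaces here rather than as an LDAP 'Invalid credentials' error."""
    if configured_dn in stash:
        return None
    return "DN %r not in stash; stashed DNs: %s" % (configured_dn, sorted(stash))

def check_bind(dn: str, password: str, uri: str = "ldapi:///") -> Tuple[int, str]:
    """Simple-bind as the service DN via ldapwhoami. The password is handed over
    with -y (a 0600 temp file, no trailing newline) rather than on the command line,
    so it does not show up in the process list. Returns (exit status, tool output)."""
    if shutil.which("ldapwhoami") is None:
        return -1, "ldapwhoami not installed"
    with tempfile.NamedTemporaryFile("w") as pw:  # NamedTemporaryFile creates mode 0600
        pw.write(password)
        pw.flush()
        proc = subprocess.run(["ldapwhoami", "-x", "-H", uri, "-D", dn, "-y", pw.name],
                              capture_output=True, text=True, timeout=15)
    return proc.returncode, (proc.stdout + proc.stderr).strip()
```

If the bind succeeds with the password read from the stash, the stash and LDAP agree and the problem lies elsewhere (ACL or the configured DN); if it fails with "Invalid credentials", the stash and ldappasswd steps set different values. The stash file holds the password in reversible form, so it should stay readable by the KDC user only.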
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos