[39549] in Kerberos

Re: bind to LDAP server produces "invalid credentials" error

daemon@ATHENA.MIT.EDU (Travis Bean)
Fri Sep 5 12:49:02 2025

MIME-Version: 1.0
In-Reply-To: <CAFk47JgQFhX56N0sBJ8PtddDPhH6fei-cBGt8nAKO+ddeM4rBA@mail.gmail.com>
From: Travis Bean <tbean74@gmail.com>
Date: Fri, 5 Sep 2025 09:49:44 -0700
Message-ID: <CAFk47JjtkzwzQ6EVDATyGehxCBB48Rn4msx32fFncDMFJxbW8w@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Sat, Aug 23, 2025 at 6:10 PM Travis Bean <tbean74@gmail.com> wrote:
>
> On Fri, Aug 22, 2025 at 9:50 AM Travis Bean <tbean74@gmail.com> wrote:
> >
> > On Thu, Aug 21, 2025 at 10:56 AM Greg Hudson <ghudson@mit.edu> wrote:
> > >
> > > On 8/20/25 23:43, Travis Bean wrote:
> > > > “Cannot bind to LDAP server ldapi:/// as
> > > > ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
> > > > - while initializing database.”
> > >
> > > This means libkdb_ldap called ldap_sasl_bind_s() and got back an
> > > LDAP_INVALID_CREDENTIALS response, most likely indicating that the LDAP
> > > server didn't match the password from the service stash file.
>
> After extensive troubleshooting, I can definitely say this is a
> problem with my stash file.
>
> Perhaps there is a bug in kdb5_ldap_util since it is generating a
> malformed stash file.

My stash file is as follows:

cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}41646d696e4b6579
cn=adm-srv,cn=krbContainer,dc=example,dc=local#{HEX}41646d696e4b6579

In my bug report, I just assumed the stash file must be malformed, but
this might not be the case. Even though the stash file doesn't look
malformed, perhaps the algorithm for encoding the file is incorrect?
If the stash file is used to authenticate the KDC to itself
automatically before starting the kadmind and krb5kdc daemons, why
would these daemons be failing to start if the stash file is encoded
correctly?

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
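
An added example, not part of the original message and not MIT krb5 code: a Python check that parses lines in the `DN#{HEX}hex` layout shown in the stash file above and decodes the value, so the bytes the stash would supply for a bind DN can be compared with the password set on that LDAP entry. The layout is inferred from the two lines in the message; `parse_stash` and `stash_matches` are hypothetical names.

```python
import binascii
import hmac

# Constructed sample: the two stash lines posted in the message above.
SAMPLE_STASH = (
    "cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}41646d696e4b6579\n"
    "cn=adm-srv,cn=krbContainer,dc=example,dc=local#{HEX}41646d696e4b6579\n"
)
HEX_TAG = "{HEX}"


def parse_stash(text):
    """Parse 'DN#{HEX}hex' lines (layout assumed from the sample above).
    Returns (entries, problems): entries maps bind DN -> decoded password
    bytes; problems is a list of (line_number, reason) for rejected lines.
    """
    entries, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # ignore blank lines
        dn, sep, value = line.partition("#")
        if not sep or not dn:
            problems.append((lineno, "no 'DN#' prefix"))
        elif not value.startswith(HEX_TAG):
            problems.append((lineno, "value is not tagged {HEX}"))
        else:
            try:
                # Strict decode: odd length, stray spaces or non-hex fail.
                secret = binascii.unhexlify(value[len(HEX_TAG):])
            except ValueError as exc:
                problems.append((lineno, f"bad hex: {exc}"))
                continue
            if not secret:
                problems.append((lineno, "empty password"))
            else:
                entries[dn] = secret
    return entries, problems


def stash_matches(text, bind_dn, expected_password):
    """True if the stash holds exactly expected_password (bytes) for bind_dn."""
    entries, _ = parse_stash(text)
    stored = entries.get(bind_dn)  # exact DN string match (assumption)
    return stored is not None and hmac.compare_digest(stored, expected_password)


if __name__ == "__main__":
    found, issues = parse_stash(SAMPLE_STASH)
    print(sorted(found), issues)
```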
