Estou com problemas no servidor kerberos (back-end do LDAP). Eu queria reiniciar o serviço KDC e ele falhou. Tem funcionado bem por várias semanas.
Como eu tinha acabado de ajustar as ACLs do LDAP, tentei os seguintes comandos:
$ slapacl -D cn=kdc-srv,ou=krb5,dc=example,dc=org -b ou=krb5,dc=example,dc=org entry/read
authcDN: "cn=kdc-srv,ou=krb5,dc=example,dc=org"
read access to entry: ALLOWED
-
$ ldapsearch -b ou=krb5,dc=example,dc=org -D 'cn=kdc-srv,ou=krb5,dc=example,dc=org' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
-
O resultado do segundo comando não faz nenhum sentido para mim. Como pode ser permitido e ainda falhar?
EDIT: Além disso, se eu fizer isso:
ldapsearch -Y EXTERNAL -H ldapi:// -b ou=krb5,dc=example,dc=org -D 'cn=kdc-srv,ou=krb5,dc=example,dc=org' -W
Eu recebo No such object (32) .
-
Primeiro, comparei a senha do DN do KDC no diretório LDAP com aquela armazenada em /etc/krb5kdc/service.keyfile e elas são as mesmas.
Aqui estão os registros ao tentar reiniciar o KDC:
systemd: Starting Kerberos 5 Key Distribution Center...
-- Subject: Unit krb5-kdc.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit krb5-kdc.service has begun starting up.
krb5kdc: Couldn't open log file /var/log/krb5/kdc.log: Read-only file system
slapd: conn=1055 fd=14 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
slapd: conn=1055 op=0 BIND dn="" method=128
slapd: conn=1055 op=0 RESULT tag=97 err=0 text=
slapd: conn=1055 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd: conn=1055 op=1 SRCH attr=supportedFeatures
slapd: conn=1055 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd: conn=1055 op=2 UNBIND
slapd: conn=1055 fd=14 closed
slapd: conn=1056 fd=14 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
slapd: conn=1056 op=0 BIND dn="cn=kdc-srv,ou=krb5,dc=example,dc=org" method=128
slapd: conn=1056 op=0 RESULT tag=97 err=49 text=
krb5kdc: Cannot bind to LDAP server 'ldapi://' as 'cn=kdc-srv,ou=krb5,dc=example,dc=org': Invalid credentials - while initializing database for realm EXAMPLE.ORG
krb5kdc: krb5kdc: cannot initialize realm EXAMPLE.ORG - see log file for details
systemd: krb5-kdc.service: Control process exited, code=exited status=1
systemd: Failed to start Kerberos 5 Key Distribution Center.
-- Subject: Unit krb5-kdc.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit krb5-kdc.service has failed.
--
-- The result is failed.
systemd]: krb5-kdc.service: Unit entered failed state.
systemd: krb5-kdc.service: Failed with result 'exit-code'.
slapd: conn=1056 fd=14 closed (connection lost)
-
E aqui estão as ACLs do LDAP:
olcAccess: {0}to dn.subtree="ou=krb5,dc=example,dc=org"
by dn.exact="cn=adm-srv,ou=krb5,dc=example,dc=org" write
by dn.exact="cn=kdc-srv,ou=krb5,dc=example,dc=org" read
by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
by dn.exact="cn=other,dc=example,dc=org" write
by anonymous auth
by * none
olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=org"
by dn.exact="cn=other,dc=example,dc=org" write
...
by * none
...
olcAccess: {6}to dn.subtree="ou=systems,dc=example,dc=org"
by dn.exact="cn=other,dc=example,dc=org" write
...
by * none
olcAccess: {7}to dn.base=""
by * read
olcAccess: {8}to *
by dn.exact="cn=other,dc=example,dc= org" write
by users search
by * none
Alguma idéia?
As ACLs estavam erradas. Eu adicionei uma linha by anonymous auth ao primeiro:
olcAccess: {0}to dn.subtree="ou=krb5,dc=example,dc=org"
by dn.exact="cn=adm-srv,ou=krb5,dc=example,dc=org" write
by dn.exact="cn=kdc-srv,ou=krb5,dc=example,dc=org" read
by anonymous auth
by * none