Kerberos KDC won't start: invalid credentials

1

I'm having trouble with the Kerberos server (LDAP back end). I wanted to restart the KDC service and it failed. It had been working fine for several weeks.

Since I had just adjusted the LDAP ACLs, I tried the following commands:

$ slapacl -D cn=kdc-srv,ou=krb5,dc=example,dc=org -b ou=krb5,dc=example,dc=org entry/read
authcDN: "cn=kdc-srv,ou=krb5,dc=example,dc=org"
read access to entry: ALLOWED


$ ldapsearch -b ou=krb5,dc=example,dc=org -D 'cn=kdc-srv,ou=krb5,dc=example,dc=org' -W
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)


The result of the second command makes no sense to me. How can access be allowed and the bind still fail?

EDIT: Also, if I do this:

ldapsearch -Y EXTERNAL -H ldapi:// -b ou=krb5,dc=example,dc=org -D 'cn=kdc-srv,ou=krb5,dc=example,dc=org' -W

I get No such object (32).


First, I compared the password of the KDC's DN in the LDAP directory with the one stored in /etc/krb5kdc/service.keyfile, and they are the same.

Here are the logs from trying to restart the KDC:

systemd: Starting Kerberos 5 Key Distribution Center...
-- Subject: Unit krb5-kdc.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit krb5-kdc.service has begun starting up.
krb5kdc: Couldn't open log file /var/log/krb5/kdc.log: Read-only file system
slapd: conn=1055 fd=14 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
slapd: conn=1055 op=0 BIND dn="" method=128
slapd: conn=1055 op=0 RESULT tag=97 err=0 text=
slapd: conn=1055 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd: conn=1055 op=1 SRCH attr=supportedFeatures
slapd: conn=1055 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd: conn=1055 op=2 UNBIND
slapd: conn=1055 fd=14 closed
slapd: conn=1056 fd=14 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
slapd: conn=1056 op=0 BIND dn="cn=kdc-srv,ou=krb5,dc=example,dc=org" method=128
slapd: conn=1056 op=0 RESULT tag=97 err=49 text=
krb5kdc: Cannot bind to LDAP server 'ldapi://' as 'cn=kdc-srv,ou=krb5,dc=example,dc=org': Invalid credentials - while initializing database for realm EXAMPLE.ORG
krb5kdc: krb5kdc: cannot initialize realm EXAMPLE.ORG - see log file for details
systemd: krb5-kdc.service: Control process exited, code=exited status=1
systemd: Failed to start Kerberos 5 Key Distribution Center.
-- Subject: Unit krb5-kdc.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit krb5-kdc.service has failed.
-- 
-- The result is failed.
systemd]: krb5-kdc.service: Unit entered failed state.
systemd: krb5-kdc.service: Failed with result 'exit-code'.
slapd: conn=1056 fd=14 closed (connection lost)


And here are the LDAP ACLs:

olcAccess: {0}to dn.subtree="ou=krb5,dc=example,dc=org"
  by dn.exact="cn=adm-srv,ou=krb5,dc=example,dc=org" write
  by dn.exact="cn=kdc-srv,ou=krb5,dc=example,dc=org" read
  by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=other,dc=example,dc=org" write
  by anonymous auth
  by * none
olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=org"
  by dn.exact="cn=other,dc=example,dc=org" write
  ...
  by * none
...
olcAccess: {6}to dn.subtree="ou=systems,dc=example,dc=org"
  by dn.exact="cn=other,dc=example,dc=org" write
  ...
  by * none
olcAccess: {7}to dn.base=""
  by * read
olcAccess: {8}to *
  by dn.exact="cn=other,dc=example,dc=org" write
  by users search
  by * none

Any ideas?

by DBLouis 20.08.2017 / 16:12

1 answer

0

The ACLs were wrong. I added a by anonymous auth line to the first one:

olcAccess: {0}to dn.subtree="ou=krb5,dc=example,dc=org"
  by dn.exact="cn=adm-srv,ou=krb5,dc=example,dc=org" write
  by dn.exact="cn=kdc-srv,ou=krb5,dc=example,dc=org" read
  by anonymous auth
  by * none
by 20.08.2017 / 19:01
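Why the fix works: slapd evaluates a simple bind as the anonymous identity needing auth access to the bind DN's userPassword, and ACLs are first-match, so rule {0} (covering the whole ou=krb5 subtree and ending in by * none) was selected before rule {1} and its by anonymous auth ever got a look. The following is an added example, not code from the post or from OpenLDAP: a small Python model of that first-match evaluation run over the question's rules {0} and {1}, before and after the answer's fix; it handles only the target and identity forms used in the question, and denying when no to clause matches is this model's assumption.

```python
# Toy model of OpenLDAP's first-match ACL evaluation (an added example, not code from the
# post or from OpenLDAP). Only the target/identity forms used in the question are handled.
import re
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Rules {0} and {1} exactly as posted in the question (its other rules are omitted here).
BROKEN = """olcAccess: {0}to dn.subtree="ou=krb5,dc=example,dc=org"
  by dn.exact="cn=adm-srv,ou=krb5,dc=example,dc=org" write
  by dn.exact="cn=kdc-srv,ou=krb5,dc=example,dc=org" read
  by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=other,dc=example,dc=org" write
  by anonymous auth
  by * none
"""
# The answer's fix: 'by anonymous auth' inserted into rule {0} ahead of its 'by * none'.
FIXED = BROKEN.replace("  by * none\nolcAccess: {1}",
                       "  by anonymous auth\n  by * none\nolcAccess: {1}", 1)
def parse_acls(text):
    """olcAccess values (continuation lines joined) -> [(target, [(who, level), ...])]."""
    rules = []
    for raw in re.split(r"^olcAccess:\s*\{\d+\}to ", text, flags=re.M)[1:]:
        target, *bys = re.split(r"\s+by\s+", " ".join(raw.split()))
        rules.append((target, [tuple(b.rsplit(" ", 1)) for b in bys]))
    return rules

def target_matches(target, dn, attr):
    m = re.search(r'dn\.(subtree|base)="([^"]*)"', target)
    if m:
        style, base, d = m.group(1), m.group(2).lower(), dn.lower()
        if not (d == base or (style == "subtree" and d.endswith("," + base))):
            return False
    m = re.search(r"attrs=(\S+)", target)  # no attrs= means every attribute, 'entry' included
    return not m or attr.lower() in m.group(1).lower().split(",")

def who_matches(who, authc_dn):
    if who in ("anonymous", "users"):
        return (authc_dn is None) == (who == "anonymous")
    return who == "*" or who.lower() == f'dn.exact="{authc_dn}"'.lower()

def allowed(acl_text, authc_dn, dn, attr, needed):
    """First matching 'to' clause wins and its first matching 'by' decides; no match means none
    (slapd's implicit 'by * none'; denying when no 'to' matches is this model's assumption)."""
    for target, bys in parse_acls(acl_text):
        if target_matches(target, dn, attr):
            level = next((lvl for who, lvl in bys if who_matches(who, authc_dn)), "none")
            return LEVELS.index(level) >= LEVELS.index(needed)
    return False

if __name__ == "__main__":  # slapd checks a simple bind as anonymous needing 'auth' on userPassword
    kdc = "cn=kdc-srv,ou=krb5,dc=example,dc=org"
    print([allowed(acl, None, kdc, "userPassword", "auth") for acl in (BROKEN, FIXED)])  # [False, True]
```

The same model reproduces the question's slapacl result (kdc-srv, already authenticated, gets read on the ou=krb5 entry under both rule sets), which is why slapacl -D with the KDC's DN could not reveal the problem; the check that would have was an anonymous one, userPassword/auth on the KDC's own entry.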