From: "Travis Bean" <tbean74@gmail.com>
Date: Tue, 26 Aug 2025 18:23:22 -0700
Subject: bug in kdb5_ldap_util
To: krb5-bugs@mit.edu
After I install Kerberos with an OpenLDAP backend, I cannot start
krb5-admin-server and krb5-kdc due to a malformed stash file.

When attempting to start krb5-admin-server, it produces the following error:

“Cannot bind to LDAP server ldapi:/// as
‘cn=adm-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
- while initializing database.”

When attempting to start krb5-kdc, it produces the following error:

“Cannot bind to LDAP server ldapi:/// as
‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials
- while initializing database.”

I used the following test.sh Bash script for testing:
https://drive.google.com/file/d/1PWNAxH6Y0Sk3vBWd85JheG6DOSjmCFbq/view?usp=sharing

The part of this test.sh Bash script that is generating the stash file
is as follows:

echo -ne "$ADMIN_PASSWORD\n$ADMIN_PASSWORD\n" | kdb5_ldap_util \
-D uid=admin,ou=people,"$LDAP_BASE_DN" -w "$ADMIN_PASSWORD" stashsrvpw \
-f /etc/krb5kdc/service.keyfile cn=kdc-srv,cn=krbContainer,"$LDAP_BASE_DN"
echo -ne "$ADMIN_PASSWORD\n$ADMIN_PASSWORD\n" | kdb5_ldap_util \
-D uid=admin,ou=people,"$LDAP_BASE_DN" -w "$ADMIN_PASSWORD" stashsrvpw \
-f /etc/krb5kdc/service.keyfile cn=adm-srv,cn=krbContainer,"$LDAP_BASE_DN"

By the way, I am using Ubuntu Server 24.04.

Kind regards,

Travis Bean

The service stash file should contain:
cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}...
cn=adm-srv,cn=krbContainer,dc=example,dc=local#{HEX}...
where the "..."s are the hex encoding of the supplied passwords.  In what way is the file malformed?  libkdb5_util is able to read a password from it, or you would see an error about reading the stash file instead of an error about the LDAP server rejecting the credentials.  If I run the given commands, the resulting file does not seem amiss.

(As an aside, the -D and -w options to these kdb5_ldap_util invocations should be unnecessary, as this subcommand does not need to authenticate to the LDAP server.)
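A small checker for the stash layout the reply describes, added here as an illustration; it is not code from the krb5 project or from either poster. It parses each "dn#{HEX}hex" line, decodes the hex, and reports anything that would make a line unreadable or yield a password other than the one intended (bad hex, missing {HEX} tag, a control character such as a stray newline in the decoded value). Splitting on the last '#' and the control-character warning are this checker's own heuristics, not a description of how libkdb_ldap itself reads the file; the sample file contents are constructed, using the DNs from the report with made-up passwords.

```python
import binascii
import sys

HEX_TAG = "{HEX}"

# Constructed sample stash contents in the layout the reply describes:
# one "<service dn>#{HEX}<hex of password>" line per service DN.
# DNs are the ones from the report; the passwords are made-up values.
GOOD_STASH = (
    "cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}6b64632d706173732d31\n"
    "cn=adm-srv,cn=krbContainer,dc=example,dc=local#{HEX}61646d2d706173732d32\n"
)

# A second constructed file carrying defects the checker should report:
# line 1 decodes to a password with a trailing newline, line 2 lacks {HEX}.
BAD_STASH = (
    "cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}6b64632d706173732d310a\n"
    "cn=adm-srv,cn=krbContainer,dc=example,dc=local#61646d2d706173732d32\n"
)


def read_stash(content):
    """Parse stash text into {dn: password_bytes} and a list of problems.

    Returns (entries, problems), where problems is a list of (line number,
    message). Splitting on the LAST '#' is this checker's assumption: an LDAP
    DN may itself contain '#', while the hex digits after the tag never do.
    """
    entries, problems = {}, []
    for lineno, raw in enumerate(content.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        dn, sep, value = line.rpartition("#")
        if not sep or not dn:
            problems.append((lineno, "no '#' separating DN from password"))
            continue
        if not value.startswith(HEX_TAG):
            problems.append((lineno, "password field does not start with {HEX}"))
            continue
        try:
            password = binascii.unhexlify(value[len(HEX_TAG):])
        except (binascii.Error, ValueError):
            problems.append((lineno, "password field is not valid hex"))
            continue
        if not password:
            problems.append((lineno, "empty password"))
            continue
        # Heuristic: a newline or other control byte in the decoded password
        # usually means the value fed to stashsrvpw was not what was intended.
        if any(b < 0x20 or b == 0x7F for b in password):
            problems.append((lineno, "decoded password contains control characters"))
        if dn in entries:
            # This checker keeps the first occurrence and flags the rest.
            problems.append((lineno, "duplicate entry for %s" % dn))
            continue
        entries[dn] = password
    return entries, problems


def stash_matches(content, dn, expected_password):
    """True if the stash holds exactly expected_password (a str) for dn."""
    entries, _ = read_stash(content)
    return entries.get(dn) == expected_password.encode()


if __name__ == "__main__":
    # Usage: python check_stash.py /etc/krb5kdc/service.keyfile
    # (path taken from the report's script; any readable stash file works)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else BAD_STASH
    found, issues = read_stash(text)
    for dn in found:
        print("ok: entry for", dn)
    for lineno, msg in issues:
        print("line %d: %s" % (lineno, msg))
```

Run against the real file to see whether each service DN has a readable entry; to confirm the stored value is the password you expect, call stash_matches() with that DN and password rather than printing decoded secrets.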