Kerberos KDC won't start: Invalid credentials

I'm having trouble with my Kerberos server (LDAP backend). I wanted to restart the KDC service and it failed. It had been working for several weeks.

Since I had just adjusted the LDAP ACLs, I tried the following commands:

    $ slapacl -D cn=kdc-srv,ou=krb5,dc=example,dc=org -b ou=krb5,dc=example,dc=org entry/read
    authcDN: "cn=kdc-srv,ou=krb5,dc=example,dc=org" read access to entry: ALLOWED

    $ ldapsearch -b ou=krb5,dc=example,dc=org -D 'cn=kdc-srv,ou=krb5,dc=example,dc=org' -W
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

The result of the second command makes no sense to me. How can access be allowed, yet the bind still fail?

Edit: Also, if I do this instead:

    ldapsearch -Y EXTERNAL -H ldapi:// -b ou=krb5,dc=example,dc=org -D 'cn=kdc-srv,ou=krb5,dc=example,dc=org' -W

I get No such object (32).

I first compared the password of the KDC DN in the LDAP directory with the one in /etc/krb5kdc/service.keyfile; they are identical.

Here is the log from trying to restart the KDC:

    systemd: Starting Kerberos 5 Key Distribution Center...
    -- Subject: Unit krb5-kdc.service has begun start-up
    -- Defined-By: systemd
    -- Support: https://www.debian.org/support
    --
    -- Unit krb5-kdc.service has begun starting up.
    krb5kdc: Couldn't open log file /var/log/krb5/kdc.log: Read-only file system
    slapd: conn=1055 fd=14 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
    slapd: conn=1055 op=0 BIND dn="" method=128
    slapd: conn=1055 op=0 RESULT tag=97 err=0 text=
    slapd: conn=1055 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    slapd: conn=1055 op=1 SRCH attr=supportedFeatures
    slapd: conn=1055 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    slapd: conn=1055 op=2 UNBIND
    slapd: conn=1055 fd=14 closed
    slapd: conn=1056 fd=14 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
    slapd: conn=1056 op=0 BIND dn="cn=kdc-srv,ou=krb5,dc=example,dc=org" method=128
    slapd: conn=1056 op=0 RESULT tag=97 err=49 text=
    krb5kdc: Cannot bind to LDAP server 'ldapi://' as 'cn=kdc-srv,ou=krb5,dc=example,dc=org': Invalid credentials - while initializing database for realm EXAMPLE.ORG
    krb5kdc: krb5kdc: cannot initialize realm EXAMPLE.ORG - see log file for details
    systemd: krb5-kdc.service: Control process exited, code=exited status=1
    systemd: Failed to start Kerberos 5 Key Distribution Center.
    -- Subject: Unit krb5-kdc.service has failed
    -- Defined-By: systemd
    -- Support: https://www.debian.org/support
    --
    -- Unit krb5-kdc.service has failed.
    --
    -- The result is failed.
    systemd]: krb5-kdc.service: Unit entered failed state.
    systemd: krb5-kdc.service: Failed with result 'exit-code'.
    slapd: conn=1056 fd=14 closed (connection lost)

Here are the LDAP ACLs:

    olcAccess: {0}to dn.subtree="ou=krb5,dc=example,dc=org"
      by dn.exact="cn=adm-srv,ou=krb5,dc=example,dc=org" write
      by dn.exact="cn=kdc-srv,ou=krb5,dc=example,dc=org" read
      by * none
    olcAccess: {1}to attrs=userPassword,shadowLastChange
      by dn.exact="cn=other,dc=example,dc=org" write
      by anonymous auth
      by * none
    olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=org"
      by dn.exact="cn=other,dc=example,dc=org" write
      ...
      by * none
    ...
    olcAccess: {6}to dn.subtree="ou=systems,dc=example,dc=org"
      by dn.exact="cn=other,dc=example,dc=org" write
      ...
      by * none
    olcAccess: {7}to dn.base="" by * read
    olcAccess: {8}to *
      by dn.exact="cn=other,dc=example,dc= org" write
      by users search
      by * none

Any ideas?

The ACL was wrong. I added a `by anonymous auth` line to the first one:

    olcAccess: {0}to dn.subtree="ou=krb5,dc=example,dc=org"
      by dn.exact="cn=adm-srv,ou=krb5,dc=example,dc=org" write
      by dn.exact="cn=kdc-srv,ou=krb5,dc=example,dc=org" read
      by anonymous auth
      by * none
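Why slapacl said ALLOWED while the bind failed, and why the answer's one-line fix works, comes down to OpenLDAP's evaluation order: olcAccess clauses are tried top to bottom, the first clause whose target matches is the only one consulted, and a simple bind is checked while the connection is still anonymous (it needs `auth` on the bind DN's `userPassword`). The KDC's own entry sits under ou=krb5, so clause {0} catches it and clause {1}'s `by anonymous auth` is never reached; slapacl, which checks the already-authenticated DN, is not asking that question. The script below is an added example, my own model of that first-match logic rather than OpenLDAP code or the poster's configuration; it encodes clauses {0}, {1}, {7} and {8} from the question (the elided {2}-{6} only cover other subtrees) and evaluates both the original and the corrected clause {0}. `uid=alice,ou=people,...` is a constructed DN.

```python
"""Model of OpenLDAP olcAccess evaluation: first matching 'to' clause wins,
then the first matching 'by' clause inside it decides the level.
Added example; not OpenLDAP code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Access levels in OpenLDAP's order; granting a level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def level_ge(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)


def dn_in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


@dataclass
class Rule:
    """One olcAccess clause. Target selectors left as None match anything."""
    subtree: Optional[str] = None              # dn.subtree="..."
    base: Optional[str] = None                 # dn.base="..."
    attrs: Optional[Tuple[str, ...]] = None    # attrs=...; None = all attributes
    by: List[Tuple[str, str]] = field(default_factory=list)  # ordered (who, level)

    def matches_target(self, dn: str, attr: str) -> bool:
        if self.subtree is not None and not dn_in_subtree(dn, self.subtree):
            return False
        if self.base is not None and dn.lower() != self.base.lower():
            return False
        if self.attrs is not None and attr.lower() not in {a.lower() for a in self.attrs}:
            return False
        return True

    def grant_for(self, requester: Optional[str]) -> str:
        """requester is the authenticated DN, or None for anonymous."""
        for who, level in self.by:
            if who == "*":
                return level
            if who == "anonymous" and requester is None:
                return level
            if who == "users" and requester is not None:
                return level
            if requester is not None and who.lower() == requester.lower():
                return level
        return "none"  # nothing matched: OpenLDAP's implicit 'by * none'


def evaluate(rules: List[Rule], target_dn: str, attr: str, requester: Optional[str]) -> str:
    """Level the requester gets on (target_dn, attr) under an ordered rule list."""
    for rule in rules:
        if rule.matches_target(target_dn, attr):
            return rule.grant_for(requester)
    return "none"


def simple_bind_allowed(rules: List[Rule], bind_dn: str) -> bool:
    """A simple bind is checked as anonymous and needs 'auth' on the bind DN's
    userPassword; the session only becomes bind_dn after that succeeds."""
    return level_ge(evaluate(rules, bind_dn, "userPassword", None), "auth")


KRB5 = "ou=krb5,dc=example,dc=org"
KDC_DN = f"cn=kdc-srv,{KRB5}"
ADM_DN = f"cn=adm-srv,{KRB5}"
OTHER_DN = "cn=other,dc=example,dc=org"


def build_acl(clause0_by: List[Tuple[str, str]]) -> List[Rule]:
    """Clauses {0}, {1}, {7}, {8} from the question; {0}'s 'by' list is a parameter."""
    return [
        Rule(subtree=KRB5, by=clause0_by),                                     # {0}
        Rule(attrs=("userPassword", "shadowLastChange"),
             by=[(OTHER_DN, "write"), ("anonymous", "auth"), ("*", "none")]),  # {1}
        Rule(base="", by=[("*", "read")]),                                     # {7}
        Rule(by=[(OTHER_DN, "write"), ("users", "search"), ("*", "none")]),    # {8}
    ]


ORIGINAL_ACL = build_acl([(ADM_DN, "write"), (KDC_DN, "read"), ("*", "none")])
FIXED_ACL = build_acl([(ADM_DN, "write"), (KDC_DN, "read"),
                       ("anonymous", "auth"), ("*", "none")])


def diagnose() -> dict:
    return {
        # what slapacl checked: kdc-srv, already authenticated, reading ou=krb5
        "kdc_read_after_bind": evaluate(ORIGINAL_ACL, KRB5, "entry", KDC_DN),
        # what the bind checks: anonymous on kdc-srv's userPassword, caught by {0}
        "kdc_bind_original": simple_bind_allowed(ORIGINAL_ACL, KDC_DN),
        "kdc_bind_fixed": simple_bind_allowed(FIXED_ACL, KDC_DN),
        # constructed DN outside ou=krb5: falls through to {1}, so it could still bind
        "user_bind_original": simple_bind_allowed(
            ORIGINAL_ACL, "uid=alice,ou=people,dc=example,dc=org"),
    }


if __name__ == "__main__":
    for name, value in diagnose().items():
        print(f"{name}: {value}")
```

On a live server the same question is answered by slapacl itself, targeting the bind DN's password rather than the subtree: `slapacl -b "cn=kdc-srv,ou=krb5,dc=example,dc=org" userPassword/auth`, run without `-D` so it is evaluated as the anonymous identity a simple bind starts from. That check reports DENIED under the original clause {0} and ALLOWED once `by anonymous auth` precedes `by * none`.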