Hello Team,
Currently we are trying to integrate Kerberos with OpenLDAP. Please see the steps below along with the necessary configuration details; we are facing an issue bringing the kadmin service up. Please see the error details below.
Code:
1st step
***************
[root@xxxxxxxx openldap]# sudo yum -y install krb5-server krb5-server-ldap
Loaded plugins: langpacks, product-id, search-disabled-repos
Package krb5-server-1.15.1-37.el7_6.x86_64 already installed and latest version
Package krb5-server-ldap-1.15.1-37.el7_6.x86_64 already installed and latest version Nothing to do
2nd step
**********
[root@xxxxxxxx openldap]# sudo /bin/grep -q "^%cloudera-scm\ *ALL=NOPASSWD:.*krb5kdc" /etc/sudoers || echo "%cloudera-scm ALL=NOPASSWD:/etc/init.d/krb5kdc , /sbin/service krb5kdc *" | sudo /usr/bin/tee -a /etc/sudoers > /dev/null
[root@lvmbgmnp1007 openldap]# sudo /bin/grep -q "^%cloudera-scm\ *ALL=NOPASSWD:.*kadmin" /etc/sudoers || echo "%cloudera-scm ALL=NOPASSWD:/etc/init.d/kadmin , /sbin/service kadmin *" | sudo /usr/bin/tee -a /etc/sudoers > /dev/null
3rd step
***************
[root@xxxxxxxx openldap]# sudo chkconfig kadmin on
Note: Forwarding request to 'systemctl enable kadmin.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
4th step
************
[root@xxxxxxxx krb5kdc]# vi kadm5.acl
[root@xxxxxxxx krb5kdc]# cat kadm5.acl
* /admin@NP-BIGDATA.EQH *
5th step
************
[root@lvmbgmnp1007 krb5kdc]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
#Setup /etc/krb5.conf to use Bigdata KDC as default
[libdefaults]
default_realm = NP-BIGDATA.EQH
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
NP-BIGDATA.EQH = {
kdc = ldap.np-bigdata.eqh:88
admin_server = ldap.np-bigdata.eqh:749
}
[domain_realm]
np-bigdata.eqh = NP-BIGDATA.EQH
.np-bigdata.eqh = NP-BIGDATA.EQH
COMMAND
************
[root@xxxxxxxx etc]# kdb5_ldap_util stashsrvpw -f /var/kerberos/krb5kdc/ldap.keyfile cn=kdc-service,ou=Services,dc=np-bigdata,dc=eqh
Password for "cn=kdc-service,ou=services,dc=np-bigdata,dc=eqh":
Re-enter password for "cn=kdc-service,ou=services,dc=np-bigdata,dc=eqh":
Update ldap.keyfile under /var/Kerberos/krb5kdc and create adm-service password
6TH STEP
*************
[root@xxxxxxxx krb5kdc]# kdb5_ldap_util stashsrvpw -f /var/kerberos/krb5kdc/ldap.keyfile cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh
Password for "cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh":
Re-enter password for "cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh":
7th step
**********
[root@xxxxxxxx etc]# cd /var/kerberos/krb5kdc
[root@xxxxxxxx krb5kdc]# ls -ltr
total 12
-rw------- 1 root root 451 Dec 18 2018 kdc.conf
-rw------- 1 root root 26 Nov 30 02:43 kadm5.acl
-rw------- 1 root root 92 Nov 30 04:19 ldap.keyfile
[root@lvmbgmnp1007 krb5kdc]# cat ldap.keyfile
cn=kdc-service,ou=Services,dc=np-bigdata,dc=eqh#{HEX}4753464b494d574f45695451394d654c404e50
cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh#{HEX}586d6e3056487a6d784a4a5746556b6a404e50
8th step
*************
Create KDC master password
****************************
setup the KDC.CONF
**********************
[root@xxxxxxxx krb5kdc]# vi kdc.conf
[root@xxxxxxxx krb5kdc]# cat kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
NP-BIGDATA.EQH = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_life = 1d
max_renewable_life = 7d
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
database_module = openldap_ldapconfbd
}
[dbmodules]
openldap_ldapconfbd = {
db_library = kldap
ldap_kdc_dn = cn=kdc-service,ou=Services,dc=np-bigdata,dc=eqh
ldap_kadmind_dn = cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh
ldap_service_password_file = /var/kerberos/krb5kdc/ldap.keyfile
ldap_servers = ldapi://
ldap_kerberos_container_dn = cn=kerberos,dc=np-bigdata,dc=eqh
ldap_conns_per_server = 5
}
[root@xxxxxxxx krb5kdc]# kdb5_ldap_util -H ldapi:// -D cn=Manager,dc=np-bigdata,dc=eqh create -subtrees ou=Users,dc=np-bigdata,dc=eqh -r NP-BIGDATA.EQH -s
Password for "cn=Manager,dc=np-bigdata,dc=eqh":
Initializing database for realm 'NP-BIGDATA.EQH'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@lvmbgmnp1007 krb5kdc]#
8TH STEP
************
[root@lvmbgmnp1007 openldap]# systemctl stop kadmin.service
[root@lvmbgmnp1007 openldap]# systemctl start kadmin.service
Job for kadmin.service failed because the control process exited with error code. See "systemctl status kadmin.service" and "journalctl -xe" for details.
[root@lvmbgmnp1007 openldap]# systemctl status kadmin.service
● kadmin.service - Kerberos 5 Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2019-12-02 02:09:31 EST; 17s ago
Process: 126983 ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=1/FAILURE)
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh systemd[1]: Starting Kerberos 5 Password-changing and Administration...
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh _kadmind[126983]: kadmind: kadmind: Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Inval..., aborting
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh systemd[1]: kadmin.service: control process exited, code=exited status=1
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh systemd[1]: Failed to start Kerberos 5 Password-changing and Administration.
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh systemd[1]: Unit kadmin.service entered failed state.
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh systemd[1]: kadmin.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@lvmbgmnp1007 log]# cat kadmind.log
Dec 01 05:11:05 lvmbgmnp1007.np-bigdata.eqh kadmind[22121](Error): Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credentials while initializing, aborting
Dec 01 05:14:27 lvmbgmnp1007.np-bigdata.eqh kadmind[22844](Error): Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credentials while initializing, aborting
Dec 01 05:19:40 lvmbgmnp1007.np-bigdata.eqh kadmind[23910](Error): Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credentials while initializing, aborting
Dec 02 02:06:51 lvmbgmnp1007.np-bigdata.eqh kadmind[126469](Error): Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credentials while initializing, aborting
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh kadmind[126983](Error): Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credentials while initializing, aborting
Thanks and Regards
Bibhu
Read the LQ Rules and the "Question Guidelines" and "How to ask a smart question" links in my posting signature. We aren't members of your 'team', and this is NOT urgent for anyone here. We volunteer our time to help folks, and if you need urgent help, I'd suggest you pay for either Red Hat or SuSE Enterprise Linux, and their support will be there 24/7 for you.
Past that, you have not told us what version/distro of Linux you're using, and while you've provided details about what you've done, you seem to have not read things that you've posted. I have bolded some lines in your post for emphasis. Have you looked at the logs as has been suggested by the "See "systemctl status kadmin.service" and "journalctl -xe" for details" line??? And the error you're getting is fairly clear: your server can't bind to LDAP, either because of incorrect credentials, keys, or some network issue. Which of those we can't tell you, since the relevant logs aren't here.
Dear TBOne,
Hope you are doing well. Thanks for addressing this issue. As requested, here are the details of the operating system:
[root@lvmbgmnp1007 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
[root@lvmbgmnp1007 ~]#
[root@lvmbgmnp1007 ~]# systemctl restart kadmin.service
Job for kadmin.service failed because the control process exited with error code. See "systemctl status kadmin.service" and "journalctl -xe" for details.
[root@lvmbgmnp1007 ~]# journalctl -xe
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman.../systemd-devel
--
-- Unit user-0.slice has finished shutting down.
Dec 02 11:31:02 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1033 fd=11 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Dec 02 11:31:02 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1033 op=0 BIND dn="cn=Manager,dc=np-bigdata,dc=eqh" method=128
Dec 02 11:31:02 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1033 op=0 BIND dn="cn=Manager,dc=np-bigdata,dc=eqh" mech=SIMPLE ssf=0
Dec 02 11:31:02 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1033 op=0 RESULT tag=97 err=0 text=
Dec 02 11:31:02 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1033 op=1 SRCH base="dc=np-bigdata,dc=eqh" scope=2 deref=0 filter="(objectClass=*)"
Dec 02 11:31:02 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1033 op=1 SEARCH RESULT tag=101 err=0 nentries=16 text=
Dec 02 11:31:02 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1033 op=2 UNBIND
Dec 02 11:31:02 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1033 fd=11 closed
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh polkitd[1589]: Registered Authentication Agent for unix-process:100306:95381369 (system bus name :1.138697 [/usr/bin/pkttyagent --notify-fd 5 --fa
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh systemd[1]: Starting Kerberos 5 Password-changing and Administration...
-- Subject: Unit kadmin.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman.../systemd-devel
--
-- Unit kadmin.service has begun starting up.
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1034 fd=11 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1034 op=0 BIND dn="" method=128
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1034 op=0 RESULT tag=97 err=0 text=
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh _kadmind[100313]: kadmind: kadmind: Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credential
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1034 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh systemd[1]: kadmin.service: control process exited, code=exited status=1
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1034 op=1 SRCH attr=supportedFeatures
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh systemd[1]: Failed to start Kerberos 5 Password-changing and Administration.
-- Subject: Unit kadmin.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman.../systemd-devel
--
-- Unit kadmin.service has failed.
--
-- The result is failed.
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1034 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh systemd[1]: Unit kadmin.service entered failed state.
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1034 op=2 UNBIND
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh systemd[1]: kadmin.service failed.
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1034 fd=11 closed
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1035 fd=11 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1035 op=0 BIND dn="cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh" method=128
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1035 op=0 RESULT tag=97 err=49 text=
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh slapd[38341]: conn=1035 fd=11 closed (connection lost)
Dec 02 11:31:13 lvmbgmnp1007.np-bigdata.eqh polkitd[1589]: Unregistered Authentication Agent for unix-process:100306:95381369 (system bus name :1.138697, object path /org/freedesktop/PolicyK
[root@lvmbgmnp1007 ~]#
As you mentioned earlier, could you please help us understand the issue? Is it because of a network-related issue or a password mismatch?
So as said before, this is NOT urgent for anyone here...and you're using Red Hat Enterprise, which is a commercial, pay-for distro. Have you contacted the Red Hat support you're paying for? You are PAYING for RHEL, right???
And again, as said before, did you read the messages you got previously??? It's telling you very plainly that you're passing invalid credentials, or your LDAP server can't authenticate you. Since you tell us NOTHING about your environment, we don't/can't know if there is a firewall issue or anything else involved. But since this is 'urgent' for you, have you tried different credentials??
You need to contact Red Hat support; this could very well be related to a known bug (which has been patched). If you're paying for RHEL, you should already have access to the online repositories, and be able to apply the updates.
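The journalctl output earlier in the thread interleaves slapd, systemd and kadmind lines, which makes the bind result hard to follow. The Python sketch below is an added example, not part of the original thread: it pairs each slapd BIND with its RESULT by conn/op and separates "slapd never saw the bind" from "slapd rejected the credentials". The sample text reuses the slapd lines from the post with the host name shortened to `kdc1`; the function names are this example's own.

```python
import re

# Constructed sample: slapd lines from the journalctl output posted in the
# thread, host name shortened to "kdc1" (an assumption made for brevity).
SAMPLE_JOURNAL = """\
Dec 02 11:31:02 kdc1 slapd[38341]: conn=1033 fd=11 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Dec 02 11:31:02 kdc1 slapd[38341]: conn=1033 op=0 BIND dn="cn=Manager,dc=np-bigdata,dc=eqh" method=128
Dec 02 11:31:02 kdc1 slapd[38341]: conn=1033 op=0 BIND dn="cn=Manager,dc=np-bigdata,dc=eqh" mech=SIMPLE ssf=0
Dec 02 11:31:02 kdc1 slapd[38341]: conn=1033 op=0 RESULT tag=97 err=0 text=
Dec 02 11:31:13 kdc1 slapd[38341]: conn=1034 fd=11 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Dec 02 11:31:13 kdc1 slapd[38341]: conn=1034 op=0 BIND dn="" method=128
Dec 02 11:31:13 kdc1 slapd[38341]: conn=1034 op=0 RESULT tag=97 err=0 text=
Dec 02 11:31:13 kdc1 systemd[1]: kadmin.service: control process exited, code=exited status=1
Dec 02 11:31:13 kdc1 slapd[38341]: conn=1035 fd=11 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Dec 02 11:31:13 kdc1 slapd[38341]: conn=1035 op=0 BIND dn="cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh" method=128
Dec 02 11:31:13 kdc1 slapd[38341]: conn=1035 op=0 RESULT tag=97 err=49 text=
Dec 02 11:31:13 kdc1 slapd[38341]: conn=1035 fd=11 closed (connection lost)
"""

# LDAP result codes (RFC 4511) that are relevant to a bind.
RESULT_NAMES = {0: "success", 32: "noSuchObject",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

SLAPD_LINE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:op=(\d+)|fd=\d+) (.*)$")
BIND_REQ = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
BIND_RES = re.compile(r"RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse


def bind_attempts(journal_text):
    """Pair every BIND request with its RESULT; lines from other units are skipped."""
    transport = {}   # conn -> peer slapd accepted the connection from
    pending = {}     # (conn, op) -> bind request still waiting for its RESULT
    finished = []
    for line in journal_text.splitlines():
        m = SLAPD_LINE.search(line)
        if not m:
            continue  # systemd, polkitd, kadmind, journal annotations
        conn, op, rest = m.groups()
        req = BIND_REQ.match(rest)
        res = BIND_RES.match(rest)
        if rest.startswith("ACCEPT from "):
            transport[conn] = rest.split()[2]  # e.g. PATH=/var/run/ldapi
        elif req:
            pending[(conn, op)] = {"conn": int(conn), "dn": req.group(1),
                                   "simple": req.group(2) == "128"}
        elif res and (conn, op) in pending:
            bind = pending.pop((conn, op))
            bind["err"] = int(res.group(1))
            bind["result"] = RESULT_NAMES.get(bind["err"], "other")
            bind["transport"] = transport.get(conn, "unknown")
            finished.append(bind)
    return finished


def diagnose(journal_text, bind_dn):
    """Classify the latest bind as bind_dn: ok, credentials, no-bind-seen, other."""
    # Case-insensitive DN comparison is a simplification made by this example.
    attempts = [b for b in bind_attempts(journal_text)
                if b["dn"].lower() == bind_dn.lower()]
    if not attempts:
        return "no-bind-seen"  # look at the socket path, the URI, or slapd itself
    last = attempts[-1]
    if last["err"] == 0:
        return "ok"
    if last["err"] == 49:
        return "credentials"   # slapd was reached and refused the bind
    return "other:" + last["result"]


if __name__ == "__main__":
    for b in bind_attempts(SAMPLE_JOURNAL):
        print(b["conn"], b["transport"], repr(b["dn"]), b["err"], b["result"])
    print(diagnose(SAMPLE_JOURNAL,
                   "cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh"))
```

On the sample, the connection over the ldapi socket is accepted and only the bind as cn=adm-service is refused with err=49 (invalidCredentials). OpenLDAP returns that code for a wrong password and also when the bind DN does not exist or has no userPassword.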
Thank you so much for your suggestion and support. This is a new setup which we are trying to build in our environment; we have sent an email to vendor support but no luck yet.
It would be great if you have any further suggestions for this issue. Regarding authentication, the error indicates "kadmind: kadmind: Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credential". Based on the error, I am trying to set the password of 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh' using the commands below, but the same error still appears.
[root@xxxxxxxx krb5kdc]# kdb5_ldap_util stashsrvpw -f /var/kerberos/krb5kdc/ldap.keyfile cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh
Password for "cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh":
Re-enter password for "cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh":
[root@xxxxxxxx etc]# kdb5_ldap_util stashsrvpw -f /var/kerberos/krb5kdc/ldap.keyfile cn=kdc-service,ou=Services,dc=np-bigdata,dc=eqh
Password for "cn=kdc-service,ou=services,dc=np-bigdata,dc=eqh":
Re-enter password for "cn=kdc-service,ou=services,dc=np-bigdata,dc=eqh":
[root@lvmbgmnp1007 krb5kdc]# cat ldap.keyfile
cn=kdc-service,ou=Services,dc=np-bigdata,dc=eqh#{HEX}4753464b494d574f45695451394d654c404e50
cn=adm-service,ou=Services,dc=np-igdata,dc=eqh#{HEX}586d6e3056487a6d784a4a5746556b6a404e50
Have you called them??? RHEL support is available 24/7...hard to imagine a scenario where they wouldn't get back to you very quickly.
You need to post such things in CODE tags, since they're almost unreadable as is. And I have answered that question twice already, and asked you things, such as what you've tried, your environment, etc.
AGAIN: your message is VERY clear; it is plainly telling you that you have invalid credentials. As far as why, we cannot speculate, since we know NOTHING about your setup, past what you've posted. You STILL haven't said what you've tried to get this to work...have you done **ANY** sort of diagnostics at all??? You were told about patches that fix bugs related to SSSD/Kerberos...as a paying client (as you claim), have you applied those patches?? There is a complete guide to this in the Red Hat knowledgebase: https://access.redhat.com/documentat...onfig-kerberos
Have you tried doing a basic ldap search for the user in question with the credentials specified, to see if it works at all??
Sorry, but are you not paying attention??? DO NOT Post huge chunks of things like that without putting them in CODE tags; you've been told/asked several times, and you continue to do it. GO back, edit your posts, and put these things in CODE tags so it can be at least a little bit readable.
And having to ask things over and over without getting answers to questions isn't good; if you want help, go back and re-read the things you've been asked, and ANSWER THEM. And AGAIN, you need to contact Red Hat support, read their knowledgebase articles about how to do this, and especially the errata/bug fixes which you (as a paying customer), can access. Without the patches, you WILL NOT be able to get this working, period.
If you are going to ignore what you're asked (CODE tags, answering questions, etc.), there is nothing anyone can do for you, and there's not much point in posting.