URGENT:KADMIN service failed to start

by patnaik.bibhu@gmail.com, from LinuxQuestions.org (#4VZ32)

Hello Team,

Currently we are trying to integrate Kerberos with OpenLDAP. Please see the steps below along with the necessary configuration details; we are facing an issue in bringing the kadmin service up. Please see the error details as mentioned below.

1st step
***************
[root@xxxxxxxx openldap]# sudo yum -y install krb5-server krb5-server-ldap
Loaded plugins: langpacks, product-id, search-disabled-repos
Package krb5-server-1.15.1-37.el7_6.x86_64 already installed and latest version
Package krb5-server-ldap-1.15.1-37.el7_6.x86_64 already installed and latest version
Nothing to do
2nd step
**********
[root@xxxxxxxx openldap]# sudo /bin/grep -q "^%cloudera-scm\ *ALL=NOPASSWD:.*krb5kdc" /etc/sudoers || echo "%cloudera-scm ALL=NOPASSWD:/etc/init.d/krb5kdc , /sbin/service krb5kdc *" | sudo /usr/bin/tee -a /etc/sudoers > /dev/null
[root@lvmbgmnp1007 openldap]# sudo /bin/grep -q "^%cloudera-scm\ *ALL=NOPASSWD:.*kadmin" /etc/sudoers || echo "%cloudera-scm ALL=NOPASSWD:/etc/init.d/kadmin , /sbin/service kadmin *" | sudo /usr/bin/tee -a /etc/sudoers > /dev/null
3rd step
***************
[root@xxxxxxxx openldap]# sudo chkconfig kadmin on
Note: Forwarding request to 'systemctl enable kadmin.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.

4th step
************
[root@xxxxxxxx krb5kdc]# vi kadm5.acl
[root@xxxxxxxx krb5kdc]# cat kadm5.acl
* /admin@NP-BIGDATA.EQH *

5th step
************
[root@lvmbgmnp1007 krb5kdc]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
#Setup /etc/krb5.conf to use Bigdata KDC as default
[libdefaults]
default_realm = NP-BIGDATA.EQH
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
NP-BIGDATA.EQH = {
kdc = ldap.np-bigdata.eqh:88
admin_server = ldap.np-bigdata.eqh:749
}
[domain_realm]
np-bigdata.eqh = NP-BIGDATA.EQH
.np-bigdata.eqh = NP-BIGDATA.EQH
COMMAND
************
[root@xxxxxxxx etc]# kdb5_ldap_util stashsrvpw -f /var/kerberos/krb5kdc/ldap.keyfile cn=kdc-service,ou=Services,dc=np-bigdata,dc=eqh
Password for "cn=kdc-service,ou=services,dc=np-bigdata,dc=eqh":
Re-enter password for "cn=kdc-service,ou=services,dc=np-bigdata,dc=eqh":

Update ldap.keyfile under /var/kerberos/krb5kdc and create the adm-service password
6TH STEP
*************
[root@xxxxxxxx krb5kdc]# kdb5_ldap_util stashsrvpw -f /var/kerberos/krb5kdc/ldap.keyfile cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh
Password for "cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh":
Re-enter password for "cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh":
7th step
**********
[root@xxxxxxxx etc]# cd /var/kerberos/krb5kdc
[root@xxxxxxxx krb5kdc]# ls -ltr
total 12
-rw------- 1 root root 451 Dec 18 2018 kdc.conf
-rw------- 1 root root 26 Nov 30 02:43 kadm5.acl
-rw------- 1 root root 92 Nov 30 04:19 ldap.keyfile
[root@lvmbgmnp1007 krb5kdc]# cat ldap.keyfile
cn=kdc-service,ou=Services,dc=np-bigdata,dc=eqh#{HEX}4753464b494d574f45695451394d654c404e50
cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh#{HEX}586d6e3056487a6d784a4a5746556b6a404e50
8th step
*************
Create KDC master password
****************************
Set up kdc.conf
**********************
[root@xxxxxxxx krb5kdc]# vi kdc.conf
[root@xxxxxxxx krb5kdc]# cat kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
NP-BIGDATA.EQH = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_life = 1d
max_renewable_life = 7d
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
database_module = openldap_ldapconfbd
}
[dbmodules]
openldap_ldapconfbd = {
db_library = kldap
ldap_kdc_dn = cn=kdc-service,ou=Services,dc=np-bigdata,dc=eqh
ldap_kadmind_dn = cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh
ldap_service_password_file = /var/kerberos/krb5kdc/ldap.keyfile
ldap_servers = ldapi://
ldap_kerberos_container_dn = cn=kerberos,dc=np-bigdata,dc=eqh
ldap_conns_per_server = 5
}
[root@xxxxxxxx krb5kdc]# kdb5_ldap_util -H ldapi:// -D cn=Manager,dc=np-bigdata,dc=eqh create -subtrees ou=Users,dc=np-bigdata,dc=eqh -r NP-BIGDATA.EQH -s
Password for "cn=Manager,dc=np-bigdata,dc=eqh":
Initializing database for realm 'NP-BIGDATA.EQH'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@lvmbgmnp1007 krb5kdc]#
8TH STEP
************
[root@lvmbgmnp1007 openldap]# systemctl stop kadmin.service
[root@lvmbgmnp1007 openldap]# systemctl start kadmin.service
Job for kadmin.service failed because the control process exited with error code. See "systemctl status kadmin.service" and "journalctl -xe" for details.
[root@lvmbgmnp1007 openldap]# systemctl status kadmin.service
● kadmin.service - Kerberos 5 Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2019-12-02 02:09:31 EST; 17s ago
Process: 126983 ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=1/FAILURE)
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh systemd[1]: Starting Kerberos 5 Password-changing and Administration...
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh _kadmind[126983]: kadmind: kadmind: Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Inval..., aborting
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh systemd[1]: kadmin.service: control process exited, code=exited status=1
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh systemd[1]: Failed to start Kerberos 5 Password-changing and Administration.
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh systemd[1]: Unit kadmin.service entered failed state.
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh systemd[1]: kadmin.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@lvmbgmnp1007 log]# cat kadmind.log
Dec 01 05:11:05 lvmbgmnp1007.np-bigdata.eqh kadmind[22121](Error): Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credentials while initializing, aborting
Dec 01 05:14:27 lvmbgmnp1007.np-bigdata.eqh kadmind[22844](Error): Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credentials while initializing, aborting
Dec 01 05:19:40 lvmbgmnp1007.np-bigdata.eqh kadmind[23910](Error): Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credentials while initializing, aborting
Dec 02 02:06:51 lvmbgmnp1007.np-bigdata.eqh kadmind[126469](Error): Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credentials while initializing, aborting
Dec 02 02:09:31 lvmbgmnp1007.np-bigdata.eqh kadmind[126983](Error): Cannot bind to LDAP server 'ldapi://' as 'cn=adm-service,ou=Services,dc=np-bigdata,dc=eqh': Invalid credentials while initializing, aborting

Thanks and Regards
Bibhu
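Added diagnostic for the "Cannot bind to LDAP server ... Invalid credentials" failure in the post (example script, not the poster's own commands and not part of MIT krb5): it reads ldap_kadmind_dn and ldap_servers from kdc.conf, decodes the {HEX} line that kdb5_ldap_util stashsrvpw wrote to ldap.keyfile for that DN, and repeats the simple bind kadmind performs with ldapwhoami. The sample realm, DN and password below are constructed, and ldapwhoami from openldap-clients is assumed to be installed for the live bind check.

```shell
# Added diagnostic (not from the post): repeat the bind kadmind attempts, using ldap_kadmind_dn
# and ldap_servers from kdc.conf and the password kdb5_ldap_util stashsrvpw stored in the keyfile.

# First value of a key in kdc.conf (sections are not tracked; enough for the dbmodules keys).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Decode a {HEX} stash value: each byte becomes an octal escape that printf turns into bytes.
hex_decode() {
    hex=$1 fmt=''
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}; hex=${hex#??}
        fmt="$fmt$(printf '\\%03o' "$((0x$pair))")"
    done
    printf "$fmt"
}

# Password stashed for exactly this DN (lines are DN#{HEX}<hex>; the match is case-sensitive, as
# the DN must equal ldap_kadmind_dn as written in kdc.conf). Fails and lists stored DNs on a miss.
stash_lookup() {
    dn=$1
    while IFS= read -r line; do
        case $line in
            "$dn"'#{HEX}'*) hex=${line#*"{HEX}"}; hex_decode "$hex"; return 0 ;;
        esac
    done < "$2"
    echo "no stash entry for '$dn'; DNs present:" >&2; sed 's/#{HEX}.*//' "$2" >&2
    return 1
}

# The stash is hex-encoded, not encrypted, so it must stay root-only (the post shows -rw------- root).
stash_perms_ok() { [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]; }

# Repeat kadmind's simple bind with ldapwhoami (openldap-clients); the password goes through a
# 0600 temp file (-y), never on the command line where ps could show it.
kadmind_bind_check() {
    dn=$(conf_value ldap_kadmind_dn "$1"); uri=$(conf_value ldap_servers "$1")
    [ -n "$dn" ] && [ -n "$uri" ] || { echo "ldap_kadmind_dn or ldap_servers missing in $1" >&2; return 1; }
    pw=$(stash_lookup "$dn" "$2") || return 1
    pwfile=$(umask 077; mktemp) && printf '%s' "$pw" > "$pwfile"
    ldapwhoami -x -H "$uri" -D "$dn" -y "$pwfile" && rc=0 || rc=$?
    rm -f "$pwfile"; return $rc
}

# Constructed sample files for the checks (made-up realm and password, not the poster's values).
SAMPLE_DIR=$(mktemp -d)
(umask 077; printf '%s\n' 'cn=adm-service,ou=Services,dc=example,dc=test#{HEX}73616d706c652d7077' > "$SAMPLE_DIR/ldap.keyfile")
printf '%s\n' 'openldap_ldapconfbd = {' '  db_library = kldap' '  ldap_servers = ldapi://' \
    '  ldap_kadmind_dn = cn=adm-service,ou=Services,dc=example,dc=test' '}' > "$SAMPLE_DIR/kdc.conf"
```

Run `kadmind_bind_check /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/ldap.keyfile` as root on the KDC: an "Invalid credentials (49)" from ldapwhoami means the password stashed for cn=adm-service does not match what the directory holds for that entry (reset it there and re-run stashsrvpw), while a "no stash entry" message means the DN string in kdc.conf has no matching keyfile line.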