Secondary Kerberos KDC does not start

I have configured Kerberos with an LDAP backend following this guide: https://ubuntu.com/server/docs/service-kerberos-with-openldap-backend

However, my secondary KDC does not start; journalctl reports:

Sep 13 11:57:34 node2 systemd[1]: Started Kerberos 5 KDC.
Sep 13 11:57:34 node2 krb5kdc[2667437]: krb5kdc: cannot initialize realm EXAMPLE.COM - see log file for details
Sep 13 11:57:34 node2 krb5kdc[2667437]: Unable to read Realm: Unable to access Kerberos database - while initializing database for realm EXAMPLE.COM
Sep 13 11:57:34 node2 systemd[1]: krb5-kdc.service: Main process exited, code=exited, status=1/FAILURE
Sep 13 11:57:34 node2 systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Sep 13 11:57:34 node2 systemd[1]: krb5-kdc.service: Scheduled restart job, restart counter is at 5.
Sep 13 11:57:34 node2 systemd[1]: Stopped Kerberos 5 KDC.
Sep 13 11:57:34 node2 systemd[1]: krb5-kdc.service: Start request repeated too quickly.
Sep 13 11:57:34 node2 systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Sep 13 11:57:34 node2 systemd[1]: Failed to start Kerberos 5 KDC.

How can I debug this further?

My /etc/krb5.conf, which is identical on both nodes (node1 and node2), looks like this:

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
     EXAMPLE.COM = {
        admin_server = node1.example.com
        kdc = node1.example.com
        kdc = node2.example.com
        default_principal_flags = +preauth
        database_module = openldap_ldapconf
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[dbdefaults]
    ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # if either of these is false, then the ldap_kdc_dn needs to
        # have write access
        disable_last_success = true
        disable_lockout  = true

        # this object needs to have read rights on
        # the realm container, principal container and realm sub-trees
        ldap_kdc_dn = "uid=kdc-service,dc=example,dc=com"

        # this object needs to have read and write rights on
        # the realm container, principal container and realm sub-trees
        ldap_kadmind_dn = "uid=kadmin-service,dc=example,dc=com"

        ldap_service_password_file = /var/lib/krb5kdc/service.keyfile
        ldap_servers = ldaps:///node1.example.com ldaps:///node2.example.com
        ldap_conns_per_server = 5
    }

[logging]
    kdc          = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default      = SYSLOG:NOTICE

The file /var/lib/krb5kdc/kdc.conf is also synchronised between the two nodes:

[kdcdefaults]
        kdc_listen = 88
        kdc_tcp_listen = 88

[realms]
    MICROPSI-INDUSTRIES.DE = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /var/lib/krb5kdc/kadm5.acl
        key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

I have also copied the files /var/lib/krb5kdc/{service.keyfile,kadm5.acl,.k5.EXAMPLE.COM} from node1 to node2.
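Added here as an illustration and not part of the question or of the Ubuntu guide: a small Python check that parses krb5.conf/kdc.conf the way the KDC reads them (sections, key = value lines, one level of { } blocks) and reports two things worth ruling out before digging into LDAP itself, namely whether kdc.conf's [realms] entry matches the default_realm the KDC is initialising, and whether every ldap_servers URL actually names a host (ldaps:///host has an empty host component). The embedded excerpts are constructed from the configs above; the function names and messages are my own.

```python
from urllib.parse import urlsplit
# Constructed excerpts of the two files shown in the question (not the full files).
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        database_module = openldap_ldapconf
    }
[dbmodules]
    openldap_ldapconf = {
        ldap_servers = ldaps:///node1.example.com ldaps:///node2.example.com
    }
"""
KDC_CONF = """
[realms]
    MICROPSI-INDUSTRIES.DE = {
        database_name = /var/lib/krb5kdc/principal
    }
"""

def parse_krb5(text):
    """Parse [section] headers, key = value lines and one level of key = { } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding space
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":                            # end of a sub-block
            block = None
        elif line:                                   # blank lines are skipped
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:  # repeated keys (e.g. several kdc = lines) are collected in a list
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def check_kdc_config(krb5_text, kdc_text):
    """Return findings worth ruling out when the KDC cannot access its database."""
    krb5, kdc = parse_krb5(krb5_text), parse_krb5(kdc_text)
    realm = krb5["libdefaults"]["default_realm"][0]
    findings = []
    if realm not in kdc.get("realms", {}):
        findings.append(f"kdc.conf [realms] defines {sorted(kdc.get('realms', {}))}, not {realm}")
    module = krb5["realms"][realm]["database_module"][0]
    for url in " ".join(krb5["dbmodules"][module].get("ldap_servers", [])).split():
        if not urlsplit(url).netloc:                  # ldaps:///host parses with an empty host
            findings.append(f"ldap_servers URL {url} has no host; ldaps://host expected")
    return findings
```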