When starting the krb5-admin service, I receive the following error: “Cannot bind to LDAP server ldapi:/// as ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials - while initializing database.”
cn=kdc-srv,cn=krbContainer,dc=example,dc=local is referenced in my krb5.conf as ldap_kdc_dn.
It is also referenced in my password stashes as the following:
echo -ne "$ADMIN_PASSWORD\n$ADMIN_PASSWORD\n" | kdb5_ldap_util \
-D uid=admin,ou=people,dc=example,dc=local -w "$ADMIN_PASSWORD" stashsrvpw \
-f /etc/krb5kdc/service.keyfile cn=kdc-srv,cn=krbContainer,dc=example,dc=local
It is also referenced via ldappasswd:
ldappasswd -H ldapi:/// -D uid=admin,ou=people,dc=example,dc=local \
-w "$ADMIN_PASSWORD" -s "$ADMIN_PASSWORD" cn=kdc-srv,cn=krbContainer,dc=example,dc=local
It is also referenced in my following ACL:
olcAccess: to dn.subtree="cn=krbContainer,dc=example,dc=local"
by dn.exact="cn=adm-srv,cn=krbContainer,dc=example,dc=local" write
by dn.exact="cn=kdc-srv,cn=krbContainer,dc=example,dc=local" read
I thought it was one of my ACLs, but when I modified/removed my ACLs, the problem persisted. I followed this previous post about ACLs (serverfault.com/questions/869585/kerberos-kdc-wont-start-invalid-credentials), but to no avail.
Here is the Bash script I am using for testing: https://drive.google.com/file/d/1PWNAxH6Y0Sk3vBWd85JheG6DOSjmCFbq/view?usp=s...
Kind regards,
Travis Bean
openldap-technical@openldap.org
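The bind error above is raised when the KDC binds to slapd with the DN from ldap_kdc_dn and the password it finds for that exact DN in the stash file, so the first thing worth establishing is that those two sources agree byte for byte and that the stashed secret is the one slapd accepts. The script below is an added example, not part of the post and not MIT krb5 or OpenLDAP project code. It assumes the stash file layout kdb5_ldap_util stashsrvpw writes (one "DN#password" line per DN, with newer releases hex-encoding the password behind a "{HEX}" tag), and all paths and sample contents are constructed for the demonstration; the second stash line deliberately misspells its DN so that the mismatch report can be seen.

```shell
#!/bin/sh
# Added example (not from the post): cross-check the DNs the KDC binds with
# against the kdb5_ldap_util stash file, then optionally try the bind itself.
# Assumed stash format: one "DN#password" line per DN, newer kdb5_ldap_util
# versions writing the password as "{HEX}<hex bytes>"; file paths are constructed.

HEX_TAG='{HEX}'

# hex_decode HEX: print the bytes encoded by a hex string (portable sh, no xxd).
hex_decode() {
    h=$1
    while [ ${#h} -ge 2 ]; do
        pair=${h%"${h#??}"}          # first two characters
        h=${h#??}
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# conf_dn KEY FILE: print the value assigned to KEY in a krb5.conf-style file
# (first match, surrounding double quotes stripped). Trailing blanks are kept on
# purpose so that an invisible whitespace difference shows up as a mismatch.
conf_dn() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 \
        | sed 's/^"\(.*\)"$/\1/'
}

# stash_secret DN FILE: print the stashed password for DN. Fails unless a line's
# DN part is byte-for-byte identical, which is also how the KDC looks it up.
stash_secret() {
    while IFS= read -r line; do
        case $line in
            "$1#"*)
                secret=${line#"$1#"}
                case $secret in
                    "$HEX_TAG"*) hex_decode "${secret#"$HEX_TAG"}" ;;
                    *)           printf '%s' "$secret" ;;
                esac
                return 0 ;;
        esac
    done < "$2"
    return 1
}

# check_dn KEY CONF STASH: one status line per key; returns 0 only on a match.
check_dn() {
    dn=$(conf_dn "$1" "$2")
    if [ -z "$dn" ]; then
        printf '%s: not set in %s\n' "$1" "$2"
        return 2
    fi
    if stash_secret "$dn" "$3" >/dev/null; then
        printf '%s: OK (%s)\n' "$1" "$dn"
        return 0
    fi
    printf '%s: NO STASH ENTRY for "%s"\n' "$1" "$dn"
    printf '  DNs present in %s:\n' "$3"
    sed 's/#.*//; s/^/    /' "$3"
    return 1
}

# bind_test KEY CONF STASH: bind to ldapi:/// as the KDC would, using the stashed
# secret. The password goes through a 0600 file and -y rather than -w so it does
# not show up in the process list; -y uses the file verbatim, so no trailing
# newline is written. Skipped when the OpenLDAP client tools are absent.
bind_test() {
    command -v ldapwhoami >/dev/null 2>&1 || {
        echo "ldapwhoami not installed, bind test skipped"; return 0; }
    dn=$(conf_dn "$1" "$2")
    pwfile=$(umask 077 && mktemp) || return 2
    stash_secret "$dn" "$3" > "$pwfile" || { rm -f "$pwfile"; return 1; }
    ldapwhoami -H ldapi:/// -D "$dn" -y "$pwfile"
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Constructed sample files: the second stash line deliberately misspells the DN.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/krb5.conf" <<'EOF'
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=local
        ldap_kdc_dn = "cn=kdc-srv,cn=krbContainer,dc=example,dc=local"
        ldap_kadmind_dn = "cn=adm-srv,cn=krbContainer,dc=example,dc=local"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldapi:///
    }
EOF
cat > "$WORK/service.keyfile" <<'EOF'
cn=kdc-srv,cn=krbContainer,dc=example,dc=local#{HEX}73656372657431
cn=adm=srv,cn=krbContainer,dc=example,dc=local#{HEX}73656372657432
EOF

for key in ldap_kdc_dn ldap_kadmind_dn; do
    check_dn "$key" "$WORK/krb5.conf" "$WORK/service.keyfile" || :
done
# On a real host: bind_test ldap_kdc_dn /etc/krb5.conf /etc/krb5kdc/service.keyfile
```

Run against the live files, a clean OK from check_dn followed by a failing bind_test points at the directory side (the password stored for that entry, or what slapd lets that identity do during the bind), whereas a missing-entry report means the KDC never had the right secret to offer. Re-running stashsrvpw after any edit to ldap_kdc_dn keeps the two in step, since the stash is keyed on the DN string rather than on the entry.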