directory-dev mailing list archives

From "Tom Rutchik (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (DIRSERVER-2286) Apacheds service will not start if kerberos is enable
Date Mon, 28 Oct 2019 16:42:00 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-2286?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16961232#comment-16961232
] 

Tom Rutchik edited comment on DIRSERVER-2286 at 10/28/19 4:41 PM:
------------------------------------------------------------------

I looked at org.apache.directory.kerberos.client.KdcConfig  and I see that kdcPort default
value is port 88 and the password port is 464 which is contrary to the Directory Service default
recommendation of 60088 and 60464.  I'm looking to see if the values get overridden based
on the values set in the Directory Service.  So far, I've not found any code where that's
done.


was (Author: tom@phinneyridge.com):
I looked at org.apache.directory.kerberos.client.KdcConfig and I see that kdcPort default
value is port 88 and the password port is 464 which is contrary to the Directory Service default
recommendation of 60088 and 60464.  I'm looking to see if the values get overridden based
on the values set in the Directory Service.  So far, I've not found any code where that's
done.

> Apacheds service will not start if kerberos is enable
> -----------------------------------------------------
>
>                 Key: DIRSERVER-2286
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2286
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 2.0.0.AM25
>         Environment: Linux Mint 19.2
> apacheds-2.0.0.AM25
>            Reporter: Tom Rutchik
>            Priority: Major
>         Attachments: apacheds.log, apacheds.service, config.ldif, wrapper.log
>
>
> Apacheds service will not start up if kerberos is enabled.  I've configured the service
to run under the linux user account "apacheds".  Since it's not running under root, the LDAP
service is configured to use port 10389 and the LDAPS service is configured to use port 10636;
similarly the Kerberos server is configured to use port 60088 and the Change Password Kerberos
server is configured to use port 60464.
> I've attached the /lib/systemd/system/apacheds.service description file, but here's what
it contains:
> [Service]
> Type=forking
> User=apacheds
> Group=apacheds
> EnvironmentFile=/etc/default/apacheds
> ExecStart=/bin/sh -c "exec /opt/apacheds-2.0.0.AM25/bin/apacheds start default"
> PrivateTmp=true
>  
> If you look at either the apacheds.log or wrapper.log you'll see the error says:
> java.io.IOException: Error while binding on /0.0.0.0:88
> original message : Permission denied
> So that should be pretty obvious as to what's wrong.  It says that I'm trying to bind
to port 88 instead of port 60088, which is the port I'm using for the Kerberos Server.
> If I check the status of the Kerberos server, here's what it says:
> tom@Phinney:~$ systemctl status krb5-kdc
> ● krb5-kdc.service - Kerberos 5 Key Distribution Center
>  Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
>  Active: active (running) since Fri 2019-10-25 10:13:21 PDT; 57min ago
>  Process: 1142 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited,
status=0/SUCCESS)
>  Main PID: 1154 (krb5kdc)
>  Tasks: 1 (limit: 4915)
>  CGroup: /system.slice/krb5-kdc.service
>  └─1154 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting pktinfo on socket ::.60088
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address 0.0.0.0.10750
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address ::.10750
> Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(14,IPV6_V6ONLY,1) worked
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address 0.0.0.0.60088
> Oct 25 10:13:21 Phinney krb5kdc[1142]: Setting up TCP socket for address ::.60088
> Oct 25 10:13:21 Phinney krb5kdc[1142]: setsockopt(16,IPV6_V6ONLY,1) worked
> Oct 25 10:13:21 Phinney krb5kdc[1142]: set up 8 sockets
> Oct 25 10:13:21 Phinney krb5kdc[1154]: commencing operation
> Oct 25 10:13:21 Phinney systemd[1]: Started Kerberos 5 Key Distribution Center.
> It seems to me that the Kerberos server started up and is using the ports that I told it to
use. I'm not sure what port 10750 is being used for, but I believe that Kerberos uses that
port internally.  The only other thing I'm not sure of is what the setsockopt message with
IPV6_V6ONLY is trying to tell me.  (Does that mean I don't have an IPV4 connection to Kerberos?
If that's the case, it certainly might explain what's going on; but I don't see any configuration
parameter related to Kerberos that restricts me to IPV6 only.)
> So how I interpret what I'm seeing is that the apacheds service is failing to start since
it doesn't have the permission to bind to port 88.  That is correct since my user account
"apacheds" is not a sudo user. But why is the LDAP server trying to use port 88 instead of
port 60088 as it's configured? I've looked all around to see if I can find a reference to
port 88, and all I find is 60088.
> If I disable the Kerberos server from the ApacheDS service, the LDAP service starts
up fine.
> My suspicion is that the LDAP service is hard wired to try to bind to port 88, regardless
of configuration.
> Here's one more interesting thing.  The documentation you see above is from the service starting
up as a system daemon.  So what errors do I get if I now manually try to start the apacheds
service?  This time the kerberos service is already running; will that make a difference?
From a shell, I execute:
>  /opt/apacheds-2.0.0.AM25/bin/apacheds start default
> Password: 
> Starting ApacheDS - default...
> The result is that I still connect to the ldap service, and both apacheds.log and wrapper.log
show the same result:
> java.io.IOException: Error while binding on /0.0.0.0:88
> original message : Permission denied
> If I then do:
> netstat -tulpn
> I see that there is a LISTENer for all my configured kerberos ports, but no listener
for the ldap service port.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
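The diagnosis in the report (a non-root service user gets "Permission denied" on a privileged port, and that port is not one of the configured ones, so a built-in default such as the KDC's 88 is winning over the configuration) can be turned into a small log check. The code below is an added example, not part of the Jira issue or of the ApacheDS code base; the log lines and the configured port set are constructed to resemble the ones quoted in the issue, and the function names are hypothetical.

```python
import re

# Ports below this need root or CAP_NET_BIND_SERVICE on Linux.
PRIVILEGED_PORT_LIMIT = 1024

# Matches lines like: java.io.IOException: Error while binding on /0.0.0.0:88
BIND_ERROR_RE = re.compile(r"Error while binding on /(?P<host>[^:\s]+):(?P<port>\d+)")

# Constructed sample resembling the two lines quoted from apacheds.log.
SAMPLE_LOG = """\
java.io.IOException: Error while binding on /0.0.0.0:88
original message : Permission denied
"""

def diagnose_bind_failures(log_text, configured_ports, runs_as_root=False):
    """Return one finding per 'Error while binding' line in log_text.

    configured_ports: the ports the administrator configured (e.g. 10389,
    10636, 60088, 60464). A finding records the failed port, the cause
    reported on the following 'original message' line, whether the port is
    privileged, and whether it is one the administrator actually configured.
    """
    findings = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = BIND_ERROR_RE.search(line)
        if not m:
            continue
        port = int(m.group("port"))
        cause = ""
        if i + 1 < len(lines) and lines[i + 1].startswith("original message"):
            cause = lines[i + 1].split(":", 1)[1].strip()
        privileged = port < PRIVILEGED_PORT_LIMIT
        findings.append({
            "port": port, "cause": cause, "privileged": privileged,
            "configured": port in configured_ports,
            "permission_issue": privileged and not runs_as_root and cause == "Permission denied",
        })
    return findings

def explain(finding):
    """One-line explanation of a finding for the administrator."""
    if finding["permission_issue"] and not finding["configured"]:
        return (f"port {finding['port']} is privileged and not in the configured set; "
                "a built-in default is being used instead of the configured port")
    if finding["permission_issue"]:
        return f"port {finding['port']} is privileged; the service user cannot bind it"
    if not finding["configured"]:
        return f"port {finding['port']} is not a configured port"
    return f"bind to port {finding['port']} failed: {finding['cause'] or 'unknown cause'}"

if __name__ == "__main__":
    for f in diagnose_bind_failures(SAMPLE_LOG, {10389, 10636, 60088, 60464}):
        print(explain(f))
```

Run against the real apacheds.log or wrapper.log, the same check separates a plain privileged-port problem (fix the service user or capabilities) from the case in this report, where the failing port is not in the configuration at all.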

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org

