My application needs to securely mount an Isilon share using CIFS and Kerberos. My mount attempt returns: Required key not available:
mount -t cifs //fileserver.example.com/client123/files
/mnt/client123/files -o username=acoder,password=XXXXXX,sec=krb5
Response:
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Here are corresponding entries from /var/log/messages
Sep 16 16:33:49 clientbox kernel: CIFS VFS: Send error in SessSetup = -126
Sep 16 16:33:49 clientbox kernel: CIFS VFS: cifs_mount failed w/return code = -126
Background & Config
I added a keytab using:
/usr/bin/ktutil
addent -password -p acoder#EXAMPLE.COM -k 1 -e rc4-hmac
addent -password -p acoder#EXAMPLE.COM -k 1 -e aes256-cts
wkt /etc/krb5.keytab
Checked with klist -kte:
[acoder#clientbox]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 09/16/15 16:24:32 acoder#EXAMPLE.COM (arcfour-hmac)
1 09/16/15 16:25:46 acoder#EXAMPLE.COM (aes256-cts-hmac-sha1-96)
Here's request-key.conf:
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create user debug:* negate /bin/keyctl negate %k 30 %S
create user debug:loop:* * |/bin/cat
create user debug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate * * * /bin/keyctl negate %k 30 %S
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
Ticket cache:
# klist | grep "Ticket cache:"
Ticket cache: FILE:/tmp/krb5cc_0
What could be causing the "Required key not available" error?
EDIT:
I enabled debugging in CIFS, and attempted to mount the share again. Here's that output:
fs/cifs/cifsfs.c: Devname: //fileserver.example.com/client123/files flags: 0
fs/cifs/connect.c: prefix path /files
fs/cifs/connect.c: Username: acoder
fs/cifs/connect.c: file mode: 0x1ed dir mode: 0x1ed
fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 8 with uid: 0
fs/cifs/connect.c: UNC: \\fileserver.example.com/client123/files ip: 1.2.3.4
fs/cifs/connect.c: Socket created
fs/cifs/connect.c: sndbuf 19800 rcvbuf 87380 rcvtimeo 0x1b58
fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 9 with uid: 0
fs/cifs/connect.c: Demultiplex PID: 22937
fs/cifs/connect.c: Existing smb sess not found
fs/cifs/cifssmb.c: secFlags 0x9
fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
fs/cifs/transport.c: For smb_command 114
fs/cifs/transport.c: Sending smb: smb_len=78
fs/cifs/connect.c: RFC1002 header 0xbc
fs/cifs/transport.c: cifs_sync_mid_result: cmd=114 mid=1 state=4
fs/cifs/cifssmb.c: Dialect: 2
fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
fs/cifs/asn1.c: OID len = 6 oid = 0x1 0x3 0x5 0x1
fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
fs/cifs/asn1.c: Need to call asn1_octets_decode() function for not_defined_in_RFC4178#please_ignore
fs/cifs/cifssmb.c: negprot rc 0
fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8000e2fc TimeAdjust: 0
fs/cifs/sess.c: sess setup type 4
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=fileserver.example.com;ip4=1.2.3.4;sec=krb5;uid=0x0;creduid=0x0;user=acoder;pid=0xXXXXX
fs/cifs/sess.c: ssetup freeing small buf ffff8804359b02701
CIFS VFS: Send error in SessSetup = -126
fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 9) rc = -126
fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 8) rc = -126
CIFS VFS: cifs_mount failed w/return code = -126
"Required key not available" means that cifs.upcall — run by the kernel in response to the mount request — was not able to get a Kerberos ticket for the CIFS server and from that generate the key needed for authenticating to the server (it would go in the kernel keyring of the client thread). cifs.upcall logs to daemon.debug; check those messages first. Usually that’s /var/log/daemon, but you may need to adjust your syslog configuration to include debug-level messages. On my system these look like so:
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] key description: cifs.spnego;0;0;3f000000;ver=0x2;host=server.example.com;ip4=10.12.0.6;sec=krb5;uid=0x0;creduid=0x2cec;user=res;pid=0x1997
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] ver=2
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] host=server.example.com
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] ip=10.12.0.6
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] sec=1
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] uid=0
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] creduid=11500
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] user=res
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] pid=6551
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] find_krb5_cc: considering /tmp/krb5cc_5601
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] find_krb5_cc: /tmp/krb5cc_5601 is owned by 5601, not 11500
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] find_krb5_cc: considering /tmp/krb5cc_5702
...
Ordinarily you’d use a mount command like this:
$ sudo mount -t cifs -o user=acoder,cruid=acoder,sec=krb5 ...
The cruid parameter tells cifs.upcall on behalf of which account this mount is occurring. It will look for Kerberos credential caches (“ccaches”) owned by this account (/tmp/krb5cc_*) first, to see if that account is logged in and has current credentials (e.g. if it’s a person and they’ve done kinit); you can see this in action in the log above where it is “considering” various ccaches. If that fails, it tries to kinit with a keytab. Earlier versions just use the system default keytab, which means the client principal’s keys must go there (usually /etc/krb5.keytab). Later versions have a -K flag you can use to deploy per-user keytabs for this, obviously better on a multi-user system. Note that you don’t need the password in the mount command; the keytab provides that information.
A separate thing to check, is that the Kerberos configuration on the client allows getting a CIFS ticket for the server to succeed at all. E.g.:
$ kinit acoder#EXAMPLE.COM
... type your password
$ klist
... see your TGT
$ kvno cifs/fileserver.example.com#EXAMPLE.COM
$ klist
... see CIFS ticket
Anyway there are many variables; start with the cifs.upcall debug log and let’s go from there.
(Note that the first answer is confused and wrong; you should ignore it. There is no need to join the client host to the realm, and its host principal is irrelevant here.)
Assuming that you've posted the full content from your krb5.keytab, it seems to be missing the host's key. In order to get a successful authentication on behalf of a user, your server needs both a user and a service ticket. The easiest way would be to join the server to the domain through sssd/samba (which would fill up your keytab with , and then add the user to the same keytab.
Anyway, there are many ways to do that, but you must ensure that your keytab (or keytabs) have both keys, so that it can get both tickets.
Related
I´m trying to implement the TLS server feature available with pgBackRest to use a secure connection between the DB server and the repo server, replacing the previous SSH passwordless setup (that was working fine).
After following the online documentation, I´m having the following error when issuing the stanza-create command :
pgbackrest#pgb-repo$ pgbackrest --stanza=training --log-level-console=info stanza-create
2022-06-13 12:56:55.677 P00 INFO: stanza-create command begin 2.39: --buffer-size=16MB --exec-id=8994-62e5ecac --log-level-console=info --log-level-file=info --pg1-host=pg1-primary --pg1-host-ca-file=/etc/pgbackrest/cert/ca.crt --pg1-host-cert-file=/etc/pgbackrest/cert/pg1-primary.crt --pg1-host-key-file=/etc/pgbackrest/cert/pg1-primary.key --pg1-host-type=tls --pg1-host-user=postgres --pg1-path=/data/postgres/13/pg_data --repo1-path=/backup/pgbackrest --stanza=training
WARN: unable to check pg1: [HostConnectError] unable to connect to 'pg1-primary:8432': [113] No route to host
ERROR: [056]: unable to find primary cluster - cannot proceed
HINT: are all available clusters in recovery?
2022-06-13 12:58:55.835 P00 INFO: stanza-create command end: aborted with exception [056]
The PostgreSQL server is up and running on the the DB host:
[postgres#pg1-primary ~]$ psql -c "SELECT pg_is_in_recovery();"
pg_is_in_recovery
-------------------
f
(1 row)
Question
Why am I having this [113] No route to host error ?
Configuration for each server :
pg1-primary
[postgres#pg1-primary ~]$ cat /etc/pgbackrest/pgbackrest.conf
[global]
repo1-path=/backup/pgbackrest
repo1-host-ca-file=/etc/pgbackrest/cert/ca.crt
repo1-host-cert-file=/etc/pgbackrest/cert/pgb-repo.crt
repo1-host-key-file=/etc/pgbackrest/cert/pgb-repo.key
repo1-host-type=tls
tls-server-address=*
tls-server-auth=pgb-repo=training
tls-server-ca-file=/etc/pgbackrest/cert/ca.crt
tls-server-cert-file=/etc/pgbackrest/cert/pg1-primary.crt
tls-server-key-file=/etc/pgbackrest/cert/pg1-primary.key
[postgres#pg1-primary ~]$ cat /etc/pgbackrest/conf.d/training.conf
[training]
pg1-path=/data/postgres/13/pg_data
pg1-socket-path=/tmp
repo1-host=pgb-repo
repo1-host-user=pgbackrest
[postgres#pg1-primary ~]$ ll /etc/pgbackrest/cert/
total 20
-rw-------. 1 postgres postgres 1090 Jun 13 12:12 ca.crt
-rw-------. 1 postgres postgres 977 Jun 13 12:12 pg1-primary.crt
-rw-------. 1 postgres postgres 1708 Jun 13 12:12 pg1-primary.key
-rw-------. 1 postgres postgres 977 Jun 13 12:23 pgb-repo.crt
-rw-------. 1 postgres postgres 1704 Jun 13 12:23 pgb-repo.key
pgb-repo
pgbackrest#pgb-repo$ cat /etc/pgbackrest/pgbackrest.conf
[global]
repo1-path=/backup/pgbackrest
tls-server-address=*
tls-server-auth=pg1-primary=training
tls-server-ca-file=/etc/pgbackrest/cert/ca.crt
tls-server-cert-file=/etc/pgbackrest/cert/pgb-repo.crt
tls-server-key-file=/etc/pgbackrest/cert/pgb-repo.key
pgbackrest#pgb-repo$ cat /etc/pgbackrest/conf.d/training.conf
[training]
pg1-host=pg1-primary
pg1-host-user=postgres
pg1-path=/data/postgres/13/pg_data
pg1-host-ca-file=/etc/pgbackrest/cert/ca.crt
pg1-host-cert-file=/etc/pgbackrest/cert/pg1-primary.crt
pg1-host-key-file=/etc/pgbackrest/cert/pg1-primary.key
pg1-host-type=tls
pgbackrest#pgb-repo$ ll /etc/pgbackrest/cert/
total 20
-rw-------. 1 pgbackrest pgbackrest 1090 Jun 13 12:27 ca.crt
-rw-------. 1 pgbackrest pgbackrest 977 Jun 13 12:27 pg1-primary.crt
-rw-------. 1 pgbackrest pgbackrest 1708 Jun 13 12:27 pg1-primary.key
-rw-------. 1 pgbackrest pgbackrest 977 Jun 13 12:27 pgb-repo.crt
-rw-------. 1 pgbackrest pgbackrest 1704 Jun 13 12:27 pgb-repo.key
The servers are reachable from one another:
[postgres#pg1-primary ~]$ ping pgb-repo
PING pgb-repo.xxxx.com (XXX.XX.XXX.117) 56(84) bytes of data.
64 bytes from pgb-repo.xxxx.com (XXX.XX.XXX.117): icmp_seq=1 ttl=64 time=0.365 ms
64 bytes from pgb-repo.xxxx.com (XXX.XX.XXX.117): icmp_seq=2 ttl=64 time=0.421 ms
pgbackrest#pgb-repo$ ping pg1-primary
PING pg1-primary.xxxx.com (XXX.XX.XXX.116) 56(84) bytes of data.
64 bytes from pg1-primary.xxxx.com (XXX.XX.XXX.116): icmp_seq=1 ttl=64 time=0.325 ms
64 bytes from pg1-primary.xxxx.com (XXX.XX.XXX.116): icmp_seq=2 ttl=64 time=0.298 ms
So actually the issue had to do with the firewall preventing access to the default TLS port (8432) used by pgBackRest.
[root#pgb-server ~]# firewall-cmd --zone=public --add-port=8432/tcp --permanent
[root#pgb-server ~]# firewall-cmd --reload
Once the port was accessible through the firewall I could issue a telnet command successfully (for testing access) - and of course run my pgBackRest commands too.
[pgbackrest#pgb-server]$ telnet pg1-server 8432
Trying 172.XX.XXX.XXX...
Connected to pg1-server.
Escape character is '^]'.
On Linux using IBM MQ V9.2.0 I have seen the following error
EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the location configured for the key repository,
(b) the key database file exists in the correct place but that no password stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is running does not have permission to read them,
(d) one or both of the files are corrupt.
I did all the things mentioned in IBM docs but I am not able to resolve.
The SSLKEYR value is /var/mqm/qmgrs/QMGRname/ssl/key
-rwxrwxr-x. 1 mqm mqm 80 Apr 21 14:31 key.rdb
-rwxrwxr-x. 1 mqm mqm 193 Apr 21 14:32 key.sth
-rwxrwxr-x. 1 mqm mqm 15K Apr 21 14:44 key.kdb
(mq:9.2.0.0)root#22955896bc26:/var/mqm/qmgrs/qmgr/ssl# runmqakm -cert -list -db /var/mqm/qmgrs/qmgr/ssl/key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "mns non-prod root ca"
! "mns plc sub ca cate"
- ibmwebspheremqqmgr
(mq:9.2.0.0)root#22955896bc26:/var/mqm/qmgrs/qmgr/ssl# runmqakm -cert -list -db /var/mqm/qmgrs/qmgr/ssl/key.kdb -stashed
CTGSK3026W The key file "/var/mqm/qmgrs/qmgr/ssl/key.kdb" does not exist or cannot be read.
CTGSK2101W The key database does not exist.
-Command usage-
-list Required <all | personal | ca>
-db | -crypto Required
-tokenlabel Required if -crypto present
-pw | -stashed Optional
-type Optional <cms | kdb | pkcs12 | p12>
-secondarydb Optional if -crypto present
-secondarydbpw Optional if -secondarydb present
-secondarydbtype Optional if -secondarydb present
-expiry Optional
-rfc3339 Optional
-v Optional
$ runmqakm -cert -list -db /var/mqm/qmgrs/qmgr/ssl/key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "mns non-prod root ca"
! "mns plc sub ca cate"
- ibmwebspheremqqmgr
1 : DIS QMGR SSLKEYR CERTLABL
AMQ8408I: Display Queue Manager details.
QMNAME(qmgr) CERTLABL(ibmwebspheremqqmgr)
SSLKEYR(/VAR/MQM/QMGRS/qmgr/SSL/KEY)
1 : DIS QMGR SSLKEYR CERTLABL
AMQ8408I: Display Queue Manager details.
QMNAME(qmgr) CERTLABL(ibmwebspheremqqmgr)
SSLKEYR(/var/mqm/qmgrs/qmgr/ssl/key)
-rwxrwxr-x. 1 mqm mqm 15088 Apr 28 17:18 /var/mqm/qmgrs/AZMQGW02/ssl/key.kdb
-rwxrwxr-x. 1 mqm mqm 80 Apr 28 17:18 /var/mqm/qmgrs/AZMQGW02/ssl/key.rdb
-rwxrwxr-x. 1 mqm mqm 193 Apr 28 17:19 /var/mqm/qmgrs/AZMQGW02/ssl/key.sth
(mq:9.2.0.0)root#22955896bc26:/var/mqm/qmgrs/AZMQGW02/ssl# su - mqm
No directory, logging in with HOME=/
$ getfacl /var/mqm/qmgrs/AZMQGW02/ssl/key.*
-su: 1: getfacl: not found
Unix is case sensitive, /VAR/MQM/QMGRS/AZMQGW02/SSL/KEY is not the same as /var/mqm/qmgrs/AZMQGW02/ssl/key.
To fix the issue run the following:
printf "ALTER QMGR SSLKEYR('/var/mqm/qmgrs/AZMQGW02/ssl/key')\nREFRESH SECURITY TYPE(SSL)\n" | runmqsc AZMQGW02
Note that with MQSC commands if you do not surround a string with single quotes it will be folded to UPPER CASE.
I am trying to execute a bash script via a remote workstation via an apache server.
So I've installed Apache and I can execute test scripts just fine.
But what I'd like to do is to execute a script which is sending a key command (via xdotool) to the current X11 session that is running by the user "vfx".
Script "new.sh":
#!/usr/bin/env sh
export DISPLAY=:"0.0"
export XAUTHORITY=/home/vfx/.Xauthority
xdotool key s
When I try to run it on the remote workstation I always get the following: (from httpd error logs)
[Wed Nov 27 21:30:18.610990 2019] [cgi:error] [pid 2317] [client 192.168.0.194:36750] AH01215: Error: Can't open display: (null)
[Wed Nov 27 21:30:18.611051 2019] [cgi:error] [pid 2317] [client 192.168.0.194:36750] AH01215: Failed creating new xdo instance
[Wed Nov 27 21:30:18.611429 2019] [cgi:error] [pid 2317] [client 192.168.0.194:36750] End of script output before headers: new.sh
I am using Gnome classic.
Connecting via ssh using "export DISPLAY=:"0.0"" and "xdotool key s" is working.
I've already tried the following:
Edit visudo:
apache ALL=(vfx) NOPASSWD: /var/wwww/cgi-bin/new.sh
apache ALL=(vfx) NOPASSWD: /home/vfx/
xhost +
Firewall changes:
# firewall-cmd --zone=public --add-port=6000/tcp
# firewall-cmd --permanent --zone=public --add-port=6000/tcp
# firewall-cmd --zone=public --add-port=177/udp
Edited: /etc/gdm/custom.conf:
# GDM configuration storage
[daemon]
[security]
DisallowTCP=false
[xdmcp]
ServerArguments=-listen tcp
Enable=true
[chooser]
[debug]
# Uncomment the line below to turn on debugging
#Enable=true
Edited: /etc/ssh/sshd_config
x11 forwarding yes
Any help would be greatly appreciated
I am trying to create a service file that will allow me to automatically startup my Oracle 12C database and listener automatically on reboot. I have written the service file which contains the following:
# /etc/systemd/system/oracle-rdbms.service
# Invoking Oracle scripts to start/shutdown Instances defined in /etc/oratab
# and starts Listener
[Unit]
Description=Oracle Database(s) and Listener
Requires=network.target
[Service]
Type=forking
Restart=no
ExecStart=/u01/app/oracle/product/12.2.0/dbhome_1/bin/dbstart /u01/app/oracle/product/12.2.0/dbhome_1/
ExecStop=/u01/app/oracle/product/12.2.0/dbhome_1/bin/dbshut /u01/app/oracle/product/12.2.0/dbhome_1/
User=oracle
[Install]
WantedBy=multi-user.target
When I enabled the service and checked the status, I get the following error:
● oracle-rdbms.service - Oracle Database(s) and Listener
Loaded: loaded (/etc/systemd/system/oracle-rdbms.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Mon 2018-10-22 11:45:02 EDT; 1 day 23h ago
Process: 1377 ExecStop=/u01/app/oracle/product/12.2.0/dbhome_1/bin/dbshut /u01/app/oracle/product/12.2.0/dbhome_1 (code=exited, status=0/SUCCESS)
Process: 615 ExecStart=/u01/app/oracle/product/12.2.0/dbhome_1/bin/dbstart /u01/app/oracle/product/12.2.0/dbhome_1 (code=exited, status=0/SUCCESS)
Oct 22 11:45:00 oracle-dev dbstart[615]: /u01/app/oracle/product/12.2.0/dbhome_1/bin/dbstart: line 94: /u01/app/oracle/product/12.2.0/dbhome_1/listener.log: Permission denied
Oct 22 11:45:02 oracle-dev dbstart[615]: touch: cannot touch ‘/u01/app/oracle/product/12.2.0/dbhome_1/startup.log’: Permission denied
Oct 22 11:45:02 oracle-dev dbstart[615]: chmod: changing permissions of ‘/u01/app/oracle/product/12.2.0/dbhome_1/startup.log’: Operation not permitted
Oct 22 11:45:02 oracle-dev dbstart[615]: Processing Database instance "orcl": log file /u01/app/oracle/product/12.2.0/dbhome_1/startup.log
Oct 22 11:45:02 oracle-dev dbstart[615]: /u01/app/oracle/product/12.2.0/dbhome_1/bin/dbstart: line 346: /u01/app/oracle/product/12.2.0/dbhome_1/startup.log: Permission denied
Oct 22 11:45:02 oracle-dev dbshut[1377]: /u01/app/oracle/product/12.2.0/dbhome_1/bin/dbshut: line 63: /u01/app/oracle/product/12.2.0/dbhome_1/listener.log: Permission denied
Oct 22 11:45:02 oracle-dev dbshut[1377]: /u01/app/oracle/product/12.2.0/dbhome_1/bin/dbshut: line 64: /u01/app/oracle/product/12.2.0/dbhome_1/listener.log: Permission denied
Oct 22 11:45:02 oracle-dev dbshut[1377]: Processing Database instance "orcl": log file /u01/app/oracle/product/12.2.0/dbhome_1/shutdown.log
Oct 22 11:45:02 oracle-dev dbshut[1377]: /u01/app/oracle/product/12.2.0/dbhome_1/bin/dbshut: line 160: /u01/app/oracle/product/12.2.0/dbhome_1/shutdown.log: Permission denied
Oct 22 11:45:02 oracle-dev systemd[1]: Started Oracle Database(s) and Listener.
I am logged in as root and am still not sure what the problem is. Thank you
Your startup.log and listerner.log don't have the correct permissions set up. Use the chmod command on those two files to the appropriate permissions and it should work
running fedora 27 here. I'm attempting to run slapd from a fresh openldap install. When I try and run with systemctl start openldap, the daemon fails to start. journalctl gives the following output:
Jun 19 00:30:25 slapd[1325]: #(#) $OpenLDAP: slapd 2.4.45 (Dec 6 2017 14:25:36) $
mockbuild#buildhw-08.phx2.fedoraproject.org:/builddir/build/BUILD/openldap-2.4.45/openldap-2.4.45/servers/slapd
Jun 19 00:30:25 slapd[1326]: mdb_db_open: database "dc=my-domain,dc=com" cannot be opened: Permission denied (13). Restore from backup!
Jun 19 00:30:25 slapd[1326]: backend_startup_one (type=mdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (13)
Jun 19 00:30:25 slapd[1326]: slapd stopped.
Jun 19 00:30:25 audit[1326]: AVC avc: denied { map } for pid=1326 comm="slapd" path="/var/lib/ldap/lock.mdb" dev="xvda1" ino=1716389 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=0
However, if I run the daemon directly with /usr/sbin/slapd -u ldap -d -1 -h "ldap:/// ldaps:/// ldapi:///", the daemon starts with no issue.
My systemctl script is below:
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-hdb
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html
[Service]
Type=forking
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
[Install]
WantedBy=multi-user.target
Alias=openldap.service
I've checked permissions on the ldap config directory and db directory and they seem correct for the ldap user:
[root#localhost operations]# ll /etc/openldap/slapd.d/cn\=config
total 24
drwxr-x---. 2 ldap ldap 4096 Jun 15 23:00 'cn=schema'
-rw-------. 1 ldap ldap 378 Jun 15 23:00 'cn=schema.ldif'
-rw-------. 1 ldap ldap 513 Jun 15 23:00 'olcDatabase={0}config.ldif'
-rw-------. 1 ldap ldap 412 Jun 15 23:00 'olcDatabase={-1}frontend.ldif'
-rw-------. 1 ldap ldap 562 Jun 15 23:00 'olcDatabase={1}monitor.ldif'
-rw-------. 1 ldap ldap 609 Jun 15 23:00 'olcDatabase={2}mdb.ldif'
[root#localhost operations]# ll /var/lib/| grep ldap
drwx------. 2 ldap ldap 4096 Jun 19 00:30 ldap
[root#localhost operations]# ll /var/lib/ldap/
total 0
-rw-------. 1 ldap ldap 8192 Jun 19 00:30 lock.mdb
Any advice would be much appreciated.
It seems you're using back-mdb. Good.
Does your DB directory /var/lib/ldap/ really contain only file lock.mdb?
There should also be a bigger file called data.mdb with the actual data.