[Freeipa-users] What happened to my {cacert,kdc}.pem files?

Rob Crittenden rcritten at redhat.com
Tue Jul 9 15:31:11 UTC 2013


Brian Vetter wrote:
> We had to shut down our FREEIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of various forms of the following messages when trying to start the ipa, named, and other services:

What do you mean by move it? Physically move a machine or did you try to 
move the configuration?

rob


> "Failed to init credentials (Cannot contact any KDC for realm ..."
> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
> "startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
> "krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
> "kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials"
>
> From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,
>
> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>
> If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) "yum reinstall freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to fix this. They didn't. Still get the same errors.
>
> Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there any way to extract some of the records from the dir DB so I can reload them with a new server?
>
> Thanks for any suggestions/guidance,
>
> Brian
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
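An added pre-flight check, written for this page and not part of the thread or of FreeIPA itself: it reads the two things the quoted errors point at, the FILE: paths named by pkinit_identity/pkinit_anchors in kdc.conf and the passwordStorageScheme declared under cn=config in a 389-ds dse.ldif, and reports what is missing before any service is restarted. The kdc.conf lines are the ones quoted above; the dse.ldif fragments, the plugin DN cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config and the nsslapd-pluginEnabled attribute are constructed samples reflecting how 389-ds normally writes them and should be checked against the real file.

```python
"""Added pre-flight check (not part of the thread): confirm that the files
named by pkinit_identity / pkinit_anchors in kdc.conf exist, and that dse.ldif
still declares (and enables) the password storage scheme 389-ds complains about.
Sample contents below are constructed from the messages quoted above."""
import os
import re

# Constructed sample: the two kdc.conf lines quoted in the mail, inside a realm stanza.
SAMPLE_KDC_CONF = """\
[realms]
 TESTREALM.COM = {
  master_key_type = aes256-cts
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 }
"""

# Constructed dse.ldif fragments; DN and attribute names as 389-ds usually
# writes them (assumption: verify against the real file).
HEALTHY_DSE = """\
dn: cn=config
cn: config
passwordStorageScheme: SSHA
nsslapd-rootpwstoragescheme: SSHA

dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: SSHA
nsslapd-pluginEnabled: on
"""

BROKEN_DSE = """\
dn: cn=config
cn: config
passwordStorageScheme: SSHA
"""


def pkinit_paths_from_kdc_conf(text):
    """Return the filesystem paths referenced by FILE: values of pkinit_identity
    and pkinit_anchors. pkinit_identity may be FILE:cert[,key], so the
    comma-separated remainder after FILE: is also a path."""
    paths = []
    for raw in text.splitlines():
        m = re.match(r"\s*(pkinit_identity|pkinit_anchors)\s*=\s*(\S+)", raw)
        if not m:
            continue
        value = m.group(2)
        if value.startswith("FILE:"):
            paths.extend(p for p in value[len("FILE:"):].split(",") if p)
    return paths


def missing_pkinit_files(text, exists=os.path.exists):
    """Subset of the pkinit paths that do not exist; `exists` is injectable for testing."""
    return [p for p in pkinit_paths_from_kdc_conf(text) if not exists(p)]


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, splits entries on blank
    lines, returns {dn.lower(): {attr.lower(): [values]}}. Base64 (::) values
    are kept raw, which is enough for the cn=config attributes checked here."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif not raw.startswith("#"):
            unfolded.append(raw)
    entries, block = {}, []
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.strip():
            block.append(line)
            continue
        dn, attrs = None, {}
        for item in block:
            key, sep, val = item.partition(":")
            if not sep:
                continue
            key, val = key.lower(), val.lstrip()
            if key == "dn":
                dn = val.lower()
            else:
                attrs.setdefault(key, []).append(val)
        if dn is not None:
            entries[dn] = attrs
        block = []
    return entries


def check_password_scheme(ldif_text):
    """Return (scheme, plugin_entry_present, plugin_enabled) for the default
    passwordStorageScheme declared under cn=config."""
    entries = parse_ldif(ldif_text)
    scheme = entries.get("cn=config", {}).get("passwordstoragescheme", [None])[0]
    if scheme is None:
        return None, False, False
    plugin_dn = f"cn={scheme},cn=password storage schemes,cn=plugins,cn=config".lower()
    plugin = entries.get(plugin_dn)
    enabled = plugin is not None and plugin.get("nsslapd-pluginenabled", [""])[0].lower() == "on"
    return scheme, plugin is not None, enabled


if __name__ == "__main__":
    # Run against the paths named in the mail; a missing file is reported, not fatal.
    kdc_conf = "/var/kerberos/krb5kdc/kdc.conf"
    dse = "/etc/dirsrv/slapd-TESTREALM.COM/dse.ldif"   # instance name from the error text
    if os.path.exists(kdc_conf):
        with open(kdc_conf) as fh:
            for p in missing_pkinit_files(fh.read()):
                print(f"kdc.conf references missing file: {p}")
    else:
        print(f"{kdc_conf}: not found, skipping")
    if os.path.exists(dse):
        with open(dse) as fh:
            print("dse.ldif (scheme, plugin present, enabled):", check_password_scheme(fh.read()))
    else:
        print(f"{dse}: not found, skipping")
```

Run it as root on the affected host before touching the services; a pkinit path listed as missing matches the kdc.pem/cacert.pem symptom in the mail, and a scheme reported with plugin present but not enabled (or absent) matches the SSHA dse.ldif error. The check reads files only and changes nothing.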
