[Freeipa-users] Unable to start the krb5kdc

Rich Megginson rmeggins at redhat.com
Tue Jan 25 21:44:06 UTC 2011


On 01/25/2011 01:58 PM, James Roman wrote:
> On 1/25/11 2:44 PM, Simo Sorce wrote:
>> On Tue, 25 Jan 2011 14:33:14 -0500
>> James Roman<james.roman at ssaihq.com>  wrote:
>>
>>> On 01/25/2011 12:42 PM, Simo Sorce wrote:
>>>> On Tue, 25 Jan 2011 12:04:25 -0500
>>>> James Roman<james.roman at ssaihq.com>   wrote:
>>>>
>>>>> I noticed today that one of our FreeIPA 1.2.2 servers has stopped
>>>>> issuing tickets. When I attempt to restart all the IPA services the
>>>>> krb5kdc service failed to restart with the following error:
>>>>>
>>>>> krb5kdc: Unable to access Kerberos database - while initializing
>>>>> database for realm DOMAIN.COM
>>>>>
>>>>> I don't see any issues with the local LDAP database, or the kdc
>>>>> account in the LDAP database. I suspect the problem is with the
>>>>> ticket granting ticket on the problem server, but am unsure how to
>>>>> go about validating this assertion. I have not tried to restart
>>>>> the ipa services on the working server for fear that it might stop
>>>>> working.
>>>> Do you see errors in /var/log/krb5kdc.log ?
>>>>
>>>> Simo.
>>>>
>>> The error above is the only one that repeats in the krb5kdc.log when
>>> I attempt to restart the krb5kdc service. The actual error that is
>>> shown in standard out is:
>>>
>>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm DOMAIN.COM
>>> - see log file for details
>> Ok can you check the dirsrv logs and see if the KDC is actually trying
>> (and perhaps getting auth refused) at all ?
>>
>> /var/log/dirsrv/slapd-DOMAIN-COM/access should show your KDC attempts
>> to access the LDAP server and bind as the uid=kdc..... user.
>>
>> Simo.
>>
> Looks like an authentication failure:
>
> [25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND 
> dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
> [25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 
> nentries=0 etime=0
> [25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
>
> The ldappwd file on both systems look identical. I don't think that 
> the SSL certificate comes into the equation, but I have no way of 
> knowing whether it initiates TLS or not.
You can tell if the connection is using TLS/SSL because when the 
connection is opened you should see a log line that says what cipher 
suite is being used.
You can tell if client cert auth is being used because there will be a 
line for that too.
Look for conn=391 lines before this one.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
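The check Rich describes (find every line for the same conn= id, see whether a cipher-suite line precedes the BIND, and read the RESULT err code for that op) is easy to script. The following is an added example, not code from the thread or from FreeIPA/389-ds: it groups a dirsrv access log by connection id and reports simple binds that were refused. The BIND/RESULT/closed lines in the constructed sample mirror the ones quoted above; the "SSL 256-bit AES" and "SSL client bound as" lines approximate what 389-ds writes after a TLS handshake and after client-cert mapping, and their exact wording is an assumption. err=49 is LDAP invalidCredentials and method=128 is a simple bind.

```python
import re
from collections import defaultdict

# Constructed sample excerpt of /var/log/dirsrv/slapd-DOMAIN-COM/access.
# conn=391 reproduces the refused kdc bind from the thread, preceded by an
# assumed cipher-suite line; conn=392 is a plaintext connection whose bind
# succeeds, so the report has something to contrast against.
SAMPLE_LOG = """\
[25/Jan/2011:15:11:29 -0500] conn=391 fd=73 slot=73 SSL connection from 10.0.0.5 to 10.0.0.1
[25/Jan/2011:15:11:29 -0500] conn=391 SSL 256-bit AES
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
[25/Jan/2011:15:11:30 -0500] conn=392 fd=74 slot=74 connection from 10.0.0.6 to 10.0.0.1
[25/Jan/2011:15:11:30 -0500] conn=392 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:30 -0500] conn=392 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

# LDAP result codes worth naming when reading bind outcomes
LDAP_ERR = {0: "success", 48: "inappropriateAuthentication",
            49: "invalidCredentials", 50: "insufficientAccessRights"}

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^op=(?P<op>-?\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'^op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)')
# Assumed wording of the cipher line 389-ds logs once TLS is negotiated
CIPHER_RE = re.compile(r'^SSL (?P<bits>\d+)-bit (?P<cipher>\S+)')
# Assumed wording of the line logged when a client certificate maps to a DN
CLIENT_CERT_RE = re.compile(r'^SSL client bound as (?P<dn>.+)$')


def new_conn():
    return {"tls": None, "client_cert": None, "binds": {}, "results": {}}


def summarize_connections(log_text):
    """Group access-log lines by conn id, keeping TLS state, binds and results."""
    conns = defaultdict(new_conn)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = conns[int(m.group("conn"))]
        rest = m.group("rest")
        if (cm := CIPHER_RE.match(rest)):
            conn["tls"] = f"{cm.group('bits')}-bit {cm.group('cipher')}"
        elif (cc := CLIENT_CERT_RE.match(rest)):
            conn["client_cert"] = cc.group("dn")
        elif (bm := BIND_RE.match(rest)):
            # remember the DN and method per op so the RESULT can be matched to it
            conn["binds"][int(bm.group("op"))] = (bm.group("dn"), int(bm.group("method")))
        elif (rm := RESULT_RE.match(rest)):
            conn["results"][int(rm.group("op"))] = int(rm.group("err"))
    return dict(conns)


def failed_binds(conns, err=49):
    """Return (conn, dn, method, tls, client_cert) for binds whose RESULT had the given err."""
    out = []
    for cid in sorted(conns):
        c = conns[cid]
        for op, (dn, method) in sorted(c["binds"].items()):
            if c["results"].get(op) == err:
                out.append((cid, dn, method, c["tls"], c["client_cert"]))
    return out


def report(log_text):
    conns = summarize_connections(log_text)
    for cid, dn, method, tls, cert in failed_binds(conns):
        bind_kind = "simple" if method == 128 else f"method={method}"
        print(f"conn={cid} {bind_kind} bind as {dn} refused "
              f"({LDAP_ERR.get(49)}); tls={tls or 'none'}; client_cert={cert or 'none'}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against the real access log (`report(open(path).read())`) to see, for each refused bind, whether the connection was protected by TLS and whether a client certificate was involved; a refused simple bind over a TLS connection, as in conn=391 above, points at the stored kdc password rather than at the certificate.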
