[Freeipa-users] Unable to start the krb5kdc

Simo Sorce ssorce at redhat.com
Tue Jan 25 21:51:27 UTC 2011


On Tue, 25 Jan 2011 15:58:35 -0500
James Roman <james.roman at ssaihq.com> wrote:

> On 1/25/11 2:44 PM, Simo Sorce wrote:
> > On Tue, 25 Jan 2011 14:33:14 -0500
> > James Roman<james.roman at ssaihq.com>  wrote:
> >
> >> On 01/25/2011 12:42 PM, Simo Sorce wrote:
> >>> On Tue, 25 Jan 2011 12:04:25 -0500
> >>> James Roman<james.roman at ssaihq.com>   wrote:
> >>>
> >>>> I noticed today that one of our FreeIPA 1.2.2 servers has stopped
> >>>> issuing tickets. When I attempt to restart all the IPA services
> >>>> the krb5kdc service failed to restart with the following error:
> >>>>
> >>>> krb5kdc: Unable to access Kerberos database - while initializing
> >>>> database for realm DOMAIN.COM
> >>>>
> >>>> I don't see any issues with the local LDAP database, or the kdc
> >>>> account in the LDAP database. I suspect the problem is with the
> >>>> ticket granting ticket on the problem server, but am unsure how
> >>>> to go about validating this assertion. I have not tried to
> >>>> restart the ipa services on the working server for fear that it
> >>>> might stop working.
> >>> Do you see errors in /var/log/krb5kdc.log ?
> >>>
> >>> Simo.
> >>>
> >> The error above is the only one that repeats in the krb5kdc.log
> >> when I attempt to restart the krb5kdc service. The actual error
> >> that is shown in standard out is:
> >>
> >> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm
> >> DOMAIN.COM
> >> - see log file for details
> > Ok can you check the dirsrv logs and see if the KDC is actually
> > trying (and perhaps getting auth refused) at all ?
> >
> > /var/log/dirsrv/slapd-DOMAIN-COM/access should show your KDC
> > attempts to access the LDAP server and bind as the uid=kdc.....
> > user.
> >
> > Simo.
> >
> Looks like an authentication failure:
> 
> [25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
> [25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
> [25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
> 
> The ldappwd file on both systems looks identical. I don't think that
> the SSL certificate comes into the equation, but I have no way of
> knowing whether it initiates TLS or not.

No, in ipa 1.2.x the kdc is configured to use ldap://127.0.0.1 with no
auth.

I wonder if your local DS is having problems.

Can you change krb5.conf to point to the other server (maybe using
ldaps:// so as to not expose the password in the clear) and see if the
krb5kdc will start that way?

Don't use this in production, just as a test to identify where the
problem lies.

If it turns out it is the local DS that is having issues, then we can
try to force sync it again.

Ah, btw, on what distribution version is this? What 389-ds base version
are you using?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
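A small checker for the access-log lookup discussed in this thread, added here as an example and not part of the list post or of FreeIPA: it pairs each BIND with its RESULT by conn/op in 389-ds access-log format and reports the binds that were refused. The log lines are constructed to mirror the excerpt above, and err=49 is the LDAP invalidCredentials result code.

```python
import re
from collections import defaultdict

# Constructed sample in 389-ds access-log format, modelled on the excerpt
# in the thread (not a real capture). conn=391 is the refused uid=kdc bind;
# conn=392 succeeds; conn=393 is an anonymous bind, which is what the
# 1.2.x KDC is said to use against ldap://127.0.0.1.
SAMPLE_LOG = """\
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
[25/Jan/2011:15:12:01 -0500] conn=392 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:12:01 -0500] conn=392 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[25/Jan/2011:15:12:05 -0500] conn=393 op=0 BIND dn="" method=128 version=3
[25/Jan/2011:15:12:05 -0500] conn=393 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)')

def failed_binds(log_text):
    """Return (timestamp, dn, err) for every BIND whose matching RESULT is non-zero.

    BIND and RESULT are separate log lines joined by the (conn, op) pair, so
    the BIND is held until its RESULT arrives. An empty dn is an anonymous bind.
    """
    pending = {}
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            pending[(m['conn'], m['op'])] = (m['ts'], m['dn'])
            continue
        m = RESULT_RE.match(line)
        if m and (m['conn'], m['op']) in pending:
            ts, dn = pending.pop((m['conn'], m['op']))
            err = int(m['err'])
            if err != 0:  # err=49 is invalidCredentials, the case in the thread
                failures.append((ts, dn or '<anonymous>', err))
    return failures

def summarize(log_text):
    """Count refused binds per (dn, err), e.g. to confirm only uid=kdc is refused."""
    counts = defaultdict(int)
    for _, dn, err in failed_binds(log_text):
        counts[(dn, err)] += 1
    return dict(counts)

if __name__ == "__main__":
    for ts, dn, err in failed_binds(SAMPLE_LOG):
        print(f"{ts}: bind as {dn} refused, err={err}")
```

Run it against the real /var/log/dirsrv/slapd-DOMAIN-COM/access to see which DN the KDC is actually binding as; an anonymous bind being refused points at the local DS rather than at the kdc password.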