[Freeipa-users] Unable to start the krb5kdc

James Roman james.roman at ssaihq.com
Fri Jan 28 14:20:37 UTC 2011


On 1/28/11 8:28 AM, Simo Sorce wrote:
> On Thu, 27 Jan 2011 19:20:02 -0500
> James Roman<james.roman at ssaihq.com>  wrote:
>
>> On 1/27/11 12:58 PM, Simo Sorce wrote:
>>> On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
>>>> So it looks like the replication password issue was a red herring
>>>> as far as the kerberos is concerned. I issued the command
>>>> "ipa-replica-manage synch ipaserver1.domain.com" from the working
>>>> ldap replica and no longer get password expiration errors in the
>>>> error logs. However, I still can not get the krb5kdc process on
>>>> ipaserver1 to start when it uses the local (ldap://127.0.0.1/)
>>>> LDAP database. If I perform an LDAP search of the kdc account
>>>> using the Directory Manager account, both kdc entries are
>>>> identical, so it does not seem to be the password for the KDC
>>>> account that is preventing the krb5kdc service from starting.
>>>> Could it be the service or host principals? Should I init from
>>>> ipaserver2 ->   ipaserver1 (Note: ipaserver1 is the winsync server)?
>>>>
>>>> ipaserver1:
>>>> FC 11
>>>> ipa-server-1.2.2-2.fc11.i586
>>>>
>>>> ipaserver2:
>>>> FC10
>>>> ipa-server-1.2.2-1.fc10.i386
>>> I am surprised you get back INVALID CREDENTIALS as an error when
>>> the KDC tries to log in using the data in ldappwd, given it works
>>> against the other server ...
>>>
>>> If you search with directory manager the accounts on both servers,
>>> do you get back an identical userPassword field ?
>>>
>>> Simo.
>>>
>> Yes, when I check the passwords are also identical.
> Odd.
> Have you ever played with DS password policies by chance ?
>
> Can you search explicitly for the passwordExpirationTime on both
> uid=kdc accounts and see if it is set by chance ?
> You need to search explicitly for the attribute as it is not returned
> by default.
>
> Simo.
>
OK. Now I feel like an idiot. I swear that was the first thing I 
checked. It seems the password policy on this server was set at the 
base, instead of cn=users. We have a script that reports on expiring 
accounts in the cn=accounts branch, but not under cn=etc. I now know 
what to fix. Thanks.
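As an added example, not code from the thread or from FreeIPA itself: a small offline report that reads the LDIF output of an explicit ldapsearch for passwordExpirationTime and flags expired or soon-expiring entries under cn=etc as well as cn=accounts, since a password policy applied at the suffix also covers the KDC's system account. The suffix dc=example,dc=com, the DNs and the dates are constructed; the uid=kdc,cn=sysaccounts,cn=etc location is assumed from the FreeIPA 1.x layout, so adjust to your own tree.

```python
from datetime import datetime, timedelta

SUFFIX = "dc=example,dc=com"  # constructed; replace with your own base DN

# Constructed sample of what `ldapsearch -LLL ... passwordExpirationTime`
# returns. The attribute is operational in 389-ds, so it must be requested
# by name or it is not returned at all.
SAMPLE_LDIF = """\
dn: uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com
passwordExpirationTime: 20110115000000Z

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
passwordExpirationTime: 20110320000000Z

dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for plain (non-base64) LDIF, unfolding
    RFC 2849 continuation lines (a leading space joins to the previous line)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = value
            entries.setdefault(current, {})
        elif current is not None:
            entries[current].setdefault(attr, []).append(value)
    return entries


def parse_generalized_time(value):
    """389-ds stores passwordExpirationTime as GeneralizedTime, e.g. 20110115000000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")


def expiring_entries(ldif_text, now, within_days=30,
                     containers=("cn=accounts", "cn=etc"), suffix=SUFFIX):
    """List (dn, status, expiry) for entries under the given containers whose
    password is already expired or expires within `within_days`.
    Including cn=etc is the point: a policy set at the suffix also applies to
    sysaccounts such as uid=kdc, which a cn=accounts-only report never sees."""
    results = []
    for dn, attrs in parse_ldif(ldif_text).items():
        if not any(dn.lower().endswith(f",{c},{suffix}".lower()) for c in containers):
            continue
        for raw in attrs.get("passwordExpirationTime", []):
            expiry = parse_generalized_time(raw)
            if expiry <= now:
                results.append((dn, "expired", expiry))
            elif expiry - now <= timedelta(days=within_days):
                results.append((dn, "expiring", expiry))
    return sorted(results, key=lambda r: r[2])


if __name__ == "__main__":
    for dn, status, expiry in expiring_entries(SAMPLE_LDIF, datetime.now()):
        print(f"{status:8} {expiry:%Y-%m-%d} {dn}")
```

On a live server the input would come from something like `ldapsearch -x -LLL -D "cn=Directory Manager" -W -b "$SUFFIX" "(objectClass=*)" passwordExpirationTime`; naming the attribute explicitly is what makes it appear in the output. The report deliberately keys on the container under the suffix rather than on objectClass, so a policy applied at the base that quietly catches cn=etc shows up in the same run as the user accounts.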
