[Freeipa-users] /var/kerberos/krb5kdc/principal missing

Patrick Hemmer freeipa at stormcloud9.net
Tue Apr 8 17:40:01 UTC 2014


This is what the non-functional version looked like:
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CLOUD.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 CLIFF.CLOUDBURRITO.COM = {
  kdc = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:88
  master_kdc = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:88
  admin_server = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:749
  default_domain = cliff.cloudburrito.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

 CLOUD.COM = {
  kdc = i-6775b715.ipa-server.us-east-1.cloud.com
  kdc = i-32e87151.ipa-server.us-east-1.cloud.com
  admin_server = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:749
 }

[domain_realm]
 .cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM
 cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM

 cloud.com = CLOUD.COM
 .cloud.com = CLOUD.COM
[dbmodules]
  CLIFF.CLOUDBURRITO.COM = {
    db_library = ipadb.so
  }

This is what I did to fix it:
--- /etc/krb5.conf.orig    2014-04-08 12:33:01.376525373 -0400
+++ /etc/krb5.conf    2014-04-08 12:33:33.214975855 -0400
@@ -6,7 +6,7 @@
  admin_server = FILE:/var/log/kadmind.log
 
 [libdefaults]
- default_realm = CLOUD.COM
+ default_realm = CLIFF.CLOUDBURRITO.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
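Review bot: the new default_realm = CLIFF.CLOUDBURRITO.COM line carries no comment saying why it has to be this realm, and per this thread the value was rewritten once already without anyone editing the file by hand. A comment line above it stating that default_realm must stay the realm that has the [dbmodules] entry with db_library = ipadb.so would make a repeat of that rewrite easy to spot in a config diff.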
@@ -22,18 +22,10 @@
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
 
- CLOUD.COM = {
-  kdc = i-6775b715.ipa-server.us-east-1.cloud.com
-  kdc = i-32e87151.ipa-server.us-east-1.cloud.com
-  admin_server = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:749
- }
-
 [domain_realm]
  .cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM
  cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM
 
- cloud.com = CLOUD.COM
- .cloud.com = CLOUD.COM
 [dbmodules]
   CLIFF.CLOUDBURRITO.COM = {
     db_library = ipadb.so
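Review bot: the removed CLOUD.COM block under [realms] and the two cloud.com lines under [domain_realm] take that realm out of this file only, while the includedir /var/lib/sss/pubconf/krb5.include.d/ line at the top of the file is untouched. Confirm that no snippet in that directory defines CLOUD.COM again, and record where the deleted lines came from: the removed admin_server entry points at the cliff.cloudburrito.com host on port 749, which is worth noting before the evidence is gone.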

-Patrick
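
A consistency check for the failure diagnosed in this thread, as an added example that is not part of the original post or of FreeIPA: it flags a krb5.conf whose default_realm has no [dbmodules] entry, the state in which kadmind falls back to the file-based database path seen in the strace. The names parse_krb5 and check_kdc_realm are hypothetical, the sample is a trimmed, constructed copy of the non-functional file above, and expected_realm stands for the realm recorded in /etc/ipa/default.conf.

```python
# Constructed sample: trimmed copy of the non-functional krb5.conf in this post.
BROKEN = """\
[libdefaults]
 default_realm = CLOUD.COM
[realms]
 CLIFF.CLOUDBURRITO.COM = {
  kdc = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:88
}
 CLOUD.COM = {
  kdc = i-6775b715.ipa-server.us-east-1.cloud.com
 }
[dbmodules]
  CLIFF.CLOUDBURRITO.COM = {
    db_library = ipadb.so
  }
"""
FIXED = BROKEN.replace("= CLOUD.COM", "= CLIFF.CLOUDBURRITO.COM")  # the post's fix

def parse_krb5(text):
    """Return {section: {key: value or {subkey: value}}} for a krb5.conf string."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("include"):
            continue  # comments and include/includedir directives are skipped
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None  # end of a "REALM = { ... }" block
        elif section is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:  # repeated keys such as kdc keep only the last value here
                (block if block is not None else section)[key] = value
    return conf

def check_kdc_realm(text, expected_realm):
    """List mismatches between default_realm, [realms], [dbmodules], IPA realm."""
    conf = parse_krb5(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    problems = []
    if realm != expected_realm:
        problems.append(f"default_realm is {realm}, expected {expected_realm}")
    if realm not in conf.get("realms", {}):
        problems.append(f"no [realms] entry for {realm}")
    if "db_library" not in conf.get("dbmodules", {}).get(realm, {}):
        problems.append(f"no [dbmodules] db_library for {realm}")
    return problems
```

Run against the real /etc/krb5.conf after any package upgrade; an empty list means the three sections agree with the IPA realm.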

------------------------------------------------------------------------
*From: *Rob Crittenden <rcritten at redhat.com>
*Sent: * 2014-04-08 13:33:53 E
*To: *Patrick Hemmer <freeipa at stormcloud9.net>, freeipa-users at redhat.com
*Subject: *Re: [Freeipa-users] /var/kerberos/krb5kdc/principal missing

> Patrick Hemmer wrote:
>> Figured it out.
>> Somehow during the upgrade process, the default_realm changed to one of
>> our other domains we use. I'm guessing some RPM postinstall script
>> pulled the domain out of sssd.conf as that's the only place on the box
>> where that domain is mentioned. We don't touch krb5.conf with any sort
>> of configuration management utility.
>>
>> Anyway, after removing the domain from the krb5.conf and restoring the
>> original settings, ipa started up normally.
>
> That's really strange.. I wonder if authconfig is doing something.
> What exactly did the file look like? We do try to update it to fix the
> dbmodules line but we already know the realm and domain from
> /etc/ipa/default.conf.
>
> rob
>
>>
>> -Patrick
>>
>>
>> ------------------------------------------------------------------------
>> *From: *Patrick Hemmer <freeipa at stormcloud9.net>
>> *Sent: * 2014-04-08 11:52:34 E
>> *To: *freeipa-users at redhat.com
>> *Subject: *[Freeipa-users] /var/kerberos/krb5kdc/principal missing
>>
>>> I'm having the exact same issue as
>>> http://www.redhat.com/archives/freeipa-users/2013-October/msg00009.html
>>> I upgraded from RHEL-6.3 to RHEL-6.5, and now FreeIPA won't start due
>>> to kadmind not starting.
>>>
>>> The kadmind.log contains an extremely unhelpful:
>>> Apr 08 11:31:20 i-31f62969 kadmind[20850](Error): No such file or
>>> directory while initializing, aborting
>>>
>>> Stracing `/usr/sbin/kadmind -P /var/run/kadmind.pid` results in:
>>> open("/var/kerberos/krb5kdc/principal", O_RDONLY) = -1 ENOENT (No such
>>> file or directory)
>>> gettimeofday({1396971844, 51536}, NULL) = 0
>>> open("/etc/localtime", O_RDONLY)        = 4
>>> fstat(4, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
>>> fstat(4, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
>>> 0) = 0x7f25440dd000
>>> read(4,
>>> "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"...,
>>> 4096) = 3519
>>> lseek(4, -2252, SEEK_CUR)               = 1267
>>> read(4,
>>> "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"...,
>>> 4096) = 2252
>>> close(4)                                = 0
>>> munmap(0x7f25440dd000, 4096)            = 0
>>> write(3, "Apr 08 11:44:04 i-31f62969 kadmi"..., 105) = 105
>>> write(2, "kadmind: No such file or directo"..., 64kadmind: No such
>>> file or directory while initializing, aborting) = 64
>>> close(3)                                = 0
>>> munmap(0x7f25440df000, 4096)            = 0
>>> exit_group(1)                           = ?
>>>
>>> As requested in the linked thread, the dbmodules section looks like
>>> this:
>>> [dbmodules]
>>>   CLIFF.CLOUDBURRITO.COM = {
>>>     db_library = ipadb.so
>>>   }
>>>
>>> Another important item of note, I have another IPA server which has
>>> not been upgraded from 6.3 yet, and the file is missing there too, but
>>> kadmind is currently running just fine...
>>>
>>> Ideas?
>>>
>>> -Patrick
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
