[Freeipa-users] IPA down hard. Kerberos?

Bret Wortman bret.wortman at damascusgrp.com
Mon May 19 13:01:07 UTC 2014


Yep, it was that [dbmodules] section that bit us. Thanks!

On 05/19/2014 08:58 AM, Szymon Jazy wrote:
> Something like:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = DOMAIN
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  DOMAIN = {
>   kdc = ipa1.foo.net:88
>   master_kdc = ipa1.foo.net:88
>   admin_server = ipa1.foo.net:749
>   default_domain = domain
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
>  .domain = DOMAIN
>  domain = DOMAIN
>
> [dbmodules]
>   DOMAIN = {
>     db_library = ipadb.so
>   }
>
>
> Szymon
>
> 2014-05-19 14:52 GMT+02:00 Bret Wortman <bret.wortman at damascusgrp.com>:
>
>     Okay, it looks like our /etc/krb5.conf file got overwritten by an
>     overeager Puppet module that shouldn't have affected an IPA server
>     but did.
>
>     Can someone provide some guidance as to what this file is supposed
>     to look like on an IPA server named "ipa1.foo.net" since ours is
>     obviously completely wrong and I don't have an unadulterated server
>     to look at for comparison? Thanks.
>
>
>     Bret
>
>     On 05/19/2014 06:51 AM, Bret Wortman wrote:
>>     Happy Monday to me -- I came in this morning to find all 3 of my
>>     IPA replicas are down. When I tried to start one of them, I got this:
>>
>>     [root@ipa1 ~]# ipactl start
>>     Existing service file detected!
>>     Assuming stale, cleaning and proceeding
>>     Starting Directory Service
>>     Starting krb5kdc Service
>>     Job for krb5kdc.service failed. See 'systemctl status krb5kdc.service' and 'journalctl -xn' for details.
>>     Failed to start krb5kdc Service
>>     Shutting down
>>     Aborting ipactl
>>     [root@ipa1 ~]# systemctl status krb5kdc.service
>>     krb5kdc.service - Kerberos 5 KDC
>>        Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled)
>>        Active: failed (Result: exit-code) since Mon 2014-05-19 06:46:24 EDT; 51s ago
>>       Process: 1835 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>
>>     May 19 06:46:24 ipa1.foo.net systemd[1]: krb5kdc.service: control process exited, code=exited status=1
>>     May 19 06:46:24 ipa1.foo.net systemd[1]: Failed to start Kerberos 5 KDC.
>>     May 19 06:46:24 ipa1.foo.net systemd[1]: Unit krb5kdc.service entered failed state.
>>     May 19 06:46:24 ipa1.foo.net systemd[1]: Stopped Kerberos 5 KDC.
>>     [root@ipa1 ~]# journalctl -xn
>>     -- Logs begin at Tue 2014-05-13 09:50:44 EDT, end at Mon 2014-05-19 06:47:03 EDT. --
>>     May 19 06:46:42 ipa1.foo.net ntpd_intres[526]: host name not found: 2.fedora.pool.ntp.org
>>     May 19 06:46:58 ipa1.foo.net sshd[1855]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
>>     May 19 06:47:00 ipa1.foo.net sshd[1855]: Accepted password for root from 192.168.2.13 port 42299 ssh2
>>     May 19 06:47:00 ipa1.foo.net systemd[1]: Starting Session 5 of user root.
>>     -- Subject: Unit session-5.scope has begun with start-up
>>     -- Defined-By: systemd
>>     -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>     -- 
>>     -- Unit session-5.scope has begun starting up.
>>     May 19 06:47:00 ipa1.foo.net systemd-logind[495]: New session 5 of user root.
>>     -- Subject: A new session 5 has been created for user root
>>     -- Defined-By: systemd
>>     -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>     -- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
>>     -- 
>>     -- A new session with the ID 5 has been created for the user root.
>>     -- 
>>     -- The leading process of the session is 1855.
>>     May 19 06:47:00 ipa1.foo.net systemd[1]: Started Session 5 of user root.
>>     -- Subject: Unit session-5.scope has finished start-up
>>     -- Defined-By: systemd
>>     -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>     -- 
>>     -- Unit session-5.scope has finished starting up.
>>     -- 
>>     -- The start-up result is done.
>>     May 19 06:47:00 ipa1.foo.net sshd[1855]: pam_unix(sshd:session): session opened for user root by (uid=0)
>>     May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped 389 Directory Server WEDGEOFLI-ME..
>>     -- Subject: Unit dirsrv@WEDGEOFLI-ME.service has finished shutting down
>>     -- Defined-By: systemd
>>     -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>     -- 
>>     -- Unit dirsrv@WEDGEOFLI-ME.service has finished shutting down.
>>     May 19 06:47:03 ipa1.foo.net systemd[1]: Stopping 389 Directory Server.
>>     -- Subject: Unit dirsrv.target has begun shutting down
>>     -- Defined-By: systemd
>>     -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>     -- 
>>     -- Unit dirsrv.target has begun shutting down.
>>     May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped target 389 Directory Server.
>>     -- Subject: Unit dirsrv.target has finished shutting down
>>     -- Defined-By: systemd
>>     -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>     -- 
>>     -- Unit dirsrv.target has finished shutting down.
>>     [root@ipa1 ~]#
>>
>>     Any thoughts on where to look next? There's nothing at all logged
>>     in /var/log/krb5kdc.log when I try to start it up, and there are
>>     so many pieces to this that I'm not sure where to focus my efforts.
>>
>>     Thanks!
>>
>>
>>     -- 
>>     *Bret Wortman*
>>
>>     http://damascusgrp.com/
>>     http://about.me/wortmanbret
>>
>>
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>

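A drift check for the failure mode in this thread, added here as an example and not code from the thread or from the FreeIPA project: it parses a krb5.conf and reports when the [dbmodules] entry that points the KDC at the IPA backend (db_library = ipadb.so) is missing or wrong, which is the state a config-management overwrite like the one above leaves behind. The two sample configurations are constructed from Szymon's posted file; running the check against /etc/krb5.conf before ipactl start would have flagged the problem without a KDC restart attempt.

```python
import re
# Constructed sample modelled on the krb5.conf posted above, not the list's own
# file; BROKEN_CONF is the same file with [dbmodules] dropped, the state that
# left krb5kdc unable to start in this thread.
GOOD_CONF = """[libdefaults]
 default_realm = DOMAIN
[realms]
 DOMAIN = {
  kdc = ipa1.foo.net:88
 }
[dbmodules]
 DOMAIN = {
  db_library = ipadb.so
 }
"""
BROKEN_CONF = GOOD_CONF.split("[dbmodules]")[0]
SECTION_RE = re.compile(r"^\[(\w+)\]$")
BLOCK_RE = re.compile(r"^(\S+)\s*=\s*\{$")
KV_RE = re.compile(r"^(\S+)\s*=\s*(.+)$")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or {subkey: value}}}; one level of '{ }' nesting."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif section is None:
            raise ValueError("directive outside any section: %r" % raw)
        elif line == "}":
            block = None
        elif m := BLOCK_RE.match(line):
            block = section.setdefault(m.group(1), {})
        elif m := KV_RE.match(line):
            (block if block is not None else section)[m.group(1)] = m.group(2).strip()
    return conf


def check_ipa_krb5_conf(text):
    """Return the problems that would stop an IPA KDC from starting; an empty list means OK."""
    conf = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    dbmod = conf.get("dbmodules", {}).get(realm)
    if dbmod is None:
        return ["no [dbmodules] entry for %s: KDC will not use the IPA backend" % realm]
    if dbmod.get("db_library") != "ipadb.so":
        return ["db_library for %s is %r, expected ipadb.so" % (realm, dbmod.get("db_library"))]
    return []
```

To check a live server, read /etc/krb5.conf and pass its contents to check_ipa_krb5_conf; a non-empty result is the thing to fix before ipactl start.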