[Freeipa-users] IPA down hard. Kerberos?
Bret Wortman
bret.wortman at damascusgrp.com
Mon May 19 13:01:07 UTC 2014
Yep, it was that [dbmodules] section that bit us. Thanks!

On 05/19/2014 08:58 AM, Szymon Jazy wrote:
> sth like:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DOMAIN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> DOMAIN = {
> kdc = ipa1.foo.net:88
> master_kdc = ipa1.foo.net:88
> admin_server = ipa1.foo.net:749
> default_domain = domain
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .domain = DOMAIN
> domain = DOMAIN
>
> [dbmodules]
> DOMAIN = {
> db_library = ipadb.so
> }
>
>
> Szymon
>
> 2014-05-19 14:52 GMT+02:00 Bret Wortman <bret.wortman at damascusgrp.com>:
>
> Okay, it looks like our /etc/krb5.conf file got overwritten by an
> overeager Puppet module that shouldn't have affected an IPA server
> but did.
>
> Can someone provide some guidance as to what this file is supposed
> to look like on an IPA server named "ipa1.foo.net" since ours is
> obviously completely wrong and I don't have an unadulterated server
> to look at for comparison? Thanks.
>
>
> Bret
>
> On 05/19/2014 06:51 AM, Bret Wortman wrote:
>> Happy Monday to me -- I came in this morning to find all 3 of my
>> IPA replicas are down. When I tried to start one of them, I got this:
>>
>> [root@ipa1 ~]# ipactl start
>> Existing service file detected!
>> Assuming stale, cleaning and proceeding
>> Starting Directory Service
>> Starting krb5kdc Service
>> Job for krb5kdc.service failed. See 'systemctl status krb5kdc.service' and 'journalctl -xn' for details.
>> Failed to start krb5kdc Service
>> Shutting down
>> Aborting ipactl
>> [root@ipa1 ~]# systemctl status krb5kdc.service
>> krb5kdc.service - Kerberos 5 KDC
>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled)
>>    Active: failed (Result: exit-code) since Mon 2014-05-19 06:46:24 EDT; 51s ago
>>   Process: 1835 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>
>> May 19 06:46:24 ipa1.foo.net systemd[1]: krb5kdc.service: control process exited, code=exited status=1
>> May 19 06:46:24 ipa1.foo.net systemd[1]: Failed to start Kerberos 5 KDC.
>> May 19 06:46:24 ipa1.foo.net systemd[1]: Unit krb5kdc.service entered failed state.
>> May 19 06:46:24 ipa1.foo.net systemd[1]: Stopped Kerberos 5 KDC.
>> [root@ipa1 ~]# journalctl -xn
>> -- Logs begin at Tue 2014-05-13 09:50:44 EDT, end at Mon 2014-05-19 06:47:03 EDT. --
>> May 19 06:46:42 ipa1.foo.net ntpd_intres[526]: host name not found: 2.fedora.pool.ntp.org
>> May 19 06:46:58 ipa1.foo.net sshd[1855]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
>> May 19 06:47:00 ipa1.foo.net sshd[1855]: Accepted password for root from 192.168.2.13 port 42299 ssh2
>> May 19 06:47:00 ipa1.foo.net systemd[1]: Starting Session 5 of user root.
>> -- Subject: Unit session-5.scope has begun with start-up
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit session-5.scope has begun starting up.
>> May 19 06:47:00 ipa1.foo.net systemd-logind[495]: New session 5 of user root.
>> -- Subject: A new session 5 has been created for user root
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> -- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
>> --
>> -- A new session with the ID 5 has been created for the user root.
>> --
>> -- The leading process of the session is 1855.
>> May 19 06:47:00 ipa1.foo.net systemd[1]: Started Session 5 of user root.
>> -- Subject: Unit session-5.scope has finished start-up
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit session-5.scope has finished starting up.
>> --
>> -- The start-up result is done.
>> May 19 06:47:00 ipa1.foo.net sshd[1855]: pam_unix(sshd:session): session opened for user root by (uid=0)
>> May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped 389 Directory Server WEDGEOFLI-ME..
>> -- Subject: Unit dirsrv@WEDGEOFLI-ME.service has finished shutting down
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit dirsrv@WEDGEOFLI-ME.service has finished shutting down.
>> May 19 06:47:03 ipa1.foo.net systemd[1]: Stopping 389 Directory Server.
>> -- Subject: Unit dirsrv.target has begun shutting down
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit dirsrv.target has begun shutting down.
>> May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped target 389 Directory Server.
>> -- Subject: Unit dirsrv.target has finished shutting down
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit dirsrv.target has finished shutting down.
>> [root@ipa1 ~]#
>>
>> Any thoughts on where to look next? There's nothing at all logged
>> in /var/log/krb5kdc.log when I try to start it up, and there are
>> so many pieces to this that I'm not sure where to focus my efforts.
>>
>> Thanks!
>>
>>
>> --
>> *Bret Wortman*
>>
>> http://damascusgrp.com/
>> http://about.me/wortmanbret
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
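
A check for the failure identified in this thread, a krb5.conf on an IPA server that has lost its [dbmodules] stanza. It is an added example, not part of the original messages and not FreeIPA code. The function names are hypothetical, GOOD is abbreviated from the configuration quoted in the reply, and OVERWRITTEN is a constructed sample.

```python
import re

def parse_krb5_profile(text):
    """Parse krb5.conf text into nested dicts: {section: {key: value or {subkey: value}}}."""
    profile, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [profile.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value  # repeated keys: last one wins (enough for this check)
    return profile

def check_ipa_kdc_config(text, db_library="ipadb.so"):
    """Return problems with the default realm's [realms] and [dbmodules] stanzas."""
    profile = parse_krb5_profile(text)
    realm = profile.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    findings = []
    for section in ("realms", "dbmodules"):
        if not isinstance(profile.get(section, {}).get(realm), dict):
            findings.append(f"[{section}] has no stanza for {realm}")
    module = profile.get("dbmodules", {}).get(realm)
    if isinstance(module, dict) and module.get("db_library") != db_library:
        findings.append(f"[dbmodules] {realm}: db_library is {module.get('db_library')!r}, expected {db_library!r}")
    return findings

# Samples: GOOD is abbreviated from the reply quoted above; OVERWRITTEN is constructed.
GOOD = """[libdefaults]
 default_realm = DOMAIN
[realms]
 DOMAIN = {
  kdc = ipa1.foo.net:88
 }
[dbmodules]
 DOMAIN = {
  db_library = ipadb.so
 }
"""
OVERWRITTEN = GOOD.split("[dbmodules]")[0]  # the same file with [dbmodules] gone
```

Run against a candidate file before a configuration-management tool deploys it, an empty list means the stanzas the KDC needs are still present.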