[Freeipa-users] krb5kdc will not start (kerberos authentication error)

Rob Crittenden rcritten at redhat.com
Mon Nov 9 16:45:41 UTC 2015


Gronde, Christopher (Contractor) wrote:
> I restarted dirsrv and attempted to start krb5kdc and this is what the error log shows
> 
> # tail /var/log/dirsrv/slapd-ITMODEV-GOV/errors
> [09/Nov/2015:11:01:02 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 28016640B; We recommend to increase the entry cache size nsslapd-cachememsize.
> [09/Nov/2015:11:01:02 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
> [09/Nov/2015:11:06:04 -0500] - slapd shutting down - signaling operation threads
> [09/Nov/2015:11:06:04 -0500] - slapd shutting down - closing down internal subsystems and plugins
> [09/Nov/2015:11:06:04 -0500] - Waiting for 4 database threads to stop
> [09/Nov/2015:11:06:04 -0500] - All database threads now stopped
> [09/Nov/2015:11:06:04 -0500] - slapd stopped.
> [09/Nov/2015:11:14:20 -0500] - 389-Directory/1.2.11.15 B2015.247.1737 starting up
> [09/Nov/2015:11:14:20 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 28016640B; We recommend to increase the entry cache size nsslapd-cachememsize.
> [09/Nov/2015:11:14:20 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests

Ok, that's good.

I'd do something like this to see what is in the db (substitute
example.com with your domain):

$ ldapsearch -x -D 'cn=Directory Manager' -W -s one -b cn=kerberos,dc=example,dc=com

(don't post the output as it would include the kerberos master key).

If that returns nothing that's bad.

If it succeeds I'd broaden the search base a bit to see what data you do
have:

$ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=groups,cn=accounts,dc=example,dc=com

I picked groups because usually groups << users in numbers. This is just
to see if you have data in the tree.

Let us know if either or both turns up nothing.

rob

> 
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com] 
> Sent: Monday, November 09, 2015 10:51 AM
> To: Gronde, Christopher (Contractor) <Christopher.Gronde at fincen.gov>
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)
> 
> On Mon, 09 Nov 2015, Gronde, Christopher (Contractor) wrote:
>> Hello all!
>>
>> On my replica IPA server after fixing a cert issue that had been going on for some time, I have all my certs figured out but the krb5kdc service will not start.
>>
>> # service krb5kdc start
>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm ITMODEV.GOV - see log file for details                  [FAILED]
>>
>> # cat /var/log/krb5kdc.log
>> krb5kdc: Server error - while fetching master key K/M for realm ITMODEV.GOV
>> krb5kdc: Server error - while fetching master key K/M for realm ITMODEV.GOV
>> krb5kdc: Server error - while fetching master key K/M for realm ITMODEV.GOV
>>
>> I found this article online:  
>> http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml
>>
>> Which stated it might be because The slave KDC does not have a stash 
>> file (.k5.EXAMPLE.COM). You need to create one.  Tried the command
>> listed:
>>
>> # kdb5_util stash
>> kdb5_util: Server error while retrieving master entry
>>
>> No further information found on the preceding error above for the kdb5_util command.
>>
>> Any thoughts?
> First: don't use instructions which are not related to IPA, please.
> 
> FreeIPA has its own LDAP driver for KDC and instructions for anything else do not apply here at all.
> 
> If you see 'Server error - while fetching master key ..' it means KDC LDAP driver was unable to contact LDAP server. Does LDAP server work on the replica? What is in its error log (/var/log/dirsrv/slapd-ITMODEV-GOV/errors)?
> 
> --
> / Alexander Bokovoy
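The two checks Rob describes, wrapped in an added POSIX shell script (this is not code from the thread or from FreeIPA): it runs both searches with ldapsearch from the OpenLDAP clients but prints only entry counts, so the cn=kerberos container that holds the master key is never echoed to a terminal or into shell history. The domain is taken as a command-line argument, the bind DN is Rob's cn=Directory Manager, and the script name is my assumption.

```bash
#!/bin/sh
# Added example, not from the thread: run both of Rob's searches and report
# only how many entries each returns, so nothing under cn=kerberos (which
# holds the KDC master key) is echoed to the terminal or a shell log.
set -eu

# Turn a DNS domain such as example.com into dc=example,dc=com.
domain_to_basedn() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# Count entries in LDIF read on stdin: every entry starts with a "dn:" line.
# grep -c exits 1 on zero matches but still prints 0, hence "|| true".
count_entries() {
    grep -c '^dn:' || true
}

# Bind as Directory Manager (-W prompts for the password) and request no
# attributes (the special list "1.1"), so only dn lines come back. Under
# set -e a failed connection or bind aborts the script with ldapsearch's
# own error instead of being mistaken for an empty result.
search_count() {
    ldif=$(ldapsearch -x -LLL -D 'cn=Directory Manager' -W -s "$1" -b "$2" '(objectClass=*)' 1.1)
    printf '%s\n' "$ldif" | count_entries
}

# Verdict for one base; Rob's "returns nothing" case shows up as EMPTY.
report() {
    if [ "$2" -eq 0 ]; then
        echo "EMPTY: no entries under $1"
    else
        echo "ok: $2 entries under $1"
    fi
}

main() {
    base=$(domain_to_basedn "$1")
    n=$(search_count one "cn=kerberos,$base")           # realm container(s)
    report "cn=kerberos,$base" "$n"
    n=$(search_count sub "cn=groups,cn=accounts,$base")  # groups subtree
    report "cn=groups,cn=accounts,$base" "$n"
}

# The live checks run only when a domain is given: ./ipa-ldap-check.sh example.com
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Each search prompts for the Directory Manager password once; an "EMPTY" line for cn=kerberos is the bad case Rob refers to, and an "EMPTY" line for groups means the replica's tree has no account data at all.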