[Freeipa-users] krb5kdc will not start (kerberos authentication error)

Rich Megginson rmeggins at redhat.com
Tue Nov 10 17:59:46 UTC 2015 

On 11/10/2015 10:50 AM, Gronde, Christopher (Contractor) wrote:
> Is it possible to delete the mapping and try it and if it doesn't work or breaks something else add it back?  How would I go about deleting this mapping?  Or adding the mapping for principal name in the right order?

http://www.port389.org/docs/389ds/design/sasl-mapping-improvements-1-dot-3-1.html

However, looking at your version: 
https://www.redhat.com/archives/freeipa-users/2015-November/msg00124.html

You are using EL6 389-ds-base 1.2.11.x, which does not support the above 
sasl mapping improvements.

I have no idea how IPA is supposed to handle this situation with 
389-ds-base 1.2.11.

>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Rich Megginson
> Sent: Tuesday, November 10, 2015 12:26 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)
>
> On 11/10/2015 10:25 AM, Ludwig Krispenz wrote:
>> On 11/10/2015 06:08 PM, Gronde, Christopher (Contractor) wrote:
>>>>> # Kerberos uid mapping, mapping, sasl, config
>>>>> dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
>>>>> objectClass: top
>>>>> objectClass: nsSaslMapping
>>>>> cn: Kerberos uid mapping
>>>>> nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
>>>>> nsSaslMapBaseDNTemplate: dc=\2,dc=\3
>>>>> nsSaslMapFilterTemplate: (uid=\1)
>>>> Looks like this mapping rule causes the issues with incorrectly
>>>> mapped service principals.
>>> Any idea what I need to do to fix it?
>> I don't know where this mapping comes from and if it is needed, so one
>> try would be to delete it.
>> Another attempt would be to change the order of the mappings, but this
>> would mean to rename them
> In the older code, the SASL mappings were applied in reverse alphabetical order, which is why cn=uid mapping,cn=mapping,cn=sasl,cn=config is being applied first.  I thought there had been changes to this, so that you could explicitly define the order in which the mappings were applied.
>
>>> -----Original Message-----
>>> From: Martin Babinsky [mailto:mbabinsk at redhat.com]
>>> Sent: Tuesday, November 10, 2015 12:03 PM
>>> To: Gronde, Christopher (Contractor) <Christopher.Gronde at fincen.gov>;
>>> Rob Crittenden <rcritten at redhat.com>; Ludwig Krispenz
>>> <lkrispen at redhat.com>; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos
>>> authentication error)
>>>
>>> On 11/10/2015 05:54 PM, Gronde, Christopher (Contractor) wrote:
>>>> # ldapsearch -x -D 'cn=Directory Manager' -W -b
>>>> cn=mapping,cn=sasl,cn=config Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=mapping,cn=sasl,cn=config> with scope subtree # filter:
>>>> (objectclass=*) # requesting: ALL #
>>>>
>>>> # mapping, sasl, config
>>>> dn: cn=mapping,cn=sasl,cn=config
>>>> objectClass: top
>>>> objectClass: nsContainer
>>>> cn: mapping
>>>>
>>>> # Full Principal, mapping, sasl, config
>>>> dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
>>>> objectClass: top
>>>> objectClass: nsSaslMapping
>>>> nsSaslMapRegexString: \(.*\)@\(.*\)
>>>> cn: Full Principal
>>>> nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
>>>> nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
>>>>
>>>> # Kerberos uid mapping, mapping, sasl, config
>>>> dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
>>>> objectClass: top
>>>> objectClass: nsSaslMapping
>>>> cn: Kerberos uid mapping
>>>> nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
>>>> nsSaslMapBaseDNTemplate: dc=\2,dc=\3
>>>> nsSaslMapFilterTemplate: (uid=\1)
>>> Looks like this mapping rule causes the issues with incorrectly
>>> mapped service principals.
>>>
>>>> # Name Only, mapping, sasl, config
>>>> dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
>>>> objectClass: top
>>>> objectClass: nsSaslMapping
>>>> nsSaslMapRegexString: ^[^:@]+$
>>>> cn: Name Only
>>>> nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
>>>> nsSaslMapFilterTemplate: (krbPrincipalName=&@ITMODEV.GOV)
>>>>
>>>> # rfc 2829 dn syntax, mapping, sasl, config
>>>> dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
>>>> objectClass: top
>>>> objectClass: nsSaslMapping
>>>> cn: rfc 2829 dn syntax
>>>> nsSaslMapRegexString: ^dn:\(.*\)
>>>> nsSaslMapBaseDNTemplate: \1
>>>> nsSaslMapFilterTemplate: (objectclass=*)
>>>>
>>>> # rfc 2829 u syntax, mapping, sasl, config
>>>> dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
>>>> objectClass: top
>>>> objectClass: nsSaslMapping
>>>> cn: rfc 2829 u syntax
>>>> nsSaslMapRegexString: ^u:\(.*\)
>>>> nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
>>>> nsSaslMapFilterTemplate: (uid=\1)
>>>>
>>>> # uid mapping, mapping, sasl, config
>>>> dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
>>>> objectClass: top
>>>> objectClass: nsSaslMapping
>>>> cn: uid mapping
>>>> nsSaslMapRegexString: ^[^:@]+$
>>>> nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
>>>> nsSaslMapFilterTemplate: (uid=&)
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 8
>>>> # numEntries: 7
>>>> [root at comipa02 ~]#
>>>>
>>>> -----Original Message-----
>>>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>>>> Sent: Tuesday, November 10, 2015 11:52 AM
>>>> To: Gronde, Christopher (Contractor)
>>>> <Christopher.Gronde at fincen.gov>; Ludwig Krispenz
>>>> <lkrispen at redhat.com>; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos
>>>> authentication error)
>>>>
>>>> Gronde, Christopher (Contractor) wrote:
>>>>> This gave me a huge return!  Appears to be a long list of all the
>>>>> servers and applications whose users authenticate to the IPA servers.
>>>>>
>>>>> ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
>>>>> "dc=itmodev,dc=gov" '(objectclass=krbprincipal)'
>>>>>
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 142
>>>>> # numEntries: 141
>>>> Right, we need to see the sasl mapping:
>>>>
>>>> $ ldapsearch -x -D 'cn=Directory Manager' -W -b
>>>> cn=mapping,cn=sasl,cn=config
>>>>
>>>> rob
>>>>
>>>>> -----Original Message-----
>>>>> From: freeipa-users-bounces at redhat.com
>>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig
>>>>> Krispenz
>>>>> Sent: Tuesday, November 10, 2015 11:37 AM
>>>>> To: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos
>>>>> authentication error)
>>>>>
>>>>> what do you get if you search for "objectclass=krbprincipal" ?
>>>>>
>>>>> On 11/10/2015 05:27 PM, Rich Megginson wrote:
>>>>>> On 11/10/2015 09:16 AM, Gronde, Christopher (Contractor) wrote:
>>>>>>> Neither came back with anything
>>>>>>>
>>>>>>> # ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
>>>>>>> "dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)'
>>>>>>> Enter LDAP Password:
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base <dc=itmodev,dc=gov> with scope subtree # filter:
>>>>>>> (uid=ldap/comipa01.itmodev.gov) # requesting: ALL #
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 2
>>>>>>> result: 0 Success
>>>>>>>
>>>>>>> # numResponses: 1
>>>>>>> [root at comipa02 ~]# ldapsearch -x -h 172.16.100.161 -D
>>>>>>> "cn=directory manager" -W -b "dc=itmodev,dc=gov"
>>>>>>> '(uid=ldap/*.gov)' uid Enter LDAP
>>>>>>> Password:
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base <dc=itmodev,dc=gov> with scope subtree # filter:
>>>>>>> (uid=ldap/*.gov) # requesting: uid #
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 2
>>>>>>> result: 0 Success
>>>>>>>
>>>>>>> # numResponses: 1
>>>>>> That means this server has no LDAP service principals? I'm not
>>>>>> sure how to recover IPA from this scenario.
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: freeipa-users-bounces at redhat.com
>>>>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Rich
>>>>>>> Megginson
>>>>>>> Sent: Tuesday, November 10, 2015 11:04 AM
>>>>>>> To: freeipa-users at redhat.com
>>>>>>> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos
>>>>>>> authentication error)
>>>>>>>
>>>>>>> On 11/10/2015 08:18 AM, Gronde, Christopher (Contractor) wrote:
>>>>>>>> Thank you!  I should have caught that...
>>>>>>>>
>>>>>>>> I changed the log level and then restarted dirsrv and attempted
>>>>>>>> to start krb5kdc and got the following...
>>>>>>> <snip>
>>>>>>>
>>>>>>> [10/Nov/2015:10:12:02 -0500] conn=5 fd=64 slot=64 connection from
>>>>>>> 172.16.100.208 to 172.16.100.161
>>>>>>> [10/Nov/2015:10:12:02 -0500] conn=5 op=0 BIND dn="" method=sasl
>>>>>>> version=3 mech=GSSAPI
>>>>>>> [10/Nov/2015:10:12:03 -0500] conn=5 op=0 RESULT err=14 tag=97
>>>>>>> nentries=0 etime=1, SASL bind in progress
>>>>>>> [10/Nov/2015:10:12:03 -0500] conn=5 op=1 BIND dn="" method=sasl
>>>>>>> version=3 mech=GSSAPI
>>>>>>> [10/Nov/2015:10:12:03 -0500] conn=5 op=1 RESULT err=14 tag=97
>>>>>>> nentries=0 etime=0, SASL bind in progress
>>>>>>> [10/Nov/2015:10:12:03 -0500] conn=5 op=2 BIND dn="" method=sasl
>>>>>>> version=3 mech=GSSAPI
>>>>>>> [10/Nov/2015:10:12:03 -0500] conn=Internal op=-1 SRCH
>>>>>>> base="dc=itmodev,dc=gov" scope=2
>>>>>>> filter="(uid=ldap/comipa01.itmodev.gov)" attrs=ALL
>>>>>>> [10/Nov/2015:10:12:03 -0500] conn=Internal op=-1 RESULT err=0
>>>>>>> tag=48
>>>>>>> nentries=0 etime=0
>>>>>>> [10/Nov/2015:10:12:03 -0500] conn=5 op=2 RESULT err=49 tag=97
>>>>>>> nentries=0
>>>>>>> etime=0
>>>>>>> [10/Nov/2015:10:12:03 -0500] conn=5 op=3 UNBIND
>>>>>>> [10/Nov/2015:10:12:03 -0500] conn=5 op=3 fd=64 closed - U1
>>>>>>>
>>>>>>> <snip>
>>>>>>>
>>>>>>> This is the SASL bind.  It thinks the principal in the Kerberos
>>>>>>> credential is "ldap/comipa01.itmodev.gov", and the SASL map tells
>>>>>>> the code to look for something with uid=ldap/comipa01.itmodev.gov
>>>>>>> under dc=itmodev,dc=gov.  However, this entry is not found:
>>>>>>> RESULT
>>>>>>> err=0
>>>>>>> tag=48 nentries=0.  nentries=0 means no entries matched the
>>>>>>> search criteria.
>>>>>>>
>>>>>>> You can do the search yourself with ldapsearch:
>>>>>>>
>>>>>>> ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
>>>>>>> "dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)'
>>>>>>>
>>>>>>> If you want to find out if there is some other ldap principal, do
>>>>>>> a search like this:
>>>>>>>
>>>>>>> ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
>>>>>>> "dc=itmodev,dc=gov" '(uid=ldap/*.gov)' uid
>>>>>>>
>>>>>>>>> Ran into an error trying to set that
>>>>>>>>>
>>>>>>>>> # ldapmodify -a -D "cn=directory manager" -W Enter LDAP Password:
>>>>>>>>> dn: cn=config
>>>>>>>>> changetype: modify
>>>>>>>>> replace: nsslapd-acesslog-level
>>>>>>>>> : 260
>>>>>>>>>
>>>>>>>>> modifying entry "cn=config"
>>>>>>>>> ldap_modify: Server is unwilling to perform (53)
>>>>>>>>>               additional info: Unknown attribute
>>>>>>>>> nsslapd-acesslog-level will be ignored
>>>>>>>>>
>>>>>>>>> [root at comipa02 ~]# ldapmodify -a -D "cn=config" -W Enter LDAP
>>>>>>>>> Password:
>>>>>>>>> ldap_bind: Inappropriate authentication (48)
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>>>>>>> Sent: Tuesday, November 10, 2015 9:48 AM
>>>>>>>>> To: Gronde, Christopher (Contractor)
>>>>>>>>> <Christopher.Gronde at fincen.gov>
>>>>>>>>> Cc: freeipa-users at redhat.com
>>>>>>>>> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos
>>>>>>>>> authentication error)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 11/10/2015 03:32 PM, Gronde, Christopher (Contractor) wrote:
>>>>>>>>>> How do I change that log setting? Is that done in LDAP?  Using
>>>>>>>>>> ldapmodify?
>>>>>>>>> yes,
>>>>>>>>> ldapmodify ...
>>>>>>>>> dn: cn=config
>>>>>>>>> changetype: modify
>>>>>>>>> replace: nsslapd-acesslog-level
>>>>>>>>> nsslapd-acesslog-level: 260
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: freeipa-users-bounces at redhat.com
>>>>>>>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig
>>>>>>>>>> Krispenz
>>>>>>>>>> Sent: Tuesday, November 10, 2015 9:03 AM
>>>>>>>>>> To: freeipa-users at redhat.com
>>>>>>>>>> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos
>>>>>>>>>> authentication error)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 11/10/2015 02:40 PM, Alexander Bokovoy wrote:
>>>>>>>>>>> On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote:
>>>>>>>>>>>> Where can I verify or change the credentials it is trying to
>>>>>>>>>>>> use?
>>>>>>>>>>>> Is it my LDAP password?
>>>>>>>>>>> No, according to your logs, it is your LDAP master trying to
>>>>>>>>>>> replicate (push changes) to your LDAP replica:
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 fd=64 slot=64
>>>>>>>>>>>>> connection from <MASTER_IP> to <REPLICA_IP>
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 op=0 BIND dn=""
>>>>>>>>>>>>> method=sasl
>>>>>>>>>>>>> version=3 mech=GSSAPI
>>>>>>>>>> err=49 could also be a result if the entry which is mapped
>>>>>>>>>> from the principal is not found in the directory. A bit more
>>>>>>>>>> info could be gained by enabling logging of internal searches.
>>>>>>>>>> Set nsslapd-acesslog-level: 260
>>>>>>>>>>
>>>>>>>>>> and then look what internal searches are done during the
>>>>>>>>>> gssapi authentication
>>>>>>>>>>> If that is true, it would be ldap/<master> Kerberos principal
>>>>>>>>>>> talking to ldap/<replica> Kerberos principal. If that fails,
>>>>>>>>>>> it means master and replica KDCs have different understanding
>>>>>>>>>>> of both ldap/<master> and ldap/<replica> keys which most
>>>>>>>>>>> likely means keys were rotated on master and weren't
>>>>>>>>>>> propagated to replica.
>>>>>>>>>>>
>>>>>>>>>>> How to solve it? One possibility is to set master's hostname
>>>>>>>>>>> as KDC address in krb5.conf on replica, forcing LDAP server
>>>>>>>>>>> on replica to use master's KDC. I'm absolutely not sure this
>>>>>>>>>>> will actually work but at least it allows to see if we are
>>>>>>>>>>> indeed dealing with inconsistent state of service principals' keys.
>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>>>>>>>>>>>> Sent: Tuesday, November 10, 2015 8:18 AM
>>>>>>>>>>>> To: Gronde, Christopher (Contractor)
>>>>>>>>>>>> <Christopher.Gronde at fincen.gov>
>>>>>>>>>>>> Cc: Rob Crittenden <rcritten at redhat.com>;
>>>>>>>>>>>> freeipa-users at redhat.com
>>>>>>>>>>>> Subject: Re: [Freeipa-users] krb5kdc will not start
>>>>>>>>>>>> (kerberos authentication error)
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote:
>>>>>>>>>>>>> When I tried to start the service again I got no response
>>>>>>>>>>>>> from tail of the log, but this is a repeating entry I see
>>>>>>>>>>>>> in the access log
>>>>>>>>>>>>>
>>>>>>>>>>>>> [09/Nov/2015:15:01:04 -0500] conn=1 fd=64 slot=64
>>>>>>>>>>>>> connection from
>>>>>>>>>>>>> 127.0.0.1 to 127.0.0.1
>>>>>>>>>>>>> [09/Nov/2015:15:01:04 -0500] conn=1 op=-1 fd=64 closed - B1
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 fd=64 slot=64
>>>>>>>>>>>>> connection from <MASTER_IP> to <REPLICA_IP>
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 op=0 BIND dn=""
>>>>>>>>>>>>> method=sasl
>>>>>>>>>>>>> version=3 mech=GSSAPI
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 op=0 RESULT err=14
>>>>>>>>>>>>> tag=97
>>>>>>>>>>>>> nentries=0 etime=0, SASL bind in progress
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 op=1 BIND dn=""
>>>>>>>>>>>>> method=sasl
>>>>>>>>>>>>> version=3 mech=GSSAPI
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 op=1 RESULT err=14
>>>>>>>>>>>>> tag=97
>>>>>>>>>>>>> nentries=0 etime=0, SASL bind in progress
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 op=2 BIND dn=""
>>>>>>>>>>>>> method=sasl
>>>>>>>>>>>>> version=3 mech=GSSAPI
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 op=2 RESULT err=49
>>>>>>>>>>>>> tag=97
>>>>>>>>>>>>> nentries=0 etime=0
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 op=3 UNBIND
>>>>>>>>>>>>> [09/Nov/2015:15:02:01 -0500] conn=2 op=3 fd=64 closed - U1
>>>>>>>>>>>>>
>>>>>>>>>>>>> Does anyone know what err=14 or err=49 are?
>>>>>>>>>>>> err=14 means SASL bind in progress -- i.e. multi-round
>>>>>>>>>>>> processing is ongoing. This is normal for SASL GSSAPI.
>>>>>>>>>>>>
>>>>>>>>>>>> err=49 is wrong password or username, i.e. credentials were
>>>>>>>>>>>> incorrect.
>>>>>>>>>>>> It may also mean that LDAP server side was unable to process
>>>>>>>>>>>> Kerberos negotiation due to not having a current Kerberos
>>>>>>>>>>>> ticket for own service
>>>>>>>>>>>> (LDAP) and trying to request it from the Kerberos KDC but
>>>>>>>>>>>> Kerberos KDC is down.
>>>>>>>>>>>>
>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>>>>>>>>>>>>> Sent: Monday, November 09, 2015 3:26 PM
>>>>>>>>>>>>> To: Gronde, Christopher (Contractor)
>>>>>>>>>>>>> <Christopher.Gronde at fincen.gov>; Alexander Bokovoy
>>>>>>>>>>>>> <abokovoy at redhat.com>
>>>>>>>>>>>>> Cc: freeipa-users at redhat.com
>>>>>>>>>>>>> Subject: Re: [Freeipa-users] krb5kdc will not start
>>>>>>>>>>>>> (kerberos authentication error)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Gronde, Christopher (Contractor) wrote:
>>>>>>>>>>>>>> Nothing bad came back and there is definitely data in the
>>>>>>>>>>>>>> tree.
>>>>>>>>>>>>> Ok, I guess I'd try to start the kdc again and then watch
>>>>>>>>>>>>> the 389-ds access log (buffered) to:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. See if it is binding at all 2. See what the search is
>>>>>>>>>>>>> and what, if any, results were returned
>>>>>>>>>>>>>
>>>>>>>>>>>>> This would be in /var/log/dirsrv/slapd-YOUR_REALM/access
>>>>>>>>>>>>>
>>>>>>>>>>>>> rob
>>>>>>>>>>>>>
>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>>>>>>>>>>>>>> Sent: Monday, November 09, 2015 11:46 AM
>>>>>>>>>>>>>> To: Gronde, Christopher (Contractor)
>>>>>>>>>>>>>> <Christopher.Gronde at fincen.gov>; Alexander Bokovoy
>>>>>>>>>>>>>> <abokovoy at redhat.com>
>>>>>>>>>>>>>> Cc: freeipa-users at redhat.com
>>>>>>>>>>>>>> Subject: Re: [Freeipa-users] krb5kdc will not start
>>>>>>>>>>>>>> (kerberos authentication error)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Gronde, Christopher (Contractor) wrote:
>>>>>>>>>>>>>>> I restarted dirsrv and attempted to start krb5kdc and
>>>>>>>>>>>>>>> this is what the error log shows
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # tail /var/log/dirsrv/slapd-ITMODEV-GOV/errors
>>>>>>>>>>>>>>> [09/Nov/2015:11:01:02 -0500] - WARNING: userRoot: entry
>>>>>>>>>>>>>>> cache size 10485760B is less than db size 28016640B; We
>>>>>>>>>>>>>>> recommend to increase the entry cache size
>>>>>>>>>>>>>>> nsslapd-cachememsize.
>>>>>>>>>>>>>>> [09/Nov/2015:11:01:02 -0500] - slapd started. Listening
>>>>>>>>>>>>>>> on All Interfaces port 389 for LDAP requests
>>>>>>>>>>>>>>> [09/Nov/2015:11:06:04 -0500] - slapd shutting down -
>>>>>>>>>>>>>>> signaling operation threads
>>>>>>>>>>>>>>> [09/Nov/2015:11:06:04 -0500] - slapd shutting down -
>>>>>>>>>>>>>>> closing down internal subsystems and plugins
>>>>>>>>>>>>>>> [09/Nov/2015:11:06:04 -0500] - Waiting for 4 database
>>>>>>>>>>>>>>> threads to stop
>>>>>>>>>>>>>>> [09/Nov/2015:11:06:04 -0500] - All database threads now
>>>>>>>>>>>>>>> stopped
>>>>>>>>>>>>>>> [09/Nov/2015:11:06:04 -0500] - slapd stopped.
>>>>>>>>>>>>>>> [09/Nov/2015:11:14:20 -0500] - 389-Directory/1.2.11.15
>>>>>>>>>>>>>>> B2015.247.1737 starting up
>>>>>>>>>>>>>>> [09/Nov/2015:11:14:20 -0500] - WARNING: userRoot: entry
>>>>>>>>>>>>>>> cache size 10485760B is less than db size 28016640B; We
>>>>>>>>>>>>>>> recommend to increase the entry cache size
>>>>>>>>>>>>>>> nsslapd-cachememsize.
>>>>>>>>>>>>>>> [09/Nov/2015:11:14:20 -0500] - slapd started. Listening
>>>>>>>>>>>>>>> on All Interfaces port 389 for LDAP requests
>>>>>>>>>>>>>> Ok, that's good.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'd do something like this to see what is in the db
>>>>>>>>>>>>>> (substitute example.com with your domain):
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> $ ldapsearch -x -D 'cn=Directory Manager' -W -s one -b
>>>>>>>>>>>>>> cn=kerberos,dc=example,dc=com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> (don't post the output as it would include the kerberos
>>>>>>>>>>>>>> master key).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If that returns nothing that's bad.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If it succeeds I'd broaden the search base a bit to see
>>>>>>>>>>>>>> what data you do
>>>>>>>>>>>>>> have:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> $ ldapsearch -x -D 'cn=Directory Manager' -W -b
>>>>>>>>>>>>>> cn=groups,cn=accounts,dc=example,dc=com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I picked groups because usually groups << users in numbers.
>>>>>>>>>>>>>> This is just to see if you have data in the tree.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Let us know if either or both turns up nothing.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> rob
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>>>>>>>>>>>>>>> Sent: Monday, November 09, 2015 10:51 AM
>>>>>>>>>>>>>>> To: Gronde, Christopher (Contractor)
>>>>>>>>>>>>>>> <Christopher.Gronde at fincen.gov>
>>>>>>>>>>>>>>> Cc: freeipa-users at redhat.com
>>>>>>>>>>>>>>> Subject: Re: [Freeipa-users] krb5kdc will not start
>>>>>>>>>>>>>>> (kerberos authentication error)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, 09 Nov 2015, Gronde, Christopher (Contractor) wrote:
>>>>>>>>>>>>>>>> Hello all!
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On my replica IPA server after fixing a cert issue that
>>>>>>>>>>>>>>>> had been going on for sometime, I have all my certs
>>>>>>>>>>>>>>>> figured out but the krb5kdc service will not start.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # service krb5kdc start
>>>>>>>>>>>>>>>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize
>>>>>>>>>>>>>>>> realm ITMODEV.GOV - see log file for details [FAILED]
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # cat /var/log/krb5kdc.log
>>>>>>>>>>>>>>>> krb5kdc: Server error - while fetching master key K/M
>>>>>>>>>>>>>>>> for realm ITMODEV.GOV
>>>>>>>>>>>>>>>> krb5kdc: Server error - while fetching master key K/M
>>>>>>>>>>>>>>>> for realm ITMODEV.GOV
>>>>>>>>>>>>>>>> krb5kdc: Server error - while fetching master key K/M
>>>>>>>>>>>>>>>> for realm ITMODEV.GOV
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I found this article online:
>>>>>>>>>>>>>>>> http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.
>>>>>>>>>>>>>>>> sh
>>>>>>>>>>>>>>>> t
>>>>>>>>>>>>>>>> m
>>>>>>>>>>>>>>>> l
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Which stated it might be because The slave KDC does not
>>>>>>>>>>>>>>>> have a stash file (.k5.EXAMPLE.COM). You need to create
>>>>>>>>>>>>>>>> one.
>>>>>>>>>>>>>>>> Tried the command
>>>>>>>>>>>>>>>> listed:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # kdb5_util stash
>>>>>>>>>>>>>>>> kdb5_util: Server error while retrieving master entry
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> No further information found on the proceeding error
>>>>>>>>>>>>>>>> above for the kdb5_util command.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Any thoughts?
>>>>>>>>>>>>>>> First: don't use instructions which are not related to
>>>>>>>>>>>>>>> IPA, please.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> FreeIPA has its own LDAP driver for KDC and instructions
>>>>>>>>>>>>>>> for anything else do not apply here at all.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you see 'Server error - while fetching master key ..'
>>>>>>>>>>>>>>> it means KDC LDAP driver was unable to contact LDAP server.
>>>>>>>>>>>>>>> Does LDAP server work on the replica? What is in its
>>>>>>>>>>>>>>> error log (/var/log/dirsrv/slapd-ITMODEV-GOV/errors)?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>>
>>>>
>>> --
>>> Martin^3 Babinsky
>>>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

More information about the Freeipa-users mailing list