<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body smarttemplateinserted="true" bgcolor="#FFFFFF" text="#000000"> <div id="smartTemplate4-template">This is what the non-functional version looked like: <tt>includedir /var/lib/sss/pubconf/krb5.include.d/</tt><tt> </tt><tt> </tt><tt>[logging]</tt><tt> </tt><tt> default = <a class="moz-txt-link-freetext" href="FILE:/var/log/krb5libs.log">FILE:/var/log/krb5libs.log</a></tt><tt> </tt><tt> kdc = <a class="moz-txt-link-freetext" href="FILE:/var/log/krb5kdc.log">FILE:/var/log/krb5kdc.log</a></tt><tt> </tt><tt> admin_server = <a class="moz-txt-link-freetext" href="FILE:/var/log/kadmind.log">FILE:/var/log/kadmind.log</a></tt><tt> </tt><tt> </tt><tt>[libdefaults]</tt><tt> </tt><tt> default_realm = CLOUD.COM</tt><tt> </tt><tt> dns_lookup_realm = false</tt><tt> </tt><tt> dns_lookup_kdc = true</tt><tt> </tt><tt> rdns = false</tt><tt> </tt><tt> ticket_lifetime = 24h</tt><tt> </tt><tt> forwardable = yes</tt><tt> </tt><tt> </tt><tt>[realms]</tt><tt> </tt><tt> CLIFF.CLOUDBURRITO.COM = {</tt><tt> </tt><tt> kdc = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:88</tt><tt> </tt><tt> master_kdc = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:88</tt><tt> </tt><tt> admin_server = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:749</tt><tt> </tt><tt> default_domain = cliff.cloudburrito.com</tt><tt> </tt><tt> pkinit_anchors = <a class="moz-txt-link-freetext" href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a></tt><tt> </tt><tt>}</tt><tt> </tt><tt> </tt><tt> CLOUD.COM = {</tt><tt> </tt><tt> kdc = i-6775b715.ipa-server.us-east-1.cloud.com</tt><tt> </tt><tt> kdc = i-32e87151.ipa-server.us-east-1.cloud.com</tt><tt> </tt><tt> admin_server = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:749</tt><tt> </tt><tt> }</tt><tt> </tt><tt> </tt><tt>[domain_realm]</tt><tt> </tt><tt> .cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM</tt><tt> </tt><tt> cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM</tt><tt> </tt><tt> </tt><tt> cloud.com = CLOUD.COM</tt><tt> </tt><tt> .cloud.com = CLOUD.COM</tt><tt> </tt><tt>[dbmodules]</tt><tt> </tt><tt> CLIFF.CLOUDBURRITO.COM = {</tt><tt> </tt><tt> db_library = ipadb.so</tt><tt> </tt><tt> }</tt> This is what I did to fix it: <tt>--- /etc/krb5.conf.orig 2014-04-08 12:33:01.376525373 -0400</tt><tt> </tt><tt>+++ /etc/krb5.conf 2014-04-08 12:33:33.214975855 -0400</tt><tt> </tt><tt>@@ -6,7 +6,7 @@</tt><tt> </tt><tt> admin_server = <a class="moz-txt-link-freetext" href="FILE:/var/log/kadmind.log">FILE:/var/log/kadmind.log</a></tt><tt> </tt><tt> </tt><tt> </tt><tt> [libdefaults]</tt><tt> </tt><tt>- default_realm = CLOUD.COM</tt><tt> </tt><tt>+ default_realm = CLIFF.CLOUDBURRITO.COM</tt><tt> </tt><tt> dns_lookup_realm = false</tt><tt> </tt><tt> dns_lookup_kdc = true</tt><tt> </tt><tt> rdns = false</tt><tt> </tt><tt>@@ -22,18 +22,10 @@</tt><tt> </tt><tt> pkinit_anchors = <a class="moz-txt-link-freetext" href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a></tt><tt> </tt><tt> }</tt><tt> </tt><tt> </tt><tt> </tt><tt>- CLOUD.COM = {</tt><tt> </tt><tt>- kdc = i-6775b715.ipa-server.us-east-1.cloud.com</tt><tt> </tt><tt>- kdc = i-32e87151.ipa-server.us-east-1.cloud.com</tt><tt> </tt><tt>- admin_server = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:749</tt><tt> </tt><tt>- }</tt><tt> </tt><tt>-</tt><tt> </tt><tt> [domain_realm]</tt><tt> </tt><tt> .cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM</tt><tt> </tt><tt> cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM</tt><tt> </tt><tt> </tt><tt> </tt><tt>- cloud.com = CLOUD.COM</tt><tt> </tt><tt>- .cloud.com = CLOUD.COM</tt><tt> </tt><tt> [dbmodules]</tt><tt> </tt><tt> CLIFF.CLOUDBURRITO.COM = {</tt><tt> </tt><tt> db_library = ipadb.so</tt> </div> -Patrick <div id="smartTemplate4-quoteHeader"> <hr> <div>From: Rob Crittenden <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a></div> <div>Sent: 2014-04-08 13:33:53 E</div> <div>To: Patrick Hemmer <a class="moz-txt-link-rfc2396E" href="mailto:freeipa@stormcloud9.net"><freeipa@stormcloud9.net></a>, <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a></div> <div>Subject: Re: [Freeipa-users] /var/kerberos/krb5kdc/principal missing</div> </div> <blockquote cite="mid:53443301.5030207@redhat.com" type="cite">Patrick Hemmer wrote: <blockquote type="cite">Figured it out. Somehow during the upgrade process, the default_realm changed to one of our other domains we use. I'm guessing some RPM postinstall script pulled the domain out of sssd.conf as that's the only place on the box where that domain is mentioned. We don't touch krb5.conf with any sort of configuration management utility. Anyway, after removing the domain from the krb5.conf and restoring the original settings, ipa started up normally. </blockquote> That's really strange.. I wonder if authconfig is doing something. What exactly did the file look like? We do try to update it to fix the dbmodules line but we already know the realm and domain from /etc/ipa/default.conf. rob <blockquote type="cite"> -Patrick ------------------------------------------------------------------------ *From: *Patrick Hemmer <a class="moz-txt-link-rfc2396E" href="mailto:freeipa@stormcloud9.net"><freeipa@stormcloud9.net></a> *Sent: * 2014-04-08 11:52:34 E *To: *freeipa-users@redhat.com *Subject: *[Freeipa-users] /var/kerberos/krb5kdc/principal missing <blockquote type="cite">I'm having the exact same issue as <a class="moz-txt-link-freetext" href="http://www.redhat.com/archives/freeipa-users/2013-October/msg00009.html">http://www.redhat.com/archives/freeipa-users/2013-October/msg00009.html</a> I upgraded from RHEL-6.3 to RHEL-6.5, and now FreeIPA won't start due to kadmind not starting. The kadmind.log contains an extremely unhelpful: Apr 08 11:31:20 i-31f62969 kadmind[20850](Error): No such file or directory while initializing, aborting Stracing `/usr/sbin/kadmind -P /var/run/kadmind.pid` results in: open("/var/kerberos/krb5kdc/principal", O_RDONLY) = -1 ENOENT (No such file or directory) gettimeofday({1396971844, 51536}, NULL) = 0 open("/etc/localtime", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f25440dd000 read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 3519 lseek(4, -2252, SEEK_CUR) = 1267 read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 2252 close(4) = 0 munmap(0x7f25440dd000, 4096) = 0 write(3, "Apr 08 11:44:04 i-31f62969 kadmi"..., 105) = 105 write(2, "kadmind: No such file or directo"..., 64kadmind: No such file or directory while initializing, aborting) = 64 close(3) = 0 munmap(0x7f25440df000, 4096) = 0 exit_group(1) = ? As requested in the linked thread, the dbmodules section looks like this: [dbmodules] CLIFF.CLOUDBURRITO.COM = { db_library = ipadb.so } Another important item of note, I have another IPA server which has not been upgraded from 6.3 yet, and the file is missing there too, but kadmind is currently running just fine... Ideas? -Patrick _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote> _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote> </blockquote> </body> </html>