On Wed, Jul 22, 2015 at 11:39:25AM +0200, Torsten Harenberg wrote:
> Dear Alexander, dear Sumit,
>
> thank you very much indeed for the quick replies.
>
> On 22.07.15 at 11:21, Sumit Bose wrote:
> > Looks like there are issues getting the needed data from the local LDAP
> > server. The message below about the master key points into the same
> > direction. Can you check the 389ds logs?
>
> I have attached the
> /var/log/dirsrv/slapd-PLEIADES-UNI-WUPPERTAL-DE/errors file to the end
> of the mail, it's a bit larger.
>
> There are some "ticket expired" messages, could that point to the source
> of the problem?
>
> On 22.07.15 at 11:22, Alexander Bokovoy wrote:
> > Do you have 389-ds actually operating? If you would install debuginfo
> > packages, what does 'pstack <pid of ns-slapd>' print?
>
> here is the output:

Thank you for the logs. It looks like the KDC cannot talk to the LDAP server and the LDAP server cannot talk to the KDC to renew a Kerberos ticket. So we have to find out which came first.

To rule out KDC lookup issues it would be good if you can send the content for /etc/krb5.conf and /var/lib/sss/pubconf/kdcinfo.* . Feel free to send it to Alexander and me by private mail if you do not want to disclose details of your environment on a public list.

bye,
Sumit
