Gronde, Christopher (Contractor) wrote:
> I restarted dirsrv and attempted to start krb5kdc and this is what the error
> log shows
>
> # tail /var/log/dirsrv/slapd-ITMODEV-GOV/errors
> [09/Nov/2015:11:01:02 -0500] - WARNING: userRoot: entry cache size 10485760B
> is less than db size 28016640B; We recommend to increase the entry cache size
> nsslapd-cachememsize.
> [09/Nov/2015:11:01:02 -0500] - slapd started. Listening on All Interfaces
> port 389 for LDAP requests
> [09/Nov/2015:11:06:04 -0500] - slapd shutting down - signaling operation
> threads
> [09/Nov/2015:11:06:04 -0500] - slapd shutting down - closing down internal
> subsystems and plugins
> [09/Nov/2015:11:06:04 -0500] - Waiting for 4 database threads to stop
> [09/Nov/2015:11:06:04 -0500] - All database threads now stopped
> [09/Nov/2015:11:06:04 -0500] - slapd stopped.
> [09/Nov/2015:11:14:20 -0500] - 389-Directory/1.2.11.15 B2015.247.1737
> starting up
> [09/Nov/2015:11:14:20 -0500] - WARNING: userRoot: entry cache size 10485760B
> is less than db size 28016640B; We recommend to increase the entry cache size
> nsslapd-cachememsize.
> [09/Nov/2015:11:14:20 -0500] - slapd started. Listening on All Interfaces
> port 389 for LDAP requests
Ok, that's good. I'd do something like this to see what is in the db
(substitute example.com with your domain):

$ ldapsearch -x -D 'cn=Directory Manager' -W -s one -b cn=kerberos,dc=example,dc=com

(don't post the output as it would include the kerberos master key).

If that returns nothing that's bad. If it succeeds I'd broaden the search
base a bit to see what data you do have:

$ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=groups,cn=accounts,dc=example,dc=com

I picked groups because usually groups << users in numbers. This is just to
see if you have data in the tree.

Let us know if either or both turns up nothing.

rob

>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:[email protected]]
> Sent: Monday, November 09, 2015 10:51 AM
> To: Gronde, Christopher (Contractor) <[email protected]>
> Cc: [email protected]
> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
> error)
>
> On Mon, 09 Nov 2015, Gronde, Christopher (Contractor) wrote:
>> Hello all!
>>
>> On my replica IPA server after fixing a cert issue that had been going on
>> for some time, I have all my certs figured out but the krb5kdc service will
>> not start.
>>
>> # service krb5kdc start
>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm ITMODEV.GOV - see
>> log file for details [FAILED]
>>
>> # cat /var/log/krb5kdc.log
>> krb5kdc: Server error - while fetching master key K/M for realm
>> ITMODEV.GOV
>> krb5kdc: Server error - while fetching master key K/M for realm
>> ITMODEV.GOV
>> krb5kdc: Server error - while fetching master key K/M for realm
>> ITMODEV.GOV
>>
>> I found this article online:
>> http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml
>>
>> Which stated it might be because the slave KDC does not have a stash
>> file (.k5.EXAMPLE.COM). You need to create one. Tried the command
>> listed:
>>
>> # kdb5_util stash
>> kdb5_util: Server error while retrieving master entry
>>
>> No further information found on the proceeding error above for the kdb5_util
>> command.
>>
>> Any thoughts?
> First: don't use instructions which are not related to IPA, please.
>
> FreeIPA has its own LDAP driver for KDC and instructions for anything else do
> not apply here at all.
>
> If you see 'Server error - while fetching master key ..' it means KDC LDAP
> driver was unable to contact LDAP server. Does LDAP server work on the
> replica? What is in its error log (/var/log/dirsrv/slapd-ITMODEV-GOV/errors)?
>
> --
> / Alexander Bokovoy
>
> --
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
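The two checks in the reply above (is dirsrv actually up, and does the cn=kerberos subtree hold anything) are easy to script so that the answer can be shared without pasting the ldapsearch output, which would carry the realm's krbMKey. The following is an added example, not code from the thread or from the FreeIPA project: it parses 389-ds error-log lines for the slapd start/stop state and the entry-cache warning quoted above, and it reduces an ldapsearch LDIF result to a count of entries plus their DNs, discarding every attribute value. The sample log lines are the ones from the thread; the LDIF sample, the `dc=example,dc=com` suffix and the krbMKey placeholder are constructed, and the "round up to the next MiB" sizing rule for `nsslapd-cachememsize` is an assumption of this example, not a 389-ds recommendation.

```python
"""Added example (not from the thread): triage helpers for the checks
suggested in the reply -- parse the dirsrv errors log and summarise
ldapsearch LDIF output as DNs only, so no krbMKey value is ever copied."""
import base64
import re
from typing import Dict, List

# One regex for the warning quoted in the thread (one log line in the real file).
CACHE_WARNING = re.compile(
    r"WARNING: (?P<backend>\S+): entry cache size (?P<cache>\d+)B "
    r"is less than db size (?P<db>\d+)B"
)

# Log lines as posted in the thread (the warning is a single line on disk).
SAMPLE_ERRORS = [
    "[09/Nov/2015:11:14:20 -0500] - 389-Directory/1.2.11.15 B2015.247.1737 starting up",
    "[09/Nov/2015:11:14:20 -0500] - WARNING: userRoot: entry cache size 10485760B "
    "is less than db size 28016640B; We recommend to increase the entry cache size "
    "nsslapd-cachememsize.",
    "[09/Nov/2015:11:14:20 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests",
]

# Constructed ldapsearch -x -s one output; the krbMKey value is a placeholder.
SAMPLE_KERBEROS_LDIF = """\
# extended LDIF
# base <cn=kerberos,dc=example,dc=com> with scope oneLevel

dn: cn=ITMODEV.GOV,cn=kerberos,dc=example,dc=co
 m
cn: ITMODEV.GOV
objectClass: krbrealmcontainer
objectClass: top
krbMKey:: UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=

# search result
search: 2
result: 0 Success
# numEntries: 1
"""


def parse_dirsrv_errors(lines: List[str]) -> Dict[str, object]:
    """Return the last known slapd state and any entry-cache warnings per backend."""
    state: Dict[str, object] = {"running": None, "cache_warnings": {}}
    for line in lines:
        m = CACHE_WARNING.search(line)
        if m:
            state["cache_warnings"][m.group("backend")] = {
                "cache_bytes": int(m.group("cache")),
                "db_bytes": int(m.group("db")),
            }
        if "slapd started" in line:
            state["running"] = True
        elif "slapd stopped" in line:
            state["running"] = False
    return state


def recommended_cachememsize(db_bytes: int) -> int:
    """Assumption of this example: cache at least the db size, rounded up to a MiB."""
    mib = 1024 * 1024
    return ((db_bytes + mib - 1) // mib) * mib


def summarize_search(ldif: str) -> Dict[str, object]:
    """Count entries and collect DNs; attribute values are never returned."""
    unfolded: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:      # LDIF continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    dns: List[str] = []
    for line in unfolded:
        if line.startswith("dn:: "):              # base64-encoded DN
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return {"entries": len(dns), "dns": dns}


def triage(error_lines: List[str], kerberos_ldif: str) -> List[str]:
    """Findings a replica admin could paste into a reply without leaking keys."""
    findings: List[str] = []
    state = parse_dirsrv_errors(error_lines)
    if state["running"] is not True:
        findings.append("dirsrv: no 'slapd started' seen; KDC cannot reach LDAP")
    for backend, sizes in state["cache_warnings"].items():
        findings.append(
            f"{backend}: entry cache {sizes['cache_bytes']}B < db {sizes['db_bytes']}B; "
            f"consider nsslapd-cachememsize >= {recommended_cachememsize(sizes['db_bytes'])}"
        )
    summary = summarize_search(kerberos_ldif)
    if summary["entries"] == 0:
        findings.append("cn=kerberos: search returned no entries (bad)")
    else:
        findings.append(f"cn=kerberos: {summary['entries']} entries: {summary['dns']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ERRORS, SAMPLE_KERBEROS_LDIF):
        print(finding)
```

In practice the LDIF would come from `ldapsearch -x -D 'cn=Directory Manager' -W -s one -b cn=kerberos,dc=example,dc=com` piped into `summarize_search`, and the log lines from `tail /var/log/dirsrv/slapd-ITMODEV-GOV/errors`; the output of `triage` contains DNs and byte counts only, which is safe to post to a list.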
