Gronde, Christopher (Contractor) wrote:
> Nothing bad came back and there is definitely data in the tree.

Ok, I guess I'd try to start the kdc again and then watch the 389-ds access log (buffered) to:

1. See if it is binding at all
2. See what the search is and what, if any, results were returned

This would be in /var/log/dirsrv/slapd-YOUR_REALM/access

rob

> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: Monday, November 09, 2015 11:46 AM
> To: Gronde, Christopher (Contractor) <[email protected]>; Alexander Bokovoy <[email protected]>
> Cc: [email protected]
> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)
>
> Gronde, Christopher (Contractor) wrote:
>> I restarted dirsrv and attempted to start krb5kdc and this is what the
>> error log shows
>>
>> # tail /var/log/dirsrv/slapd-ITMODEV-GOV/errors
>> [09/Nov/2015:11:01:02 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 28016640B; We recommend to increase the entry cache size nsslapd-cachememsize.
>> [09/Nov/2015:11:01:02 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [09/Nov/2015:11:06:04 -0500] - slapd shutting down - signaling operation threads
>> [09/Nov/2015:11:06:04 -0500] - slapd shutting down - closing down internal subsystems and plugins
>> [09/Nov/2015:11:06:04 -0500] - Waiting for 4 database threads to stop
>> [09/Nov/2015:11:06:04 -0500] - All database threads now stopped
>> [09/Nov/2015:11:06:04 -0500] - slapd stopped.
>> [09/Nov/2015:11:14:20 -0500] - 389-Directory/1.2.11.15 B2015.247.1737 starting up
>> [09/Nov/2015:11:14:20 -0500] - WARNING: userRoot: entry cache size 10485760B is less than db size 28016640B; We recommend to increase the entry cache size nsslapd-cachememsize.
>> [09/Nov/2015:11:14:20 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>
> Ok, that's good.
>
> I'd do something like this to see what is in the db (substitute example.com with your domain):
>
> $ ldapsearch -x -D 'cn=Directory Manager' -W -s one -b cn=kerberos,dc=example,dc=com
>
> (don't post the output as it would include the kerberos master key).
>
> If that returns nothing that's bad.
>
> If it succeeds I'd broaden the search base a bit to see what data you do have:
>
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=groups,cn=accounts,dc=example,dc=com
>
> I picked groups because usually groups << users in numbers. This is just to see if you have data in the tree.
>
> Let us know if either or both turns up nothing.
>
> rob
>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:[email protected]]
>> Sent: Monday, November 09, 2015 10:51 AM
>> To: Gronde, Christopher (Contractor) <[email protected]>
>> Cc: [email protected]
>> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)
>>
>> On Mon, 09 Nov 2015, Gronde, Christopher (Contractor) wrote:
>>> Hello all!
>>>
>>> On my replica IPA server, after fixing a cert issue that had been going on
>>> for some time, I have all my certs figured out but the krb5kdc service will
>>> not start.
>>>
>>> # service krb5kdc start
>>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm ITMODEV.GOV - see log file for details [FAILED]
>>>
>>> # cat /var/log/krb5kdc.log
>>> krb5kdc: Server error - while fetching master key K/M for realm ITMODEV.GOV
>>> krb5kdc: Server error - while fetching master key K/M for realm ITMODEV.GOV
>>> krb5kdc: Server error - while fetching master key K/M for realm ITMODEV.GOV
>>>
>>> I found this article online:
>>> http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml
>>>
>>> Which stated it might be because "The slave KDC does not have a stash
>>> file (.k5.EXAMPLE.COM). You need to create one." Tried the command listed:
>>>
>>> # kdb5_util stash
>>> kdb5_util: Server error while retrieving master entry
>>>
>>> No further information found on the preceding error above for the
>>> kdb5_util command.
>>>
>>> Any thoughts?
>> First: don't use instructions which are not related to IPA, please.
>>
>> FreeIPA has its own LDAP driver for KDC and instructions for anything else
>> do not apply here at all.
>>
>> If you see 'Server error - while fetching master key ..' it means the KDC LDAP
>> driver was unable to contact the LDAP server. Does the LDAP server work on the
>> replica? What is in its error log (/var/log/dirsrv/slapd-ITMODEV-GOV/errors)?
>>
>> --
>> / Alexander Bokovoy
>>
>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
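The access-log check Rob suggests at the top of this message (did the KDC bind, and what did its search return) can be answered at a glance with the script below. It is added here as an example and is not code from the thread or from FreeIPA; it assumes the standard 389-ds access-log line format (conn=/op= pairs tying BIND and SRCH lines to their RESULT line) and runs against a constructed sample log; on a replica you would feed it /var/log/dirsrv/slapd-YOUR_REALM/access instead.

```shell
# Added example (not from the thread): per connection, print every BIND and
# SRCH together with its RESULT (err, nentries), flagging failed operations and
# searches that matched nothing. Usage: kdc_ldap_trace /var/log/dirsrv/slapd-REALM/access

# Constructed sample in the 389-ds access-log line format: conn=5 is a healthy
# lookup of the realm container, conn=6 is a one-level search under cn=kerberos
# that comes back empty (the "returns nothing" case discussed above).
sample_access_log() {
  cat <<'EOF'
[09/Nov/2015:11:20:01 -0500] conn=5 fd=64 slot=64 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[09/Nov/2015:11:20:01 -0500] conn=5 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[09/Nov/2015:11:20:01 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[09/Nov/2015:11:20:01 -0500] conn=5 op=1 SRCH base="cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com" scope=0 filter="(objectClass=krbRealmContainer)" attrs="krbMKey"
[09/Nov/2015:11:20:01 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2015:11:21:40 -0500] conn=6 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[09/Nov/2015:11:21:40 -0500] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[09/Nov/2015:11:21:40 -0500] conn=6 op=1 SRCH base="cn=kerberos,dc=example,dc=com" scope=1 filter="(objectClass=krbRealmContainer)" attrs="krbMKey"
[09/Nov/2015:11:21:40 -0500] conn=6 op=1 RESULT err=0 tag=101 nentries=0 etime=0
EOF
}

kdc_ldap_trace() {
  awk '
    # val(s, key): value of " key=..." on line s, quoted or bare; "" if absent
    function val(s, key,    re) {
      re = " " key "=\"[^\"]*\""
      if (match(s, re)) return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      re = " " key "=[^ ]+"
      if (match(s, re)) return substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
      return ""
    }
    { k = val($0, "conn") "/" val($0, "op") }     # conn/op pairs a BIND or SRCH with its RESULT
    / BIND dn=/   { pending[k] = "BIND dn=\"" val($0, "dn") "\" mech=" val($0, "mech") }
    / SRCH base=/ { pending[k] = "SRCH base=\"" val($0, "base") "\" scope=" val($0, "scope") }
    / RESULT err=/ && (k in pending) {
      err = val($0, "err"); n = val($0, "nentries"); flag = ""
      if (err != "0")                              flag = "  <-- FAILED (err=" err ")"
      else if (pending[k] ~ /^SRCH/ && n == "0")   flag = "  <-- NO ENTRIES"
      print "conn=" val($0, "conn") " " pending[k] " -> err=" err " nentries=" n flag
      delete pending[k]
    }
  ' "$@"
}

sample_access_log | kdc_ldap_trace
```

A bind that fails shows up as FAILED on the BIND line; a bind that succeeds but whose search comes back empty or with a non-zero err is the "returns nothing" case Rob describes.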
