> On Wed, 15 Aug 2018, Kat wrote:
> I think you missed the point. This only happens randomly, but to clarify - it also lists the host fully qualified.
Then show the log entries from krb5kdc.log.

> One entry might list the host as host1.example.com with username1 as the principal. The next entry is identical and it throws the error as not in the database. The only difference is random times. It comes from the exact same jobs, but these jobs run hourly for example, and sometimes they fail, sometimes they don't.
>
> Does that help at all? I will try to get exact log entries, just have to sanitize them.
No, it doesn't. You need to show logs. Make sure to differentiate
between fqdn and non-fqdn in the sanitized logs too.

'Server not found in Kerberos database' is a clear error message that
says a Kerberos client attempts to obtain a ticket to a service the KDC
doesn't know about. In most cases this is indeed about FQDN/non-FQDN
hostnames in use.

There are 3 conditions in KDC code for this error:
- an empty (NULL) target service was requested
- a target service Kerberos principal was not found
- a referral to the target service realm was not found

Theoretically, the latter two can be caused by an LDAP driver not being
able to look up the entry for the target service Kerberos principal for
whatever reason, but then we could see an error in either krb5kdc.log
or in the access log of the LDAP server, associated with the connection
used by the krb5kdc.

> On 8/15/18 10:05, Alexander Bokovoy wrote:
>> On Wed, 15 Aug 2018, Kat via FreeIPA-users wrote:
>>> Hi all --
>>>
>>> RHEL 7.5 as of yesterday and 4.5.4-10.el7_5.3 FreeIPA.
>>>
>>> I am randomly seeing: Server not found in Kerberos database
>>>
>>> for a host that seems to work just fine, and understand that most of the time you see normal authentications happening for this same host, so it is not happening all the time. Looking for guidance as to where to look when one sees this kind of error popping up in the IPA Server logs.
>> Can you show the exact message from the /var/log/krb5kdc.log on the IPA master?
>>
>> The most likely reason for this is that you have clients configured with
>> non-fully qualified domain names and asking for tickets to such servers,
>> so that you get a request to, say, host/some-hostname@REALM instead of
>> host/some-hostname.my.domain@REALM.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/2ZRCACA624XGDEURUIIA2NAGPQ5E37K3/
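One way to triage such krb5kdc.log entries, as an added example that is not part of this thread and not FreeIPA's own tooling: the script below scans KDC log lines for 'Server not found in Kerberos database', splits the requested server principal into service and host, and reports whether the host was a short name, also checking whether the same service was successfully issued for a matching FQDN elsewhere in the same log (the "sometimes it works, sometimes it fails" pattern). The sample lines are constructed in the MIT krb5 KDC log format; the host names, addresses, principals and realm are made up.

```python
import re

NOT_FOUND = "Server not found in Kerberos database"

# Constructed sample lines modelled on the MIT krb5 KDC log format (not taken
# from the thread): one host, "host1", runs an hourly job; two of its requests
# succeed with the FQDN and one fails with the short name.  A fourth line shows
# a failure that is NOT a short-name problem.
SAMPLE_LOG = """\
Aug 15 09:00:01 ipa.example.com krb5kdc[2301](info): TGS_REQ (6 etypes {18 17 20 19 16 23}) 192.0.2.10: ISSUE: authtime 1534316400, etypes {rep=18 tkt=18 ses=18}, username1@EXAMPLE.COM for host/host1.example.com@EXAMPLE.COM
Aug 15 10:00:02 ipa.example.com krb5kdc[2301](info): TGS_REQ (6 etypes {18 17 20 19 16 23}) 192.0.2.10: LOOKING_UP_SERVER: authtime 0,  username1@EXAMPLE.COM for host/host1@EXAMPLE.COM, Server not found in Kerberos database
Aug 15 11:00:01 ipa.example.com krb5kdc[2301](info): TGS_REQ (6 etypes {18 17 20 19 16 23}) 192.0.2.10: ISSUE: authtime 1534323600, etypes {rep=18 tkt=18 ses=18}, username1@EXAMPLE.COM for host/host1.example.com@EXAMPLE.COM
Aug 15 12:00:03 ipa.example.com krb5kdc[2301](info): TGS_REQ (6 etypes {18 17 20 19 16 23}) 192.0.2.11: LOOKING_UP_SERVER: authtime 0,  svc_backup@EXAMPLE.COM for nfs/nas01.example.com@EXAMPLE.COM, Server not found in Kerberos database
"""

# "<client principal> for <service>/<host>@<REALM>" as the KDC writes it
REQ_RE = re.compile(
    r"(?P<client>\S+) for (?P<service>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>[^,\s]+)"
)


def parse_request(line):
    """Return the client, service, host and realm named in a KDC request
    line, or None for lines that carry no 'X for Y' request."""
    m = REQ_RE.search(line)
    return m.groupdict() if m else None


def is_fqdn(host):
    # FreeIPA keys host-based service principals by FQDN, so a host label
    # without any dot is the classic sign of a client using a short name.
    return "." in host


def summarize(log_text):
    """Classify every 'Server not found' line in a krb5kdc.log excerpt.

    For a short-name failure, also report whether the same service was
    issued for an FQDN whose first label matches; that is what the
    intermittent pattern described in the thread looks like when the
    client resolves the server name differently between runs.
    """
    issued = set()   # (service, host) pairs the KDC successfully issued
    failures = []
    for line in log_text.splitlines():
        req = parse_request(line)
        if req is None:
            continue
        if NOT_FOUND in line:
            failures.append(req)
        elif ": ISSUE:" in line:
            issued.add((req["service"], req["host"].lower()))

    findings = []
    for req in failures:
        host = req["host"]
        fqdn_variant = None
        if is_fqdn(host):
            # The client asked for a fully qualified name and the KDC still
            # has no principal: either it really is missing, or the lookup
            # in the LDAP backend (or the realm referral) failed, in which
            # case the LDAP server's access log for the krb5kdc connection
            # is the next place to look.
            verdict = "FQDN principal unknown to KDC; check LDAP/realm referral"
        else:
            for svc, h in issued:
                if svc == req["service"] and h.split(".")[0] == host.lower():
                    fqdn_variant = h
            verdict = "non-FQDN server name requested by client"
        findings.append({
            "client": req["client"],
            "service": req["service"],
            "host": host,
            "fqdn": is_fqdn(host),
            "fqdn_variant_seen": fqdn_variant,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

Run it against a real excerpt by replacing SAMPLE_LOG with the sanitized lines; keep the "for ... @REALM" part intact when sanitizing, since that is exactly the field that tells FQDN from non-FQDN requests. A short-name failure that has a matching FQDN success in the same log points at the client's name resolution or its krb5.conf/DNS setup; an FQDN failure points at the KDC side (missing principal, referral, or LDAP lookup).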