On 01/25/2011 01:58 PM, James Roman wrote:
On 1/25/11 2:44 PM, Simo Sorce wrote:
On Tue, 25 Jan 2011 14:33:14 -0500
James Roman <james.ro...@ssaihq.com> wrote:

On 01/25/2011 12:42 PM, Simo Sorce wrote:
On Tue, 25 Jan 2011 12:04:25 -0500
James Roman <james.ro...@ssaihq.com> wrote:

I noticed today that one of our FreeIPA 1.2.2 servers has stopped
issuing tickets. When I attempt to restart all the IPA services the
krb5kdc service failed to restart with the following error:

krb5kdc: Unable to access Kerberos database - while initializing
database for realm DOMAIN.COM

I don't see any issues with the local LDAP database, or the kdc
account in the LDAP database. I suspect the problem is with the
ticket granting ticket on the problem server, but am unsure how to
go about validating this assertion. I have not tried to restart
the ipa services on the working server for fear that it might stop
working.
Do you see errors in /var/log/krb5kdc.log ?

Simo.

The error above is the only one that repeats in the krb5kdc.log when
I attempt to restart the krb5kdc service. The actual error that is
shown in standard out is:

Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm DOMAIN.COM
- see log file for details
Ok can you check the dirsrv logs and see if the KDC is actually trying
(and perhaps getting auth refused) at all ?

/var/log/dirsrv/slapd-DOMAIN-COM/access should show your KDC attempts
to access the LDAP server and bind as the uid=kdc..... user.

Simo.

Looks like an authentication failure:

[25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1

The ldappwd file on both systems look identical. I don't think that the SSL certificate comes into the equation, but I have no way of knowing whether it initiates TLS or not.
You can tell if the connection is using TLS/SSL because when the connection is opened you should see a log line that says what cipher suite is being used. You can tell if client cert auth is being used because there will be a line for that too.
Look for conn=391 lines before this one.
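Simo's suggestion is to pull every conn=391 line and see whether a cipher-suite line precedes the BIND. As an added example (not code from the thread or from FreeIPA), here is a small Python parser that groups 389-ds access-log lines by connection and reports each bind's DN, the result code of that bind (err=49 is LDAP invalidCredentials), and whether a TLS/SSL cipher line was logged earlier on the same connection. The sample lines are constructed around the two entries quoted above, and the exact wording of the cipher-suite line ("SSL <bits>-bit <cipher>") is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in 389-ds access-log format, built around the two
# entries quoted in the thread. conn=391 is the failing KDC bind (err=49 is
# LDAP invalidCredentials). conn=392 is a constructed TLS bind that succeeds;
# the "SSL <bits>-bit <cipher>" wording of the cipher line is an assumption.
SAMPLE_LOG = """\
[25/Jan/2011:15:11:29 -0500] conn=391 fd=73 slot=73 connection from 10.0.0.5 to 10.0.0.1
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
[25/Jan/2011:15:12:02 -0500] conn=392 fd=74 slot=74 SSL connection from 10.0.0.5 to 10.0.0.1
[25/Jan/2011:15:12:02 -0500] conn=392 SSL 256-bit AES
[25/Jan/2011:15:12:02 -0500] conn=392 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:12:02 -0500] conn=392 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'op=(?P<op>-?\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)")
CIPHER_RE = re.compile(r"^(SSL|TLS[\d.]*) \d+-bit \S+")  # cipher-suite line => TLS/SSL in use

def summarize_binds(log_text):
    """Group access-log lines by conn id. For each BIND record the DN, the
    auth method (128 = simple bind), whether a cipher-suite line was logged
    earlier on that connection, and the err code of the matching RESULT."""
    conns = defaultdict(lambda: {"tls": False, "binds": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c, rest = conns[int(m.group("conn"))], m.group("rest")
        if CIPHER_RE.match(rest):
            c["tls"] = True
        elif (b := BIND_RE.search(rest)):
            c["binds"].append({"op": int(b.group("op")), "dn": b.group("dn"),
                               "method": int(b.group("method")), "tls": c["tls"], "err": None})
        elif (r := RESULT_RE.search(rest)):
            # Attach the result to the outstanding BIND with the same op number.
            for bind in c["binds"]:
                if bind["op"] == int(r.group("op")) and bind["err"] is None:
                    bind["err"] = int(r.group("err"))
    return dict(conns)

if __name__ == "__main__":
    for conn_id, info in sorted(summarize_binds(SAMPLE_LOG).items()):
        for b in info["binds"]:
            print(f"conn={conn_id} {'TLS/SSL' if b['tls'] else 'cleartext'} "
                  f"bind as {b['dn']} -> err={b['err']}")
```

To run it against a real server, pass the contents of /var/log/dirsrv/slapd-DOMAIN-COM/access to summarize_binds instead of SAMPLE_LOG.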

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
