Brian Vetter wrote:
We had to shut down our FREEIPA server and move it. When I brought it back up
again today (all same IPs, network, etc), it failed to come up. I see lots of
various forms of the following messages when trying to start the ipa, named,
and other services:
What do you mean by move it? Physically move a machine or did you try to
move the configuration?
rob
"Failed to init credentials (Cannot contact any KDC for realm ..."
"startup - The default password storage scheme SSHA could not be read or was not
found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
"startup - The default password storage scheme SSHA could not be read or was not
found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
"krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
"kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial
credentials"
From what I can surmise after seeing these, something in kerberos is messed up.
I don't know for sure if it is related, but I see that the files referenced in
/var/kerberos/krb5kdc/kdc.conf are not there. In particular,
pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I
go about recovering them? I've tried (with fingers crossed) "yum reinstall
freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to
fix this. They didn't. Still get the same errors.
Is there some backdoor way to recreate these files from elsewhere in the
install? Perhaps buried in the 389 directory server's database and accessible
using db4.4_dump or some other tools? If there is no way to recreate them, is
there a way to reassert new keys without having to start all over? And if I
have to start all over, is there anyway to extract some of the records from the
dir DB so I can reload them with a new server?
Thanks for any suggestions/guidance,
Brian
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users