No. They are running on Fedora 17 on bare metal.

Brian

On Jul 9, 2013, at 2:30 PM, Rich Megginson wrote:

> On 07/09/2013 01:08 PM, Brian Vetter wrote:
>> Copying dse.ldif.bak worked.
> 
> Great!  Are these systems running on a VM?
> 
>> 
>> Thanks,
>> 
>> Brian
>> 
>> On Jul 9, 2013, at 1:53 PM, Rich Megginson wrote:
>> 
>>> On 07/09/2013 12:49 PM, Brian Vetter wrote:
>>>> Here is the directory listing ...
>>>> 
>>>> On Jul 8, 2013, at 8:13 PM, Rich Megginson wrote:
>>>> 
>>>>> On 07/08/2013 06:15 PM, Brian Vetter wrote:
>>>>>> We had to shut down our FREEIPA server and move it. When I brought it 
>>>>>> back up again today (all same IPs, network, etc), it failed to come up. 
>>>>>> I see lots of various forms of the following messages when trying to 
>>>>>> start the ipa, named, and other services:
>>>>>> 
>>>>>> "Failed to init credentials (Cannot contact any KDC for realm ..."
>>>>>> "startup - The default password storage scheme SSHA could not be read or 
>>>>>> was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It 
>>>>>> is mandatory."
>>>>>> "startup - The default password storage scheme SSHA could not be read or 
>>>>>> was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is 
>>>>>> mandatory."
>>>>> ls -alrtF /etc/dirsrv/slapd-*
>>>> # ls -alrtF /etc/dirsrv/slapd-*
>>>> /etc/dirsrv/slapd-PKI-IPA:
>>>> total 484
>>>> -r--r-----. 1 pkisrv dirsrv  33763 Sep 25  2012 dse_original.ldif
>>>> -r--r-----. 1 pkisrv dirsrv   3595 Sep 25  2012 certmap.conf
>>>> -r--r-----. 1 pkisrv dirsrv   5366 Sep 25  2012 slapd-collations.conf
>>>> -rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 secmod.db.orig
>>>> -rw-------. 1 pkisrv dirsrv     40 Sep 25  2012 pwdfile.txt
>>>> -r--------. 1 pkisrv dirsrv     66 Sep 25  2012 pin.txt
>>>> drwxrwxr-x. 6 root   dirsrv   4096 Sep 25  2012 ../
>>>> -rw-rw----. 1 pkisrv dirsrv  16384 Sep 25  2012 key3.db.orig
>>>> -rw-rw----. 1 pkisrv dirsrv  65536 Sep 25  2012 cert8.db.orig
>>>> -rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.startOK
>>>> drwxrwx---. 2 pkisrv dirsrv   4096 Jun 24 15:33 schema/
>>>> -rw-------. 1 pkisrv root    16384 Jun 24 15:33 secmod.db
>>>> -rw-------. 1 pkisrv dirsrv 111599 Jun 24 15:33 dse.ldif.bak
>>>> -rw-------. 1 pkisrv dirsrv      0 Jul  3 18:43 dse.ldif
>>>> drwxrwx---. 3 pkisrv dirsrv   4096 Jul  3 18:43 ./
>>>> -rw-------. 1 pkisrv root    16384 Jul  8 21:31 key3.db
>>>> -rw-------. 1 pkisrv root    65536 Jul  8 21:31 cert8.db
>>>> 
>>>> /etc/dirsrv/slapd-TESTREALM-COM:
>>>> total 1316
>>>> -r--r-----. 1 dirsrv dirsrv 33866 Sep 25  2012 dse_original.ldif
>>>> -r--r-----. 1 dirsrv dirsrv  5366 Sep 25  2012 slapd-collations.conf
>>>> -rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 secmod.db.orig
>>>> -rw-------. 1 dirsrv dirsrv    40 Sep 25  2012 pwdfile.txt
>>>> -r--------. 1 dirsrv dirsrv    66 Sep 25  2012 pin.txt
>>>> -r--r-----. 1 dirsrv dirsrv  3637 Sep 25  2012 certmap.conf
>>>> -rw-rw----. 1 dirsrv dirsrv 16384 Sep 25  2012 key3.db.orig
>>>> -rw-rw----. 1 dirsrv dirsrv 65536 Sep 25  2012 cert8.db.orig
>>>> drwxrwxr-x. 6 root   dirsrv  4096 Sep 25  2012 ../
>>>> -rw-------. 1 dirsrv root   88102 Oct 16  2012 dse.ldif.ipa.7536ea943b6ffd19
>>>> -rw-------. 1 dirsrv root   88050 Oct 18  2012 dse.ldif.ipa.b321343f4245e859
>>>> -rw-------. 1 dirsrv root   88050 Oct 28  2012 dse.ldif.ipa.6f187ed275f2c8d6
>>>> -rw-------. 1 dirsrv root   88050 Oct 31  2012 dse.ldif.ipa.a77259fe47a3f1ef
>>>> -rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.45e94baeae26de8b
>>>> -rw-------. 1 dirsrv root   88050 Dec  5  2012 dse.ldif.ipa.df63ce99558b2b8b
>>>> -rw-------. 1 dirsrv root   88361 Dec 19  2012 dse.ldif.ipa.2808d9c2613eaf22
>>>> -rw-------. 1 dirsrv root   88361 Jan 21 14:22 dse.ldif.ipa.da912fc817573d85
>>>> -rw-------. 1 dirsrv root   88361 Mar 16 14:03 dse.ldif.ipa.17df93a6a8d16ed9
>>>> -rw-------. 1 dirsrv root   88361 Jun 24 15:33 dse.ldif.ipa.f5dec6078ee62fe5
>>>> -rw-------. 1 dirsrv dirsrv 88359 Jun 24 15:33 dse.ldif.startOK
>>>> drwxrwx---. 2 dirsrv dirsrv  4096 Jun 24 15:33 schema/
>>>> -rw-------. 1 dirsrv root   16384 Jun 24 15:33 secmod.db
>>>> -rw-------. 1 dirsrv dirsrv 88361 Jun 24 15:33 dse.ldif.bak
>>>> -rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.e9532be9acc9603f
>>>> -rw-------. 1 root   root       0 Jul  3 18:43 dse.ldif.ipa.5cec24995ad13b30
>>>> -rw-------. 1 dirsrv dirsrv     0 Jul  3 18:43 dse.ldif
>>>> drwxrwx---. 3 dirsrv dirsrv  4096 Jul  8 18:50 ./
>>>> -rw-------. 1 dirsrv root   16384 Jul  8 21:31 key3.db
>>>> -rw-------. 1 dirsrv root   65536 Jul  8 21:31 cert8.db
>>> If 389/dirsrv is not running, you can replace the 0 length dse.ldif with 
>>> the dse.ldif.bak.
>>> cp -p dse.ldif.bak dse.ldif
>>> 
>>> We have fixed this issue in 1.3.2
>>> 
>>> Are these servers running in a VM?
>>>>>> "krb5kdc: Server error - while fetching master key K/M for realm 
>>>>>> TESTREALM.COM"
>>>>>> "kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting 
>>>>>> initial credentials"
>>>>>> 
>>>>>> From what I can surmise after seeing these, something in kerberos is 
>>>>>> messed up. I don't know for sure if it is related, but I see that the 
>>>>>> files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In 
>>>>>> particular,
>>>>>> 
>>>>>> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
>>>>>> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
>>>>>> 
>>>>>> If this is likely the case (or perhaps just the first thing I've run 
>>>>>> into that is wrong), how do I go about recovering them? I've tried (with 
>>>>>> fingers crossed) "yum reinstall freeipa-server" and "yum update 
>>>>>> freeipa-server" hoping that they'd see the need to fix this. They 
>>>>>> didn't. Still get the same errors.
>>>>>> 
>>>>>> Is there some backdoor way to recreate these files from elsewhere in the 
>>>>>> install? Perhaps buried in the 389 directory server's database and 
>>>>>> accessible using db4.4_dump or some other tools? If there is no way to 
>>>>>> recreate them, is there a way to reassert new keys without having to 
>>>>>> start all over? And if I have to start all over, is there any way to 
>>>>>> extract some of the records from the dir DB so I can reload them with a 
>>>>>> new server?
>>>>>> 
>>>>>> Thanks for any suggestions/guidance,
>>>>>> 
>>>>>> Brian
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
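
The recovery discussed in this thread (a zero-length dse.ldif replaced from dse.ldif.bak while the directory server is stopped), written out as an added example that is not part of the original messages. The function name `restore_dse`, the pid-file path `/var/run/dirsrv/slapd-INSTANCE.pid` and the `cn=config` sanity check on the backup are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: restore zero-length dse.ldif files from dse.ldif.bak for
# every 389 DS instance directory (slapd-*) under a config root.
# Run as root so the liveness check and cp -p ownership both work.

# restore_dse [CONF_ROOT] [RUN_DIR]
# Prints one status line per instance; returns 1 if any instance was not fixed.
restore_dse() {
    conf_root=${1:-/etc/dirsrv}
    run_dir=${2:-/var/run/dirsrv}      # assumed pid-file location
    rc=0
    for inst in "$conf_root"/slapd-*; do
        [ -d "$inst" ] || continue
        name=${inst##*/}
        dse=$inst/dse.ldif
        bak=$inst/dse.ldif.bak
        # A non-empty dse.ldif is left alone.
        if [ -s "$dse" ]; then
            echo "$name: ok"
            continue
        fi
        # Only replace the file while the instance is stopped, as advised
        # in the thread.
        pid=$(cat "$run_dir/$name.pid" 2>/dev/null) || pid=
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            echo "$name: skipped, server running (pid $pid)"; rc=1
            continue
        fi
        # The backup must be non-empty and start a real config tree.
        if [ ! -s "$bak" ] || ! grep -qi '^dn: cn=config' "$bak"; then
            echo "$name: no usable dse.ldif.bak"; rc=1
            continue
        fi
        # cp -p carries owner, group and mode over from the backup, so the
        # restored file stays readable only by the directory server user.
        if cp -p "$bak" "$dse"; then
            echo "$name: restored from dse.ldif.bak"
        else
            echo "$name: copy failed"; rc=1
        fi
    done
    return $rc
}
```

Called with no arguments it walks /etc/dirsrv; the status lines show which instances were repaired and which still need attention before the IPA services are started.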

