This is what the non-functional version looked like:

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CLOUD.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 CLIFF.CLOUDBURRITO.COM = {
  kdc = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:88
  master_kdc = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:88
  admin_server = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:749
  default_domain = cliff.cloudburrito.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

 CLOUD.COM = {
  kdc = i-6775b715.ipa-server.us-east-1.cloud.com
  kdc = i-32e87151.ipa-server.us-east-1.cloud.com
  admin_server = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:749
 }

[domain_realm]
 .cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM
 cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM
 cloud.com = CLOUD.COM
 .cloud.com = CLOUD.COM

[dbmodules]
 CLIFF.CLOUDBURRITO.COM = {
  db_library = ipadb.so
 }

This is what I did to fix it:

--- /etc/krb5.conf.orig 2014-04-08 12:33:01.376525373 -0400 +++ /etc/krb5.conf 2014-04-08 12:33:33.214975855 -0400 @@ -6,7 +6,7 @@ admin_server = FILE:/var/log/kadmind.log [libdefaults] - default_realm = CLOUD.COM + default_realm = CLIFF.CLOUDBURRITO.COM dns_lookup_realm = false dns_lookup_kdc = true rdns = false 
@@ -22,18 +22,10 @@ pkinit_anchors = FILE:/etc/ipa/ca.crt } - CLOUD.COM = { - kdc = i-6775b715.ipa-server.us-east-1.cloud.com - kdc = i-32e87151.ipa-server.us-east-1.cloud.com - admin_server = i-31f62969.ipa-server.us-west-1.cliff.cloudburrito.com:749 - } - [domain_realm] .cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM cliff.cloudburrito.com = CLIFF.CLOUDBURRITO.COM - cloud.com = CLOUD.COM - .cloud.com = CLOUD.COM [dbmodules] CLIFF.CLOUDBURRITO.COM = { db_library = ipadb.so

-Patrick

------------------------------------------------------------------------
*From: *Rob Crittenden <rcrit...@redhat.com>
*Sent: * 2014-04-08 13:33:53 E
*To: *Patrick Hemmer <free...@stormcloud9.net>, freeipa-users@redhat.com
*Subject: *Re: [Freeipa-users] /var/kerberos/krb5kdc/principal missing

> Patrick Hemmer wrote:
>> Figured it out.
>> Somehow during the upgrade process, the default_realm changed to one of
>> our other domains we use. I'm guessing some RPM postinstall script
>> pulled the domain out of sssd.conf as that's the only place on the box
>> where that domain is mentioned. We don't touch krb5.conf with any sort
>> of configuration management utility.
>>
>> Anyway, after removing the domain from the krb5.conf and restoring the
>> original settings, ipa started up normally.
>
> That's really strange.. I wonder if authconfig is doing something.
> What exactly did the file look like? We do try to update it to fix the
> dbmodules line but we already know the realm and domain from
> /etc/ipa/default.conf.
>
> rob
>
>>
>> -Patrick
>>
>>
>> ------------------------------------------------------------------------
>> *From: *Patrick Hemmer <free...@stormcloud9.net>
>> *Sent: * 2014-04-08 11:52:34 E
>> *To: *freeipa-users@redhat.com
>> *Subject: *[Freeipa-users] /var/kerberos/krb5kdc/principal missing
>>
>>> I'm having the exact same issue as
>>> http://www.redhat.com/archives/freeipa-users/2013-October/msg00009.html
>>> I upgraded from RHEL-6.3 to RHEL-6.5, and now FreeIPA won't start due
>>> to kadmind not starting.
>>>
>>> The kadmind.log contains an extremely unhelpful:
>>> Apr 08 11:31:20 i-31f62969 kadmind[20850](Error): No such file or
>>> directory while initializing, aborting
>>>
>>> Stracing `/usr/sbin/kadmind -P /var/run/kadmind.pid` results in:
>>> open("/var/kerberos/krb5kdc/principal", O_RDONLY) = -1 ENOENT (No such
>>> file or directory)
>>> gettimeofday({1396971844, 51536}, NULL) = 0
>>> open("/etc/localtime", O_RDONLY) = 4
>>> fstat(4, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
>>> fstat(4, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
>>> 0) = 0x7f25440dd000
>>> read(4,
>>> "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"...,
>>> 4096) = 3519
>>> lseek(4, -2252, SEEK_CUR) = 1267
>>> read(4,
>>> "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"...,
>>> 4096) = 2252
>>> close(4) = 0
>>> munmap(0x7f25440dd000, 4096) = 0
>>> write(3, "Apr 08 11:44:04 i-31f62969 kadmi"..., 105) = 105
>>> write(2, "kadmind: No such file or directo"..., 64kadmind: No such
>>> file or directory while initializing, aborting) = 64
>>> close(3) = 0
>>> munmap(0x7f25440df000, 4096) = 0
>>> exit_group(1) = ?
>>>
>>> As requested in the linked thread, the dbmodules section looks like
>>> this:
>>> [dbmodules]
>>> CLIFF.CLOUDBURRITO.COM = {
>>> db_library = ipadb.so
>>> }
>>>
>>> Another important item of note, I have another IPA server which has
>>> not been upgraded from 6.3 yet, and the file is missing there too, but
>>> kadmind is currently running just fine...
>>>
>>> Ideas?
>>>
>>> -Patrick
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
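Review bot: In the `@@ -6,7 +6,7 @@` hunk, `default_realm` is put back by hand with nothing that guards against it being rewritten again; the thread suspects an RPM postinstall script or authconfig changed it during the upgrade, and the file is not under configuration management. `[dbmodules]` only carries `db_library = ipadb.so` for CLIFF.CLOUDBURRITO.COM, so a `default_realm` of CLOUD.COM has no `[dbmodules]` entry, which is consistent with kadmind trying to open /var/kerberos/krb5kdc/principal in the strace. Suggest a post-upgrade check that `default_realm` equals the realm in /etc/ipa/default.conf before ipa is restarted.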
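Review bot: In the `@@ -22,18 +22,10 @@` hunk, the `cloud.com = CLOUD.COM` and `.cloud.com = CLOUD.COM` mappings are removed while `dns_lookup_realm = false` stays set, so this file no longer maps hosts under cloud.com to CLOUD.COM. The thread says sssd.conf still mentions that domain, so confirm nothing on the box relies on krb5.conf for CLOUD.COM before dropping the stanza. The removed stanza also had `admin_server` pointing at the cliff.cloudburrito.com host while both `kdc` lines pointed at cloud.com hosts, which is worth recording in the change description as a sign the stanza was generated rather than written on purpose.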
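The mismatch diagnosed in this thread (a `default_realm` that has no `ipadb.so` entry in `[dbmodules]`) can be checked mechanically; the following is an added example, not code from the thread or from FreeIPA. The function names and the `ipa_realm` parameter are assumptions (the expected realm would come from /etc/ipa/default.conf, which Rob mentions), and the sample text is constructed from the posted file.

```python
import re

# Constructed sample: the non-functional file from the thread, trimmed.
BROKEN = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
 default_realm = CLOUD.COM
[realms]
 CLOUD.COM = {
  kdc = i-6775b715.ipa-server.us-east-1.cloud.com
 }
[dbmodules]
 CLIFF.CLOUDBURRITO.COM = {
  db_library = ipadb.so
 }
"""
FIXED = BROKEN.replace("realm = CLOUD.COM", "realm = CLIFF.CLOUDBURRITO.COM")

def parse_krb5_conf(text):
    """Parse into {section: {key: value or {subkey: value}}}; last value wins."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("include"):
            continue  # blank line, comment, or include/includedir directive
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def check_default_realm(text, ipa_realm):
    """List mismatches between default_realm, the IPA realm and [dbmodules]."""
    conf = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    problems = []
    if realm != ipa_realm:
        problems.append(f"default_realm is {realm}, expected {ipa_realm}")
    modules = conf.get("dbmodules", {}).get(realm)
    if not isinstance(modules, dict) or modules.get("db_library") != "ipadb.so":
        problems.append(f"[dbmodules] has no ipadb.so entry for {realm}")
    return problems
```

Run against the real /etc/krb5.conf after a package upgrade, an empty list means the realm settings still line up.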