On Mon, 09 Nov 2015, Gronde, Christopher (Contractor) wrote:
Hello all!

On my replica IPA server after fixing a cert issue that had been going on for
some time, I have all my certs figured out but the krb5kdc service will not
start.

# service krb5kdc start
Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm ITMODEV.GOV - see log 
file for details                  [FAILED]

# cat /var/log/krb5kdc.log
krb5kdc: Server error - while fetching master key K/M for realm ITMODEV.GOV
krb5kdc: Server error - while fetching master key K/M for realm ITMODEV.GOV
krb5kdc: Server error - while fetching master key K/M for realm ITMODEV.GOV

I found this article online:  
http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml

Which stated it might be because The slave KDC does not have a stash
file (.k5.EXAMPLE.COM). You need to create one.  Tried the command
listed:

# kdb5_util stash
kdb5_util: Server error while retrieving master entry

No further information found on the preceding error above for the kdb5_util
command.

Any thoughts?

First: don't use instructions which are not related to IPA, please.

FreeIPA has its own LDAP driver for KDC and instructions for anything
else do not apply here at all.

If you see 'Server error - while fetching master key ..' it means KDC
LDAP driver was unable to contact LDAP server. Does LDAP server work on
the replica? What is in its error log 
(/var/log/dirsrv/slapd-ITMODEV-GOV/errors)?

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
